On Wed, Mar 8, 2017 at 5:43 PM, Nemeth Gyorgy <[email protected]> wrote:
> On 2017-03-08 at 16:45, SZ, Zsolt wrote:
> > As we have corporate proxy with NTLM authentication I am using CNTLM
> > daemon for authentication and using localhost as proxy. It was working
> > fine until yesterday. Any not secure traffic works fine though and
> > local ssh is working fine as well. Most likely my local proxy is the
> > root of this problem but I have not changed anything on its settings
> > so I have no idea what makes this bad behavior.
> >
> > I tried with openssl s_client and it seems that beside the original
> > certificate the corporate certificate is face up somehow. As our root
> > certificate is only a local certificate, which is installed on Windows
> > machines, it is unknown for my debian system. I do not want to add to
> > my debian machine as my system worked without it before.
> >
> > Any similar experience or idea what is wrong?
> Contact your proxy administrator. If your local root certificate appears
> in the certification chains then it is possible that the proxy checks
> SSL traffic. Technically it is the same as a MITM traffic and it means
> that your root certificate issues 'fake' certificates for the https
> sites. If this is the case then the only solution is to add your local
> root to the trusted certificates (or switch off SSL inspection on the
> proxy but if it is company policy then I see very little chance).
>

Thanks for your answer György.

About MITM. That is what I am afraid of. I have asked proxy administrator
before my email and they do not know such settings. I can reach internet
only through proxy so proxy is mandatory.

Do you have any URL how to "extract" my root certificate?

I was able to "extract" some certificates so I am able to connect to
github with git clone. I got some certificates from my Windows machine,
probably our root certification as well, and some from my Linux machine
via openssl s_client. I added crt base64 files to
/usr/local/share/ca-certificates and ran the update-ca-certificates
application. Based on its output it seems that certifications were
successfully added. But at the same time I am still not able to connect
any https via Firefox and my dropbox is not able to connect as well. So
there is still some problem.

BR,
Zsolt
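The situation discussed in this thread can be reproduced offline. The script below is an added example, not part of the original messages: it builds a constructed "corporate" root, issues a certificate for a test hostname under it the way an inspecting proxy would, and shows that the certificate only verifies once that root is in the trust bundle. The helper names, subjects and hostname are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. All certificates are constructed locally; no network access.
# Helper names (make_root, make_leaf, issuer_of, trusted_by) are hypothetical.
demo_dir=$(mktemp -d)

cat > "$demo_dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_root NAME SUBJECT: self-signed CA certificate in $demo_dir/NAME.crt
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$demo_dir/ca.cnf" \
        -subj "$2" -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.crt" 2>/dev/null
}

# make_leaf CA HOST: certificate for HOST issued by CA, the way an inspecting
# proxy mints a per-site certificate under the corporate root.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$demo_dir/ca.cnf" \
        -subj "/CN=$2" -keyout "$demo_dir/leaf.key" -out "$demo_dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$demo_dir/leaf.csr" -days 2 -CA "$demo_dir/$1.crt" \
        -CAkey "$demo_dir/$1.key" -CAcreateserial -out "$demo_dir/leaf.crt" 2>/dev/null
}

# issuer_of CERT: print who signed CERT; a corporate name on a public site's
# certificate is the sign of TLS inspection.
issuer_of() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253; }

# trusted_by BUNDLE CERT: true only if CERT chains to a root in BUNDLE
# (the system certificate directory is deliberately ignored).
trusted_by() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

make_root corp "/O=Example Corp/CN=Example Corp Inspection Root"
make_root public "/CN=Constructed Public Root"
make_leaf corp site.example.test

cp "$demo_dir/public.crt" "$demo_dir/bundle.pem"     # trust bundle without the corporate root
issuer_of "$demo_dir/leaf.crt"
trusted_by "$demo_dir/bundle.pem" "$demo_dir/leaf.crt" && echo trusted || echo "not trusted"
cat "$demo_dir/corp.crt" >> "$demo_dir/bundle.pem"   # corporate root appended to the bundle
trusted_by "$demo_dir/bundle.pem" "$demo_dir/leaf.crt" && echo trusted || echo "not trusted"
```

Only programs that read the system bundle benefit from update-ca-certificates; Firefox keeps its own NSS certificate store by default, so a root added to the system store is not automatically trusted there.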

