On Mar 14, 2013, at 9:23 AM, Hasanen AL-Bana <hasa...@gmail.com> wrote:

> I thought Squid can fetch the original certificate for a website and pass it 
> to the browser instead of the one created by me,
> Isn't that how dynamic ssl generation should work ?

No, there are two parts for the asymmetric encryption used for certificates: 
the public key in the certificate, and the private key known only to the 
original web server. Without the original private key, squid can not 
impersonate the original web server and thus can not simply pass the real 
certificate to the browser.

So, dynamic SSL certificate generation involves creating "imposter" 
certificates and private keys, signed with a local signing certificate that the 
local web browsers trust. 

Guy

> 
> On Thu, Mar 14, 2013 at 5:05 PM, Guy Helmer <guy.hel...@palisadesystems.com> 
> wrote:
> On Mar 14, 2013, at 7:22 AM, Hasanen AL-Bana <hasa...@gmail.com> wrote:
> 
> > Hi,
> >
> > I have successfully installed squid 3.3 compiled with ssl support
> > Interception SSL traffic is working fine with browsers loaded with my
> > self created .DER file.
> > But without it , I keep getting browser warnings , chrome doesn't
> > work at all with gmail in this case.
> 
> That's correct behavior.
> 
> > The question is , if I purchase a valid SSL certificate , will squid
> > be able to use it for all websites ?
> > Will user browsers accept it ?
> 
> No, you can't purchase a certificate from legitimate certificate vendors that 
> can sign other arbitrary certificates. If you could, then any site could 
> impersonate any other site, and server authentication by certificates would 
> be meaningless.
> 
> Guy