How to understand the certificate that Squid SSL Bumping requires?
- By : Will
- Category : Forward Proxy
1. From the following link we learned that Squid SSL bump can use a certificate issued by a Certificate Authority,
https://support.kaspersky.com/KWTS/6.1/en-US/166244.htm
The key passage reads as follows,
SSL Bumping requires an SSL certificate and a private key in PEM format. You can create a new self-signed SSL certificate or use a prepared one (for example, an SSL certificate issued by a Certificate Authority).
2. Following that documentation, we used the configuration below to load the public-key certificate (xxx.crt) and the private key (xxx.key) that the CA had issued for the server,
http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/etc/squid/ssl_cert/squid.cmdschool.org.crt key=/etc/squid/ssl_cert/squid.cmdschool.org.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/ssl_cert/bump_dhparam.pem
3. When we tested with the Firefox browser, the following error was shown,
Error code: SEC_ERROR_INADEQUATE_KEY_USAGE
Squid's log "/var/log/squid/cache.log" contained the following message,
2023/08/24 02:06:15 kid1| ERROR: failure while accepting a TLS connection on conn25612 local=10.168.0.92:3128 remote=10.168.0.165:51136 FD 12 flags=1: 0x55743bc3e5f0*1
current master transaction: master1407
4. From the official Squid link we learned that the certificate used by Squid SSL bump needs to be a root certificate (root CA); see,
https://wiki.squid-cache.org/Features/DynamicSslCert
The key passage reads as follows,
This certificate will be used by Squid to generate dynamic certificates for proxied sites. For all practical purposes, this certificate becomes a Root certificate and you become a Root CA.
5. So the essence of the problem is that the Squid server needs a CA certificate (a certificate authority certificate) in order to re-sign the public-key certificate of every website connection Squid opens. Once the client trusts the forged certificate that Squid re-signed, Squid can decrypt and intercept the SSL traffic while the client talks to the remote website through Squid. Therefore, what we need is a certificate that can sign server certificates, not a server certificate that has itself been signed and issued. As a non-authoritative certificate authority you could purchase a subordinate root certificate (a "Subordinate CA Certificate"), but because the application process is cumbersome and the price is high, in most cases the only option is to create your own non-authoritative root certificate; the detailed tutorial follows,