Web lists-archives.com

Re: certificate problem on sid




On Wed, Mar 8, 2017 at 5:43 PM, Nemeth Gyorgy <friczy@xxxxxxxxxxx> wrote:
2017-03-08 16:45 keltezéssel, SZ, Zsolt írta:
> As we have corporate proxy with NTLM authentication I am using CNTLM
> daemon for authentication and using localhost as proxy. It was working
> fine until yesterday. Any not secure traffic works fine though and
> local ssh is working fine as well. Most likely my local proxy is the
> root of this problem but I have not changed anything on its settings
> so I have no idea what makes this bad behavior.
>
> I tried with openssl s_client and it seems that beside the original
> certificate the corporate certificate is face up somehow. As our root
> certificate is only a local certificate, which is installed on Windows
> machines, it is unknown for my debian system. I do not want to add to
> my debian machine as my system worked without it before.
>
> Any similar experience or idea what is wrong?
Contact your proxy administrator. If your local root certificate appears
in the certification chains then it is possible that the proxy checks
SSL traffic. Technically it is the same as a MITM traffic and it means
that your root certificate issues 'fake' certificates for the https
sites. If this is the case then the only solution is to add your local
root to the trusted certificates (or switch off SSL inspection on the
proxy but if it company policy then I see very little chance).

Thanks for your answer György. About MITM. That is what I am afraid of.

I have asked proxy administrator before my email and they do not know such settings. I can reach internet only through proxy so proxy is mandatory. Do you have any URL how to "extract" my root certificate?

I was able to "extract" some certificates so I am able to connect to github with git clone. I got some certificates from my Windows machine, probably our root certification as well, and some from my Linux machine via openssl s_client. I added crt base64 files to /usr/local/share/ca-certificates and run update-ca-certificates application. Based on its output it seems that certifications were successfully added. But at the same time I am still not able to connect any https via Firefox and my dropbox is not able to connect as well. So there is still some problem.

BR, Zsolt