Threaded Mode | Linear Mode

sbk · (This post was last modified: Jan. 07, 2012 07:20 AM by sbk.)

recent discovery.
I've begun using ssl setting. so, I've been withstanding the "scary" warnings.
But at mozilla.org pages, theIR stylesheet "doesn't work", and the relevant cert warnings come only from proxo. IOW, browser doesn't offer the usual way to accept proxo cert as if it were the site cert for stylesheets.

fix:
in proxo log window, i found a cdn mozilla,org domain.
i loaded the root domain in browser. so then the browser offered the cert accept procedure.
And the styles were correct when i then reloaded a typical mozilla.org page.

chatterer · Feb. 03, 2013, 11:46 AM

Hi,

last Update for Root Certificates For Windows [December 2012] (KB931125), any new certs.pem for proxomitron online?

greetz,
chatterer

***JJoe*** · (This post was last modified: Feb. 04, 2013 04:49 AM by JJoe.)

(Feb. 03, 2013 11:46 AM)chatterer Wrote: last Update for Root Certificates For Windows [December 2012] (KB931125), any new certs.pem for proxomitron online?

I could add another one but I don't know that it would help anybody.

I did once try the 'certs.pem' offered by cURL, http://curl.haxx.se/docs/caextract.html .

curl.haxx.se/docs/caextract.html Wrote:Automatically converted CA Certs from mozilla.org

Related:
SSL Certs
We provide automated conversions. The output CA bundle file in PEM format is available from here:

cacert.pem (~250KB)
cacert.pem.gz (~130 KB)
cacert.pem.bz2 (130 KB)
The PEM file contains the datestamp of the conversion and we try to only convert if there's a change in either the script or the source file.

Their current cacert.pem is dated 2012/12/29 16:32:45.
To start to experiment, you would save "cacert.pem" as "certs.pem".

Edit: changed "cert.pem" to "certs.pem"

chatterer · Feb. 04, 2013, 04:35 AM

(Feb. 04, 2013 02:02 AM)JJoe Wrote: ....I did once try the 'cert.pem' offered by cURL, http://curl.haxx.se/docs/caextract.html ...To start to experiment, you would save "cacert.pem" as "cert.pem."

Nice, thank you. I will try and learning.

***JJoe*** · Feb. 04, 2013, 04:48 AM

(Feb. 04, 2013 02:02 AM)JJoe Wrote: ....I did once try the 'cert.pem' offered by cURL, http://curl.haxx.se/docs/caextract.html ...To start to experiment, you would save "cacert.pem" as "cert.pem".

Note my mistake, "cert.pem" should be "certs.pem".

Sorry

***ProxRocks*** · (This post was last modified: Nov. 14, 2013 02:34 PM by ProxRocks.)

this month's "Patch Tuesday" had a "roots update"...
http://www.microsoft.com/en-us/download/...x?id=41084
http://support.microsoft.com/kb/931125

seems to be for XP only, not sure...

i've experimented with trying to "roll my own" certs.pem, but i keep running into invalid cert warning POS for yahoo and piriform (ccleaner), first two noticed, didn't keep hunting for more...

is there any chance that we can get an updated certs.pem?

***JJoe*** · Nov. 23, 2013, 10:09 PM

(Nov. 14, 2013 02:32 PM)ProxRocks Wrote: is there any chance that we can get an updated certs.pem?

Try attached. I've only used it at a few sites.

Yahoo alerts are due to Digicert's new scheme. I removed certs:

Code:

subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4

issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4

subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2

issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2

subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G2

issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G2

www.piriform.com alerts that I see are actually from optimizely.com, which is something that I would just block.
The cause (don't quote me) of the alerts may be that Optimizely isn't doing something quite right technically. I see less than perfect https there with a direct connection.

HTH

***ProxRocks*** · Nov. 23, 2013, 10:38 PM

hmm, now the wheels are turning...
how did you track down yahoo = digicert and piriform = optimizely?

ie, how would i find out which cert to REMOVE for any given web site that i "trust" and do NOT wish to jump through the d@mn hoops of an "invalid" certificate just because the "man in the middle" isn't doing their "job" 'correctly'?

***JJoe*** · Nov. 24, 2013, 01:32 AM

(Nov. 23, 2013 10:38 PM)ProxRocks Wrote: how did you track down yahoo = digicert

The browser showed me
.png

yahoo.png (Size: 84.13 KB / Downloads: 815) .
I used a direct connection to load yahoo, clicked on the lock, clicked on Connection. Then I compared the old "certs.pem" to the new and found the new certificates. Searched google for info about the new certs. Finally, I removed the new certs and lost the alerts.

However, the plan is, there still are Digicert certificates in certs.pem that are used to verify connections.

(Nov. 23, 2013 10:38 PM)ProxRocks Wrote: and piriform = optimizely?

The Proxomitron told me
.png

optimizely.png (Size: 36.92 KB / Downloads: 777) .

Proxomitron Wrote:Looks like SSL certificate for the site:
cdn.optimizely.com
has some problems.

The SSL verify errors might be hidden by removing the certificate that was used to verify but the Proxomitron would still warn that "gp1.wac.edgecastcdn.net" is not the site's name, "cdn.optimizely.com".

Note that the links at piriform for optimizely are relative. So you may not see the alerts while using half-SSL or http.

(Nov. 23, 2013 10:38 PM)ProxRocks Wrote: how would i find out which cert to REMOVE for any given web site that i "trust"

It doesn't work that way. If I remove all the Digicert certificates, all sites that use only Digicert would be 'trusted'.

This is why something like an autoit script could be very handy. The Proxomitron's dialog has buttons for "Allow", "Deny", and "Allow for Session" but they don't work as needed.

HTH

***ProxRocks*** · Nov. 24, 2013, 01:37 PM

okay, next question...

the PITA nag screens that have been P^SS^NG me off so much lately are all over at RAPIDSHARE...

as an example -
http://rapidshare.com/files/2956692990/O...Online.exe

note the URL is //rapidshare
but the POS "invalid" cert CRAP gives a CN of .rapidshare
ie, with a *DOT* before the actual URL, so PROXO throws up a cert-crap dialog, not the browser...

can anything be done to fix that?

***JJoe*** · (This post was last modified: Nov. 24, 2013 07:41 PM by JJoe.)

(Nov. 24, 2013 01:37 PM)ProxRocks Wrote: as an example -
http://rapidshare.com/files/2956692990/O...Online.exe

The Proxomitron sees a wildcard cert at rapidshare for subdomains.
.png

rapidsharewildcardcert.png (Size: 17.3 KB / Downloads: 800)
The CN is "*.rapidshare.com". So as far as the Proxomitron is concerned, "rapidshare.com" is not a subdomain of "rapidshare.com" and the cert "Has some problems..." .

http://www.ssltools.com/certificate_lookup/rapidshare.com shows us,

ssltools Wrote:SSL Certificate

Common Name : *.rapidshare.com
Subject Alternative Names : *.rapidshare.com, rapidshare.com
Issuer Name : WebSpace-Forum Server CA
Serial Number : fc:ff:ff:cd:b7:d2:34:3f:c3:10:52:93:fa:5a:a3:f4
SHA1 Thumbprint : 0F:C1:CA:33:40:BD:20:58:8C:DE:3F:E0:9E:47:7C:50:FF:CD:11:DD
Key Length : 2048 bit
Signature Algorithm : sha1WithRSAEncryption
Secure Renegotiation: Supported

This certificate does not use a vulnerable Debian key (this is good)

Correct : Certificate date is valid, valid from Oct 1 2012 and it expires Oct 1 2015 (676 days from today)

Correct : Certificate Name matches hostname rapidshare.com

, a Subject Alternative Name "rapidshare.com" that does match the site.

I don't remember the Proxomitron's SSL routines ever understanding wildcard certs and all (if any) SubjectAltName extensions. Scott didn't enable everything due to patent, legal, and time concerns.

(Nov. 24, 2013 01:37 PM)ProxRocks Wrote: can anything be done to fix that?

To really fix it, we would need to recompile the Proxomitron...
Our choices are to bypass, block, force http, force cache, add ProxHTTPSProxy.py (or equivalent), add utility to automatically dismiss the Proxomitron's dialog.

http://en.wikipedia.org/wiki/Wildcard_certificate
http://en.wikipedia.org/wiki/Subject_Alternative_Name
http://www.openssl.org/docs/apps/x509v3_config.html

BTW, I am not an SSL expert.

HTH

***ProxRocks*** · Nov. 24, 2013, 08:21 PM

(Nov. 24, 2013 07:31 PM)JJoe Wrote: To really fix it, we would need to recompile the Proxomitron...

anybody know anybody that could do that?
i know there were people on this forum that recompiled Proxo in the past...

***JJoe*** · Nov. 24, 2013, 08:49 PM

(Nov. 24, 2013 08:21 PM)ProxRocks Wrote: i know there were people on this forum that recompiled Proxo in the past...

I don't think so. To do what I intended, they would have to have the Proxomitron's source code and Scott kept it closed.

***ProxRocks*** · (This post was last modified: Nov. 25, 2013 09:23 AM by ProxRocks.)

(Nov. 24, 2013 07:31 PM)JJoe Wrote: BTW, I am not an SSL expert.

no such thing exists !!!...

that's why we, the end user, keeps having to deal with the NUISANCE of "invalid" man-in-the-middle type of BULLSH^T...

and also why the recent "advancement" in modern web browser software is to provide us, the end user, with a means to avoid the entire d@mn NUISANCE altogether...

unfortunately, these modern web browsers are still in their infancy and are lacking other end-user features and are therefore not quite ready to be set as the "default" web browser...