This fabulous product generates certificate requests with a 1023- or 2047-bit modulus (instead of 1024 or 2048) and 3 or 7 as the public exponent (instead of 65537). Most CAs refuse to sign such requests. The solution is to terminate the SSL tunnel in front of it on a Squid proxy configured as a reverse proxy for https, and to install regular signed certificates (obtained with openssl; I use TinyCA to speed up testing) on the proxy instead.

```
# Squid configuration for reverse https proxy
https_port [<IP>:]443 accel cert=/usr/local/squid/etc/certs/trapano.pem key=/usr/local/squid/etc/certs/trapano.key cafile=/usr/local/squid/etc/certs/CA.pem defaultsite=trapano.trincatrinca.it vhost
# trapano.units.it is the FQDN of the vpn concentrator

# HTTPS peer (300.300.300.300 is the IP address of the VPN concentrator)
cache_peer 300.300.300.300 parent 443 0 proxy-only no-query originserver ssl DONT_VERIFY_PEER,NO_DEFAULT_CA,DONT_VERIFY_DOMAIN ssloptions=NO_TLSv1 name=trapano
# ssloptions=NO_TLSv1 needed for Cisco VPN 3000

acl webvpn dstdomain trapano.trincatrinca.it
cache_peer_access trapano allow webvpn
http_access allow webvpn
always_direct allow webvpn

# ignore errors with certain sites (very dangerous!)
#sslproxy_cert_error allow all
acl TrustedName dst 300.300.300.300
sslproxy_cert_error allow TrustedName
```

Note that the concentrator's own (unsignable) certificate cannot be validated, so the proxy-to-concentrator leg is trusted by destination IP only: `sslproxy_cert_error` is allowed solely for the `TrustedName` acl, never for `all`.

Restart Squid and don't forget to point your DNS at the new proxy machine. In production environments you can test the whole functionality using a bogus entry in your /etc/hosts file pointing trapano.trincatrinca.it at the IP of your proxy machine.
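To confirm that a request really carries one of the odd keys described above before sending it to a CA, here is an added example (not from this post, nor from Squid or Cisco) that reads an RSA public key from DER, either the PKCS#1 RSAPublicKey structure or an X.509 SubjectPublicKeyInfo (what `openssl req -noout -pubkey` prints, once base64-decoded), and applies the usual CA policy on modulus size and exponent. The sample keys at the bottom are constructed with the stated modulus sizes and are not real RSA keys.

```python
def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the size of the length field
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_params(der):
    """Return (modulus, exponent) from PKCS#1 RSAPublicKey or X.509 SubjectPublicKeyInfo DER."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE"
    tag, first, nxt = _tlv(body, 0)
    if tag == 0x30:                         # SubjectPublicKeyInfo: AlgorithmIdentifier, then BIT STRING
        tag, bits, _ = _tlv(body, nxt)
        assert tag == 0x03, "expected BIT STRING"
        return rsa_params(bits[1:])         # drop the unused-bits octet, recurse into RSAPublicKey
    assert tag == 0x02, "expected INTEGER modulus"
    tag, second, _ = _tlv(body, nxt)
    assert tag == 0x02, "expected INTEGER exponent"
    return int.from_bytes(first, "big"), int.from_bytes(second, "big")

def key_problems(n, e, min_bits=2048):
    """Policy a typical CA applies: byte-aligned modulus of at least min_bits, exponent 65537."""
    bits, problems = n.bit_length(), []
    if bits % 8 or bits < min_bits:
        problems.append(f"modulus is {bits} bits (want a multiple of 8, at least {min_bits})")
    if e != 65537:
        problems.append(f"public exponent is {e} (want 65537)")
    return problems

# --- constructed sample keys so the script runs stand-alone; the moduli are NOT real RSA keys ---
def der_len(n):
    if n < 128:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def der_int(v):
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")   # one extra byte keeps the sign bit clear
    return b"\x02" + der_len(len(b)) + b

def rsa_public_key_der(n, e):
    """Encode PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(body)) + body

if __name__ == "__main__":
    for n, e in (((1 << 1022) | 12345, 3), ((1 << 2047) | 1, 65537)):
        print(key_problems(*rsa_params(rsa_public_key_der(n, e))))
```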