certs.pem (certs120102.zip)
Dec. 29, 2010, 09:29 PM (This post was last modified: Jan. 02, 2012 08:47 PM by JJoe.)
Post: #1
certs.pem (certs120102.zip)
Zip contains a current list of trusted certificate authorities, extracted from an XP Pro SP3 IE7 machine and edited.

Only for those that wish to filter https!
Exit the Proxomitron.
Rename certs.pem in the Proxomitron's folder to certsold101229.pem.
Extract certs120102.zip to the Proxomitron's folder.
Start the Proxomitron.

I'd like to know about warnings caused by the new file.
Also, any invalid certs that are not flagged.

No guarantees or warranties and tested very little.
This thread could disappear in a hurry. ;)

Have fun

Edit:
certs.pem 2012.01.02, list of valid certs removed (certs-current-removed.txt) from IE extraction
.zip  certs120102.zip (Size: 280.45 KB / Downloads: 937)
.txt  certs-current-removed.txt (Size: 3.41 KB / Downloads: 584)

make-certspem.zip contains instructions and files to create certs.pem from IE certs file, I hope.
.zip  make-certspem.zip (Size: 824.61 KB / Downloads: 631)
.txt  !ReadMe.txt (Size: 5.92 KB / Downloads: 654)

Old cert
.zip  certs101229.zip (Size: 260.82 KB / Downloads: 790)
Dec. 29, 2010, 11:10 PM
Post: #2
RE: certs.pem (certs101229.zip)
So far, so good...
It solved an intermittent SSL warning I was receiving :D
Sep. 29, 2011, 03:49 PM (This post was last modified: Sep. 29, 2011 03:50 PM by sbk.)
Post: #3
RE: certs.pem (certs101229.zip)
(Dec. 29, 2010 09:29 PM)JJoe Wrote:  Zip contains a current list of trusted certificate authorities, extracted from an XP Pro SP3 IE7 machine and edited.
What was the basis or goal of the editing?
Quote:I'd like to know about warnings caused by the new file.
Also, any invalid certs that are not flagged.
How would we test with invalid certs?
Side by side browsers, one with https set to connect through proxo, the other browser set to connect only http through proxo?

Quote:No guarantees or warranties and tested very little.
This thread could disappear in a hurry. ;)
Uh oh. :0
Thanks. I'm beginning to use it now, with a newly generated sidki make-cert proxcert.pem
Sep. 30, 2011, 03:19 AM
Post: #4
RE: certs.pem (certs101229.zip)
(Sep. 29, 2011 03:49 PM)sbk Wrote:  what was basis or goal of editing?

I can't find the instructions that I had planned on posting before. Ouch...

I think the extracted file contained "required certs", http://support.microsoft.com/kb/293781 , that caused problems and may not have contained a cert that is required by the Proxomitron.

But we probably won't know for sure until I do it again.

(Sep. 29, 2011 03:49 PM)sbk Wrote:  how would we test with invalid certs?

You would have to know. The Proxomitron doesn't check for revoked certs and neither do I. So, report findings.

(Sep. 29, 2011 03:49 PM)sbk Wrote:  I'm beginning using now

Be careful.
Have fun.
Jan. 01, 2012, 11:23 PM
Post: #5
RE: certs.pem (certs101229.zip)
(Dec. 29, 2010 09:29 PM)JJoe Wrote:  Only for those that wish to filter https!
Exit the Proxomitron.
Rename certs.pem in the Proxomitron's folder to certsold3.pem.
Extract certs101229.zip to the Proxomitron's folder.
Start the Proxomitron.

Is there a way for users to roll their own "certs.pem"?
Also, I'm kinda wondering if the 'certsold3.pem' is "required" - can I delete it now after all these months, or is it somehow "linked to" or something?
Jan. 02, 2012, 05:17 AM
Post: #6
RE: certs.pem (certs101229.zip)
I've created a new "certs.pem". So with memory refreshed, I'll post instructions and file later.

I don't see any new certs but there may be some to delete.
http://en.wikipedia.org/wiki/DigiNotar

(Jan. 01, 2012 11:23 PM)ProxRocks Wrote:  is there a way for users to roll their own "certs.pem"?

I think I can provide a bat file to convert the IE format but you may still have to add or remove certs. It isn't a big deal, though.

I'm evaluating another certificate source, atm.

(Jan. 01, 2012 11:23 PM)ProxRocks Wrote:  i'm kinda wondering if the 'certsold3.pem' is "required" - can i delete it now after all these months, or is it somehow "linked to" or something?

It isn't required but you want to keep it. Sometimes a new "certs.pem" will have a problem that the old one did not. Comparing the files can help solve the problem.

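Post #1 has you rename the old certs.pem before dropping in the new one, and post #6 explains why it is worth keeping: comparing the two files is how you find out which CA went missing when a site suddenly starts throwing a Proxomitron certificate warning. The script below is an added example (not Proxomitron's, JJoe's or sidki's code) that does that comparison with nothing but the Python standard library. A certs.pem is a plain concatenation of OpenSSL-style "-----BEGIN CERTIFICATE-----" blocks, so it identifies each block by the SHA-256 fingerprint of its DER bytes (the same value `openssl x509 -noout -fingerprint -sha256` prints) and reports which certificates were added, removed or are malformed. The two bundles embedded in it are constructed stand-ins built from minimal DER SEQUENCEs, not real CA certificates; the file names in their comments are assumed.

```python
"""Compare two Proxomitron-style certs.pem CA bundles by certificate fingerprint.

Added example, not Proxomitron project code. Identifies every PEM CERTIFICATE
block by the SHA-256 fingerprint of its DER encoding and reports what changed
between an old and a new bundle, plus any block OpenSSL would choke on.
"""
import base64
import hashlib
import re
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def fingerprint(der):
    """SHA-256 fingerprint as colon-separated upper-case hex, OpenSSL style."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def parse_bundle(text):
    """Return ({fingerprint: der_bytes}, [indexes of malformed blocks]).

    Text between blocks (comments, subject lines) is ignored, as OpenSSL does.
    A block is malformed if its body is not valid base64 or does not start
    with the DER SEQUENCE tag (0x30) that every X.509 Certificate begins with.
    """
    certs, malformed = {}, []
    for idx, match in enumerate(PEM_CERT.finditer(text)):
        body = "".join(match.group(1).split())      # drop line breaks/indent
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:                           # binascii.Error is a ValueError
            malformed.append(idx)
            continue
        if not der or der[0] != 0x30:
            malformed.append(idx)
            continue
        certs[fingerprint(der)] = der
    return certs, malformed


def diff_bundles(old_text, new_text):
    """Summarise how new_text differs from old_text, keyed by fingerprint."""
    old, old_bad = parse_bundle(old_text)
    new, new_bad = parse_bundle(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "unchanged": len(set(old) & set(new)),
        "malformed_old": old_bad,
        "malformed_new": new_bad,
    }


def pem_block(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


# Constructed sample bundles. The "certificates" are minimal DER SEQUENCEs
# (SEQUENCE { INTEGER n }), not real CA certificates; only their bytes matter.
CERT_A = b"\x30\x03\x02\x01\x01"
CERT_B = b"\x30\x03\x02\x01\x02"
CERT_C = b"\x30\x03\x02\x01\x03"
OLD_BUNDLE = "# certsold101229.pem (constructed)\n" + pem_block(CERT_A) + pem_block(CERT_B)
NEW_BUNDLE = (
    "# certs120102.pem (constructed)\n"
    + pem_block(CERT_B)
    + "-----BEGIN CERTIFICATE-----\nnot*valid*base64\n-----END CERTIFICATE-----\n"
    + pem_block(CERT_C)
)


def main(argv):
    """Usage: diffcerts.py OLD.pem NEW.pem (no args: run on the constructed sample)."""
    if len(argv) == 3:
        old_text, new_text = open(argv[1]).read(), open(argv[2]).read()
    else:
        old_text, new_text = OLD_BUNDLE, NEW_BUNDLE
    result = diff_bundles(old_text, new_text)
    for key in ("added", "removed"):
        for fp in result[key]:
            print("%-8s %s" % (key, fp))
    print("unchanged: %d" % result["unchanged"])
    print("malformed blocks: old %s, new %s" % (result["malformed_old"], result["malformed_new"]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python diffcerts.py certsold101229.pem certs.pem` against the real files. A CA that shows up under "removed" is the first thing to check when a site that used to work starts triggering the Proxomitron warning dialog; a non-empty "malformed" list means the bundle itself is broken, which is the other reason a new certs.pem can misbehave where the old one did not.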
Jan. 02, 2012, 08:45 PM
Post: #7
RE: certs.pem (certs101229.zip)
(Jan. 02, 2012 05:17 AM)JJoe Wrote:  I'll post instructions and file later.

Done. Hope it's good enough.

(Jan. 02, 2012 05:17 AM)JJoe Wrote:  I don't see any new certs but there may be some to delete.
http://en.wikipedia.org/wiki/DigiNotar

I'm evaluating another certificate source, atm.

As I suspected, somebody wasn't as current as they thought they were.
There have been a number of changes.

HTH
Jan. 02, 2012, 10:11 PM
Post: #8
RE: certs.pem (certs120102.zip)
Awesome, much appreciated!...

I'll check out the roll-your-own in a few days or so and report back :)!
Jan. 02, 2012, 10:42 PM
Post: #9
RE: certs.pem (certs120102.zip)
This fixed a first-run-only Yahoo warning dialog that I've had for "years", AWESOME!...

I was never able to figure out "why" I'd get the certificate error once and only once, always the first visit to Yahoo after Proxo is first opened...

It was always such a dang irritating nuisance that I keep an AutoIt script running in the systray that automatically clicks the button for me when the warning dialog pops up - I no longer need it running, SWEET!
Jan. 03, 2012, 05:33 PM
Post: #10
RE: certs.pem (certs120102.zip)
(Firstly, apologies for three posts in a row, lol...)

EXTREME KUDOS!...

I've run through all of my work-related and home-use SSL sites (there are over four dozen of them)...

This is the first time in literally "years" that I have had a proxcert.pem/certs.pem combo that actually WORKS FLAWLESSLY...

My Proxo folder actually has eight proxcert.pem's and three certs.pem's...

These new ones by JJoe have been the only ones to WORK "in recent years" on ALL of my frequently visited SSL's...

They used to "always" work, "something" happened about two years ago or so, and for the last two years or so I've been having to "settle" with the combo that worked with the fewest error dialogs...

Not having ANY is just downright AMAZING!...


GREATLY appreciated, JJoe...
Totally AWESOME!...
Jan. 04, 2012, 09:56 PM
Post: #11
RE: certs.pem (certs120102.zip)
(Jan. 03, 2012 05:33 PM)ProxRocks Wrote:  Totally AWESOME!...

At the risk of spoiling your bliss... What happens if you,
exit the Proxomitron,
remove certs.pem from the Proxomitron's folder,
restart the Proxomitron,
and then visit your SSL sites?
Jan. 04, 2012, 11:12 PM (This post was last modified: Jan. 05, 2012 12:09 AM by ProxRocks.)
Post: #12
RE: certs.pem (certs120102.zip)
Well, isn't that interesting - no errors anywhere (didn't visit "all" of my SSL's, just the ones that historically presented dialog warnings)...

I'm running "half-ssl", as I suspect you already knew...

I brought the "previous" version of certs.pem back and I got the first-visit dialog error when logging into Yahoo...


It's all over my head :(


Edit: the disappointing part, I'm now learning that the POC warning dialogs I "was" getting for "years" could have been eliminated by deleting/renaming certs.pem :( ... If newbies to Proxo were getting them also, it's safe to assume they likely abandoned Proxo before learning its true potential... who knows... I mean, the topic has come up dozens of times and the answer has always been that half-ssl rids them (seems now it only rids them if certs.pem is "fixed" or outright deleted)... but like I said, way over my head...
Jan. 05, 2012, 05:31 AM
Post: #13
RE: certs.pem (certs120102.zip)
ReadMe.txt Wrote:NEW: Proxomitron now can check to make sure the certificate on the
remote server is valid. It looks for a file named "certs.pem" in
the Proxomitron base folder. If found, this file should contain
a list of trusted certificate authorities in the PEM format used
by OpenSSL.

"If found", so after you removed "certs.pem" the Proxomitron simply decrypted the data. No attempt was made to validate the certificate.

ReadMe.txt Wrote:Proxomitron will pop-up it's own certificate warning dialog if
the SSL site's certificate has problems or can't be matched to
one of the trusted certificates on file.

So far, I've removed two certificates that generated errors (and am seeing errors related to other "new" certificates). I'm assuming that the remaining certificates get the job done correctly.
A guess is that some of the new certificates indicate abilities that the Proxomitron does not have.

Current "new" errors are of the "Certificate's host name (CN) doesn't match the site's" or the CN contains a wildcard variety, http://www.torproject.org or http://www.hsn.com .

I would rather people use a "certs.pem" and

ReadMe.txt Wrote:Keep in mind certificates are just used to help ensure you're actually
connecting to the site you think you are and not some "spoofed" site.
Whether they actually do this or not is debatable. Many sites (especially
smaller ones) may not be using properly "signed" certificates, but this
doesn't mean your connection is not as encrypted. Really all it means is
they didn't cough up some money for VeriSign's official stamp of approval.
Likewise, a valid certificate is no guarantee a site won't rip you off -
you must still be careful before trusting a site with sensitive data.

Still, that being said, it's always safer to connect in pass-thru mode
(see below) in cases where security is critical

HTH
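The post above reports two kinds of Proxomitron warning once a certs.pem is in place: the certificate's CN does not match the host name, and the CN contains a wildcard. The following is an added example, not Proxomitron's code, and it does not claim to reproduce how Proxomitron compares the CN; it implements the host-name match that current browsers apply (RFC 2818 / RFC 6125 style): case-insensitive comparison, a wildcard accepted only as the entire left-most label, matching exactly one label, and never as "*.com"; Subject Alternative Name dNSName entries are checked first and the CN is only a fallback when the certificate has no SAN. The host names and certificate names in the sample cases are constructed to echo the thread (hsn.com, torproject.org, Yahoo); they are not the real certificates of those sites.

```python
"""Browser-style host-name matching for a TLS certificate's CN / SAN names.

Added example, not Proxomitron code. Shows why a "*.example.com" certificate
covers www.example.com but not example.com or a.b.example.com, and why the
CN is ignored once a certificate carries Subject Alternative Names.
"""


def name_matches(pattern, host):
    """True if certificate name `pattern` (possibly a wildcard) covers `host`."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the whole left-most label and appear nowhere else:
    # "*.hsn.com" is fine, "w*.hsn.com" and "www.*.com" are refused.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:                 # refuse "*" and "*.com"
        return False
    if len(h_labels) != len(p_labels):    # "*" covers exactly one label
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate_names(host, common_name=None, san_dns_names=()):
    """Return (ok, matched_name). SAN dNSNames win; CN only when no SAN exists."""
    if san_dns_names:
        candidates = list(san_dns_names)
    else:
        candidates = [common_name] if common_name else []
    for name in candidates:
        if name_matches(name, host):
            return True, name
    return False, None


# Constructed cases (host, CN, SAN dNSNames) echoing the thread's examples.
EXAMPLES = [
    ("www.hsn.com", "*.hsn.com", ()),                  # wildcard CN covers www
    ("hsn.com", "*.hsn.com", ()),                      # but not the bare domain
    ("a.b.hsn.com", "*.hsn.com", ()),                  # nor two labels deep
    ("www.torproject.org", "www.torproject.org", ()),  # exact CN match
    ("login.yahoo.com", "www.yahoo.com",
     ("www.yahoo.com", "login.yahoo.com")),            # SAN entry matches
    ("mail.yahoo.com", "mail.yahoo.com",
     ("www.yahoo.com",)),                              # SAN present, CN ignored
]

if __name__ == "__main__":
    for host, cn, sans in EXAMPLES:
        ok, name = check_certificate_names(host, cn, sans)
        verdict = "OK via %s" % name if ok else "MISMATCH"
        print("%-20s CN=%-20s SAN=%-32s -> %s" % (host, cn, ",".join(sans) or "-", verdict))
```

The last case is the one that surprises people: a certificate whose CN equals the host can still fail in a browser when its SAN list omits that host, so when a Proxomitron CN warning and a browser verdict disagree, compare the SAN list before assuming certs.pem is at fault.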
Jan. 05, 2012, 05:44 AM
Post: #14
RE: certs.pem (certs120102.zip)
(Jan. 04, 2012 11:12 PM)ProxRocks Wrote:  if newbies to Proxo were getting them also

Newbies filtering their purchases, investments, banking... I hope not!

(Jan. 04, 2012 11:12 PM)ProxRocks Wrote:  i mean, the topic has come up dozens of times and the answer has always been that half-ssl rids them

Half-SSL handles (and it does) the warnings coming from the browser that complain about the Proxomitron being in the middle.

Warnings generated by "certs.pem" are coming from the Proxomitron.

The browser may also throw a flag if the Proxomitron's certificate isn't in its store.

HTH
Jan. 05, 2012, 07:08 AM
Post: #15
RE: certs.pem (certs120102.zip)
Cool, thanks for the explanation :)!

Agreed, would much rather use a certs.pem...
And yeah, "newbies" 'probably' shouldn't be filtering SSL...


Come to think of it, I know that the Yahoo warning I used to get was CN...