[AusNOG] Maximum users per AP

Scott Howard scott at doc.net.au
Sat Oct 27 07:43:56 EST 2012


On Thu, Oct 25, 2012 at 11:15 PM, Craig Askings <craig at askings.com.au> wrote:

> The normal trick for SSL is to make a new root ca + wildcard cert and
> forcibly install the root ca onto each PC via A/D or MDM for the iOS and
> Android devices. From there you just MitM with the wildcard cert installed
> on the UTM.
>

Close but not quite.

They do involve a new root CA as you've mentioned, but not a wildcard
cert.  Instead, they create dynamic certs for the sites being accessed, and
then sign them with the root CA which the end-user trusts.

e.g., user goes to https://www.facebook.com.  The proxy creates a new
certificate on-the-fly for the same hostname/CN/expiry/etc as the real
www.facebook.com cert, signs it using its own root CA cert, and then uses
that for the connection between the client and the proxy.  Presuming the
client has the root CA in its trusted list, this is completely transparent
to the end user.

The problem here is getting the cert in the user's browser.  In a controlled
corporate environment this is relatively easy (standard build, MS GPO,
etc).  In an uncontrolled environment, it's pretty much impossible.

  Scott
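What Scott describes, replayed in Go as an added example (not code from the thread or from any UTM vendor): a site certificate issued by a public CA, then a proxy certificate cloned from it with the same hostname, CN and expiry but signed by an enterprise root. The client-side check is the defender's angle: verify the chain against the roots you expect for that host and pin the SPKI hash, because the proxy can copy every name and date but never the site's private key. The CA names and www.example.com are constructed test values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a cert for name (nil parent = self-signed CA); constructed test PKI, so any failure panics.
func issue(name string, expiry time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, kerr := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: expiry}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{name} // server cert: the SAN is what a client matches the hostname against
	}
	der, cerr := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, perr := x509.ParseCertificate(der)
	if kerr != nil || cerr != nil || perr != nil {
		panic("constructed test PKI failed to build")
	}
	return cert, key
}

// SPKIPin hashes the SubjectPublicKeyInfo, the one field a re-signing proxy cannot copy.
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Intercepted flags a leaf that does not chain to the client's expected roots or fails the pin.
func Intercepted(leaf *x509.Certificate, roots *x509.CertPool, pin [32]byte, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err != nil || SPKIPin(leaf) != pin
}

// Scenario: site cert from a public CA, then a proxy cert cloned from it (same host, CN, expiry) under a corp root.
func Scenario() (sitePasses, cloneFlagged bool) {
	publicCA, publicKey := issue("Example Public CA", time.Now().Add(48*time.Hour), nil, nil)
	site, _ := issue("www.example.com", time.Now().Add(24*time.Hour), publicCA, publicKey)
	entCA, entKey := issue("Corp UTM Root", time.Now().Add(48*time.Hour), nil, nil)
	clone, _ := issue(site.Subject.CommonName, site.NotAfter, entCA, entKey)
	roots := x509.NewCertPool() // the client's trust store: public CA only, corp root not installed
	roots.AddCert(publicCA)
	return !Intercepted(site, roots, SPKIPin(site), "www.example.com"), Intercepted(clone, roots, SPKIPin(site), "www.example.com")
}
```

Because the pin is on the key rather than on any name, the check still fires once the corporate root has been pushed into the trust store, which is exactly the managed-fleet case the post calls easy.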