Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Verifying SSL site certificate verification

    Scheduled Pinned Locked Moved General pfSense Questions
    21 Posts 7 Posters 3.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J Offline
      Jdwind
      last edited by

      Hi, I am using Pfsense with Squid, Squidguard and Snort packages. Squid with non-transparent proxy. I have set CA certificate (i.e. named "mycert"), when I open i.e. bank website (or other site with SSL) I see green padlock in my web browser, but it is only that green padlock, without any information about that who is verified certificate (i.e. Verysign, Symantec or other). There is only information, when I click that padlock, so cert was verified by Pfsense (mycert). How can I check that informations?
      Sorry for my english and regards.

      1 Reply Last reply Reply Quote 0
      • DerelictD Offline
        Derelict LAYER 8 Netgate
        last edited by

        With SSL MITM you can't. If you want to verify certificates (and who doesn't?), don't do that.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • J Offline
          Jdwind
          last edited by

          But SSL MITM is more security (in my opinion, if I'm not wrong?), how to otherwise filtering https sites with proxy?

          1 Reply Last reply Reply Quote 0
          • DerelictD Offline
            Derelict LAYER 8 Netgate
            last edited by

            Well, then you have a choice to make.

            Look at https peek/splice

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • johnpozJ Online
              johnpoz LAYER 8 Global Moderator
              last edited by

              More security for who exactly? You can filter users from going to sites you don't want them to go to without having to do a MITM on the ssl.  If your doing a MITM the user would not be able to see the end cert, only the cert you present them.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • J Offline
                Jdwind
                last edited by

                Thank you very much for a explnation, but can you tell me how can I filter sites with SSL and the same time have anti-virus protection enabled for them?

                1 Reply Last reply Reply Quote 0
                • johnpozJ Online
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  You would not be able to scan for antivirus inside a ssl tunnel.  The client would do this on their end..  You wouldn't do this on the firewall.

                  But you can filter what sites they go to without having to do a mitm on the ssl.. Doing mitm opens up a whole can of worms.. You would then be able to sniff users passwords to like their banks, and such.  View medical info they might be looking at.

                  SSL is suppose to provide end to end security.. From the end user to the site they are going to.. When you break that trust by doing a mitm you can open up a whole freaking can of issues that are best left alone..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • J Offline
                    Jdwind
                    last edited by

                    So, if you can (please), tell me, what should I do to do? Use transparent squid proxy without MITM? And how to manage ssl sites (i.e. how to block youtube, facebook etc. for some users in my network)?
                    Best regards and thank you very much.

                    1 Reply Last reply Reply Quote 0
                    • DerelictD Offline
                      Derelict LAYER 8 Netgate
                      last edited by

                      peek/splice, not MITM.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      1 Reply Last reply Reply Quote 0
                      • J Offline
                        Jdwind
                        last edited by

                        Then what should I to do? Disable MITM, enable transparent proxy in squid? I found only in Squid (in SSL Man In the Middle Filtering section) that information: Please see SslBump Peek and Splice wiki documentation for additional details - but there http://wiki.squid-cache.org/Features/SslPeekAndSplice is not information how use it with Pfsense. Can you tell me some more about how do that, please?

                        1 Reply Last reply Reply Quote 0
                        • C Offline
                          Chrismallia
                          last edited by

                          Here is mine

                          sp.PNG
                          sp.PNG_thumb

                          1 Reply Last reply Reply Quote 0
                          • D Offline
                            doktornotor Banned
                            last edited by

                            @Jdwind:

                            But SSL MITM is more security

                            https://www.us-cert.gov/ncas/alerts/TA17-075A

                            1 Reply Last reply Reply Quote 0
                            • J Offline
                              Jdwind
                              last edited by

                              Thank you, doktornotor. I have installed end-point antyvirus on every host too. In my network I must have any security solution (like IPS/IDS - I use Snort package), that why I used MITM and SSL filtering. Chrismallia show his configuration, but if I am not wrong he has MITM and SSL filtering too. Only different is with SSL/MITM mode - I have default, he Splice All. That's all?

                              1 Reply Last reply Reply Quote 0
                              • C Offline
                                Chrismallia
                                last edited by

                                with splice all you do not need to install certs on devices, it is mostly good for only filtering  no AV, so it does not break the  ssl connection  or inspect content, it uses the SNI, anyone correct me if I am mistaken in any way

                                1 Reply Last reply Reply Quote 0
                                • D Offline
                                  doktornotor Banned
                                  last edited by

                                  @Jdwind:

                                  Thank you, doktornotor. I have installed end-point antyvirus on every host too.

                                  Oh noes. That was NOT the point. The point was that MITM is evil.

                                  1 Reply Last reply Reply Quote 0
                                  • J Offline
                                    Jdwind
                                    last edited by

                                    I tried this settings (from Chrismallia) on virtual network, Pfsense and two hosts and  what can I say… it works. Antivirus dont works with SSL, but I have it installed on every host. Thank you all for help and explanation very, very much. But one thing more that I can't understand (after Doktornotor post) - it is still MITM enabled - does it matter?
                                    Best regards

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ Online
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      no with splice your not your doing a peek and then splicing it back.. The client is getting the actual cert from the server.. Your just peaking inside to see where they are going, etc.  And if it should be filtered.

                                      "splice: Become a TCP tunnel without decoding the connection. The client and the server exchange data as if there is no proxy in between."

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • J Offline
                                        Jdwind
                                        last edited by

                                        Thank you very much again, so now I have everything ok. With Squidguard ssl filtering just works.

                                        1 Reply Last reply Reply Quote 0
                                        • H Offline
                                          Harvy66
                                          last edited by

                                          There are many attack vectors to infect machines when MITM is used. SSL provides two things, privacy and security. The security is provided by the signing. When you MITM, you break the signing, which means you break the security.

                                          1 Reply Last reply Reply Quote 0
                                          • K Offline
                                            kpa
                                            last edited by

                                            With MITM you're breaking the chain of trust normally provided the trusted third party signatures found on the certificates. Your users will no longer be able to verify that they are connecting to the real deal when they connect to a HTTPS site, instead they can at maximum be sure only that they are connecting to your MITM proxy.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.