Netgate Discussion Forum

SSL inspection

  • S
    samer79
    last edited by Dec 10, 2010, 3:27 AM

    Hello,

    When can we have SSL port 443 inspection? This will be an excellent feature for pfSense. Will it be a snort development or a different package (WAF, web application firewall)?

    Regards,
    Sam

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Dec 13, 2010, 1:31 PM

      If you want to do that, set up squid and hardcode the proxy settings into the clients.

      If you want to do transparent SSL inspection, that is impossible. Some routers claim to do this but you have to install special certificates on every client so it's hardly "transparent" in the traditional sense.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • C
        chronos00
        last edited by Dec 15, 2010, 2:34 PM

        Perhaps I am misunderstanding, but if you want to intercept SSL communications, that can be done by proxying web access to your clients and stripping the SSL URLs, and changing them for non-SSL URLs. For more information, see this site

        Another way is to use bogus certificates to replace the original ones while proxying. Believe it or not, this can be done; some publicly accepted CAs had a bug that allowed the creation of certificates with "\0" in their URLs, which is why most browsers will show the certificate for "www.google.com\0.mih4x0rdomain.com" as "www.google.com". I understand this has been corrected in most cases, but some of these certificates have not expired yet. More info here

        Hope this helps.
        Regards

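The embedded-"\0" certificate name described in the post above, seen from the validating side, as an added example that is not part of any post in this thread: it contrasts a comparison that stops at the first NUL byte with a length-aware check that rejects the name outright. The function names are hypothetical, the truncation is modelled with a byte split rather than a real TLS library, only exact (non-wildcard) names are handled, and all sample names except the one quoted in the post are constructed.

```python
import re

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 bytes.
_LABEL = re.compile(rb"(?!-)[a-z0-9-]{1,63}(?<!-)")

def c_string_view(name: bytes) -> bytes:
    """What a NUL-terminated string routine sees: the bytes before the first 0x00."""
    return name.split(b"\x00", 1)[0]

def naive_match(cert_name: bytes, host: str) -> bool:
    """Models the flawed comparison: the certificate name is treated as a C string."""
    return c_string_view(cert_name).lower() == host.encode().lower()

def is_clean_dns_name(name: bytes) -> bool:
    """Length-aware syntax check over the full byte string, NUL included."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.lower().split(b"."))

def strict_match(cert_name: bytes, host: str) -> bool:
    """Exact match on the whole name, and only if the name is well formed."""
    return is_clean_dns_name(cert_name) and cert_name.lower() == host.encode().lower()

def audit_names(cert_names, host):
    """Classify each name a certificate presents for the host being visited."""
    report = []
    for name in cert_names:
        if strict_match(name, host):
            verdict = "match"
        elif naive_match(name, host):
            verdict = "reject: matches only after NUL truncation"
        elif not is_clean_dns_name(name):
            verdict = "reject: malformed name"
        else:
            verdict = "no match"
        report.append((name, verdict))
    return report

# Constructed sample input; the first name is the one quoted in the post above.
SAMPLE_NAMES = [
    b"www.google.com\x00.mih4x0rdomain.com",
    b"www.google.com",
    b"mail.example.net",
    b"bad name.example",
]

if __name__ == "__main__":
    for name, verdict in audit_names(SAMPLE_NAMES, "www.google.com"):
        print(f"{name!r:45} {verdict}")
```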
        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Dec 15, 2010, 2:37 PM

          Both of those are pretty much what I said… but obviously relying on that second bug to stick around would not be wise.

          • S
            samer79
            last edited by Dec 21, 2010, 2:32 PM

            Any example on how to use the first option (SSL STRIP)?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.