Dansguardian package for 2.0
-
It will scan https url and domains only until whe find a way to create "valid" men-on-the-middle certs.
The point is That dansguardian 2.12 is the first release with full ssl filtering support But it is on experimental stage and not documented at all. We could compile it with ssl and also patched dansguardian-devel ports to help bsd users to get it working.If you want to test or reach the same point we(cino and me) are, go on system cert manager, create a CA certificate and a server certificate using this ca. On dansguardian, apply these certificares on second tab and finally enable ssl filtering option on groups tab.
I have same problem with Cino mentioned when using SSL filtering, the dansguardian itself reject/block the site since the certificate is not valid. I thought the client's browser will warns the user about invalid certificates (I've used astaro gateway before) then the user can choose to continue. Maybe since this very experimental stage it does not work well yet.
On another note, a little bit out of topic. I've used proxy.pac and wpad.dat to autoconfigure the proxy settings on the client computers. I put proxy.pac, wpad.dat and wpad.da on local webserver on the network and assign wpad dns name to that particular webserver. This is working fine for most of the computers, most computers connect though the proxy automatically.
However it seems not all client using the proxy settings so when I block outgoing port 80 some client just can't connect to the internet. I've checked the settings and I'm sure all settings is the same (Auto detect settings are ticked). So I did NAT to redirect outgoing port 80 from the internal network to the dansguardian port and its working fine and making sure all clients browse thru the filter.
But with this method I have little trouble bypassing the filter for some host. On the pfsense squid configuration menu it has the option to enable transparent proxy and select exception list of IP are permitted to bypassing the proxy. I'm not sure how to do it on using NAT rule.
EDIT: one more thing. If using wpad/proxy.pac config it will bypass captive portal. Users can browse the internet but can't check emails on outlook since the ports are blocked by the captive portal, cannot login to captive portal too since it nevers shows the login page. If I did not use proxy/wpad thing (connect directly and use port redirection (transparent) the captive portal is working properly). I guess this is the drawback using wpad/proxy auto config.
-
Hi mschiek01,
Postfix and dansguardian with clamav can work together, this setup I've tested sucessfully.
Can you post your pfsense version?
Did you tried a full clamav uninstall as described on previous post?
This way I can simulate the problem.I did get it to work. Here is what I did:
Uninstall, postfix, dansguardian & mailscanner
reinstall HAVP
uninstall HAVP & deleted havp user
reinstall postfix, mailscanner, dansguardian
Trying to just pkg_delete the clamv packages was showing errors concerning the packaged deletion.Stopped working again with "error connecting to clam d socket"
check the config file make sure it points to the right clamd socket. In this case on mine the on the /usr/local/etc/clamd.conf clamd socket is located on /var/run/clamd.sock
So I edited the /usr/local/etc/dansguardian/contentscanners/clamdscan.conf to make sure it points to the right location: In mine I change it to:
# edit this to match the location of your ClamD UNIX domain socket clamdudsfile = '/var/run/clamd.sock'
Thanks my configuration was the same. I made the change and it is working now.
Now the dansguardian + av content scanner is working great! I've test it to download eicar test file signature and it detects the signature.
However, I have additional question. I've set the proxy server to dansguardian port in the browser config file on http, ftp and https. But it seems dansguardian does not scan https protocol. Is that normal?
-
think there may be a permission issue with clamav… It doesnt start when i reboot the box. This is what I get when I manually start the process:
./clamav-clamd start mkdir: /var/run/clamav: File exists Starting clamav_clamd. ERROR: Can't open /var/log/clamav/clamd.log in append mode (check permissions!). ERROR: Can't initialize the internal logger ./clamav-clamd: WARNING: failed to start clamav_clamd
the permissions for the files are 0644, wheel/root
when i change it to 777, its able to start -
Cino,
If you apply dansguardian config after reboot it fixes the permission?
-
Cino,
If you apply dansguardian config after reboot it fixes the permission?
It has not in the past.. I'll test again but I had to reboot my box yesterday… then i disabled the ssl man-in-middle(would be a apply to dansguardian) and had to manually set the permissions
-
Ok, I'll check it and socket file location
-
still have a lot more testing with SSL man-in-middle but when I try to access https sites, i'm getting the danguardian denied page "Certificate supplied by server was not valid"
still have to check logs and read the docs from danguardian site on this feature.
I am at the same point with ssl mitm. I found in the dansguardianf1.conf file there are two options:
one for mitm (sslmitm = on) and one for cert checking (sslcertcheck = off), however even with cert checking off, I'm still getting that message:
"Certificate supplied by server was not valid"
So either that option is not sticking or I'm missing something. I had a thought of actually feeding the cert checking function with all the trusted root certs from a popular browser. According to dansguardian.conf they should be placed in '/etc/ssl/certs/' though I'm not sure what format or exactly how to batch export them all… Thoughts? -
I am at the same point with ssl mitm. I found in the dansguardianf1.conf file there are two options:
one for mitm (sslmitm = on) and one for cert checking (sslcertcheck = off), however even with cert checking off, I'm still getting that message:
"Certificate supplied by server was not valid"Are you sure you deselected sslmint option(CTRL+CLICK)?
Every time I test dansguardian package, I can enable and disable this option via gui. -
I am at the same point with ssl mitm. I found in the dansguardianf1.conf file there are two options:
one for mitm (sslmitm = on) and one for cert checking (sslcertcheck = off), however even with cert checking off, I'm still getting that message:
"Certificate supplied by server was not valid"Are you sure you deselected sslmint option(CTRL+CLICK)?
Every time I test dansguardian package, I can enable and disable this option via gui.Yes toggling mitm works. Its the cert checking that won't disable. Even through the conf file.
-
Can you check on dansguardianfx.conf if this option is set on on all groups you have?
At my setup it changes from on/off without issues.
-
I should have been more clear, it toggles on and off in the conf file without issue. But once I enable mitm it apparently automatically enables cert checking Even though the conf file still says certcheck=off. I'm assuming this is the reason we are getting that invalid server cert error.
Maybe dansguardian has a built in dependency when you enable mitm you get cert checking. This makes sense because the user/browser can no longer check the authenticity of the original cert since we are only presenting him with a forged cert. The solution would be (as I see it) to fill the /etc/ssl/certs/ with a repository of the valid Root CAs on the internet and let the cert checking do its job.. That should clear the error.
@marcelloc:Can you check on dansguardianfx.conf if this option is set on on all groups you have?
At my setup it changes from on/off without issues.
-
Ok this appears to have worked. I no longer get the "Certificate supplied by server was not valid". However I now get a 404. It appears to be trying to use some sort of redirecting cgi that we don't have in the package yet?
Now when trying to go to https://mail.google.com it redirects to a url: http://PFSENSE_ip/modules/guardian/cgi-bin/mitm.cgi?https://mail.google.com/mail/?tab=wm which triggers a 404.
Bottom line I think I'm one step closer to working mitm…Here's what I did (maybe someone can suggest a cleaner route, I'm pretty new to this..)
-Ran a live ubuntu iso in virtualbox
-Grabbed the folder /etc/ssl/certs (which is a bunch of symlinks to the mozilla folder)
-Grabbed the folder /usr/share/ca-certificates/mozilla
-dumped them in same locations on pfsense
-violla certs now pass dansguardian inspectionNext step find the missing cgi and drop in www path?
-
It steps on mitm cert verify and on ssl filter?
If so, this is really a GOOD news! :D
-
Yes with mitm ON and cert check ON! Try it you'll get a 404 now..
If there's a way to post the tar's of the cert folders, I would but I'm not sure if that's allowed?It steps on mitm cert verify and on ssl filter?
If so, this is really a GOOD news! :D
-
Send a link to me on private Message.
If it is the same certs Every browser has to check sites, I think there is no problem.
EDIT
Are these the certs you did install?
http://www.FreeBSD.org/cgi/ports.cgi?query=Cert&stype=all&sektion=security
Port description for security/ca_root_nss
Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.This port directly tracks the version of NSS in the security/nss port.
Can you try to install this package and see if you get the same result?
amd64
http://e-sac.siteseguro.ws/packages/amd64/8/All/ca_root_nss-3.13.2.tbzi386
http://e-sac.siteseguro.ws/packages/8/All/ca_root_nss-3.13.2.tbzThis package install /usr/local/share/certs/ca-root-nss.crt and a symlink to /etc/ssl/cert.pem
-
Sent. That looks cool, if that could be incorporated into the package along with the missing cgi we may be in business.
Send a link to me on private Message.
If it is the same certs Every browser has to check sites, I think there is no problem.
EDIT
Are these the certs you did install?
http://www.FreeBSD.org/cgi/ports.cgi?query=Cert&stype=all&sektion=security
Port description for security/ca_root_nss
Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.This port directly tracks the version of NSS in the security/nss port.
Can you try to install this package and see if you get the same result?
amd64
http://e-sac.siteseguro.ws/packages/amd64/8/All/ca_root_nss-3.13.2.tbzi386
http://e-sac.siteseguro.ws/packages/8/All/ca_root_nss-3.13.2.tbzThis package install /usr/local/share/certs/ca-root-nss.crt and a symlink to /etc/ssl/cert.pem
-
The certs looks the same on both.
On freebsd/pfsense the package installs a unique file with all certs with info and on your tar It's a file for each ca.
I'm getting the same result here. with or without cert check enabled I can see all ssl sites not in blacklist.
But when I enable ssl mitm log show all ssl as
DENIED Certificate supplied by server was not valid: unable to get local issuer certificate CONNECT 0 0 SSL Site 1 200 - Default
Tried to copy pfsense created ca to /etc/ssl/certs/ with no success.
If you can test this, edit /usr/local/pkg/dansguardian.conf.template file to fix sslcertificatepath from pfsense ca-root package
#SSL certificate checking path
#Path to CA certificates used to validate the certificates of https sites.
sslcertificatepath = '/etc/ssl/certs/'After this file edit, apply conf on dansguardian gui.
att,
Marcello Coutinho -
You also need to have symlinks to each of the pem files. The name of symlink will be the computed hash of the cert. Without the properly named symlinks, dansguardian will not see the pem files.
See this site for a script to create a correct symlink: http://wiki.openwrt.org/doc/howto/wget-ssl-certsOr if you use the tars I sent they already have all the symlinks setup just do tar -xzf for both folders.
The certs looks the same on both.
On freebsd/pfsense the package installs a unique file with all certs with info and on your tar It's a file for each ca.
I'm getting the same result here. with or without cert check enabled I can see all ssl sites not in blacklist.
But when I enable ssl mitm log show all ssl as
DENIED Certificate supplied by server was not valid: unable to get local issuer certificate CONNECT 0 0 SSL Site 1 200 - Default
Tried to copy pfsense created ca to /etc/ssl/certs/ with no success.
If you can test this, edit /usr/local/pkg/dansguardian.conf.template file to fix sslcertificatepath from pfsense ca-root package
#SSL certificate checking path
#Path to CA certificates used to validate the certificates of https sites.
sslcertificatepath = '/etc/ssl/certs/'After this file edit, apply conf on dansguardian gui.
att,
Marcello Coutinho -
No luck. :(
using tar or using ca-root package and linking pfsense ca created I always get the same error.
using only cert check, all https that is not on blacklists goes with no erros
using ssl mitm every https that is not on whitelist fails withThe only thing that changed is that the error now says:
DENIED Failed to negotiate ssl connection to client CONNECT 0 0 SSL Site 1 200I did removed all certs, including ca-root package and folders.
I'll keep trying to identify how to reach each error.
-
Your symlinks are probably not working. You should have in the /etc/ssl/certs folder about 180 symlinks that look like similar to these:
f060240e.0
f081611a.0
f15719eb.0
f3377b1b.0
f387163d.0
f39fc864.0
f4996e82.0If you cat one of them you should see a certificate pem file.
This has nothing to do with the generated pfsense CA certificate. This is for dansguardian to verify the CA's on the genuine certs it's receiving from websites. It uses the symlinks to quickly locate the correct CA cert.
That's what cert checking does it checks the website cert against a repository of vaild public CA certs. What's interesting is that dansguardian apparently always does the cert checking if mitm is ON.I wonder how we can get that cgi, from the source code it appears to be doing some cookie work. The file mitm.cgi does not appear in the dansguardian-2.12.0.0.tar.gz tarball is that what you're working with?