Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid 3.3.4 package for pfsense with ssl filtering

    Scheduled Pinned Locked Moved Cache/Proxy
    305 Posts 72 Posters 305.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • perikoP
      periko
      last edited by

      I had setup ssl-bump and could navigate to different sites, gmail, google, facebook, paypal and even more, all of them use https.

      The trick for me was to give my ca to each browser, on iexplore import the ca to the root, firefox was more detail because he ask u what rights u want to apply to the ca.

      Just 1 failure with my bank site which I still cannot access with ssl-bump enable, but the browser doesn't give to much details of the issue.

      The 2nd issue I found was with ebay, went I wanted to pay I receive this error:

      The following error was encountered while trying to retrieve the URL: ://checkout.payments.ebay.com:443

      Failed to establish a secure connection to site-ip

      The system returned:

      (92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
      SSL Certficate error: certificate issuer (CA) not known: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©10/CN=VeriSign Class 3 Secure Server CA - G3

      This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

      What I did was to clear certs folders, empty index.txt, size folder value to 0, latter remove my ca from the browsers, create a new one and start over.

      I could pay on ebay, the only issue I have is with my bank now, I will try to add the option that skip some sites from ssl-bump.

      I still nervous if I can send this to production.

      Necesitan Soporte de Pfsense en México?/Need Pfsense Support in Mexico?
      www.bajaopensolutions.com
      https://www.facebook.com/BajaOpenSolutions
      Quieres aprender PfSense, visita mi canal de youtube:
      https://www.youtube.com/c/PedroMorenoBOS

      1 Reply Last reply Reply Quote 0
      • marcellocM
        marcelloc
        last edited by

        @periko:

        I still nervous if I can send this to production.

        with ssl interception you will always need a lot of tests.

        I'm having some issues with some sites too, the workaround is to do not intercept sites I know or trust.

        I'm still waiting squid 3.4 in freebsd ports. Since it's there, I'll update squid3-dev.

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

        1 Reply Last reply Reply Quote 0
        • G
          gzartman
          last edited by

          I've been working to get ssl bumping working on windows 7 & 8 clients, but I continue to get SSL Certificate errors.

          I'm running latest PFsense 2.1, and installed squid3-dev from the repo.

          I created a CA in the certificate manager, then clicked on SSL Man in the middle filter in the Proxy Server panel.  I'm running squid as a transparent proxy, so input port 443 in the port number field.  I then select my CA create in the CA field.

          I'm not sure if I need to select any of the options in Remote Cert checks and Certificate adapt fields, so I'm just accepting defaults (i.e., selecting none).

          I then download the CA on my windows machines and install them as Trusted Root CAs using the certmgr.msc windows application.  When I browse to google.com in both firefox and chrome, I get certificate errors.

          Am I missing a setting in the SSL man in the middle panel or some other setting?

          Thanks,

          greg

          1 Reply Last reply Reply Quote 0
          • perikoP
            periko
            last edited by

            Don't know if this helps, but if u run ccleaner to clear cache in all your browsers before testing, does this helps?

            Necesitan Soporte de Pfsense en México?/Need Pfsense Support in Mexico?
            www.bajaopensolutions.com
            https://www.facebook.com/BajaOpenSolutions
            Quieres aprender PfSense, visita mi canal de youtube:
            https://www.youtube.com/c/PedroMorenoBOS

            1 Reply Last reply Reply Quote 0
            • E
              exograpix
              last edited by

              Squid ssl filtering not working, it used to work 3 days back, but now certificate error are popping all over. please suggest.

              1 Reply Last reply Reply Quote 0
              • marcellocM
                marcelloc
                last edited by

                You have to import pfsense-ca crt on firefox too, internet explorer and chrome uses certmgr.msc imported cert.

                I'm testing it a lot without any cert issues on any sites.

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                1 Reply Last reply Reply Quote 0
                • E
                  exograpix
                  last edited by

                  Hi,

                  I have loaded ca certificate in trusted root certificate and webconfigurator certificate in personal (through certmgr.msc). but still shows certificate error in internet explorer. please suggest what to do.

                  1 Reply Last reply Reply Quote 0
                  • E
                    exograpix
                    last edited by

                    In spite of all my effort still certificate error as soon as I enable ssl filtering , help guys.

                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      @exograpix:

                      I have loaded ca certificate in trusted root certificate and webconfigurator certificate in personal (through certmgr.msc). but still shows certificate error in internet explorer. please suggest what to do.

                      the only place you need is trusted root certificate on ie and firefox.

                      Sure it works.

                      screenshot the certificate you get when firefox rejects.

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      1 Reply Last reply Reply Quote 0
                      • P
                        postduif
                        last edited by

                        @marcelloc:

                        @exograpix:

                        I have loaded ca certificate in trusted root certificate and webconfigurator certificate in personal (through certmgr.msc). but still shows certificate error in internet explorer. please suggest what to do.

                        the only place you need is trusted root certificate on ie and firefox.

                        Sure it works.

                        screenshot the certificate you get when firefox rejects.

                        It doesn't work any longer since I've updated to pfSense 2.1.1
                        It worked on 2.1

                        1 Reply Last reply Reply Quote 0
                        • E
                          exograpix
                          last edited by

                          Thats my problem too , I have tried all combination but doesn't work, it used to work earlier quite smoothly, but somehow it stopped working now.

                          I request to sort this issue out asap to help the community and existing installs.

                          1 Reply Last reply Reply Quote 0
                          • belleraB
                            bellera
                            last edited by

                            @postduif:

                            It doesn't work any longer since I've updated to pfSense 2.1.1
                            It worked on 2.1

                            Need to see which system things changed with the upgrade.

                            Verify the "orphan" libraries for squid3-dev and what about OpenSSL?

                            OpenSSL does not like country codes longer than two letters, so remove entries that are not actually country codes

                            https://doc.pfsense.org/index.php/2.1.1_New_Features_and_Changes

                            1 Reply Last reply Reply Quote 0
                            • E
                              exograpix
                              last edited by

                              I have used the standard process as pfsense 2.1 (now even in previous version ssl certificate error is popping)

                              I installed pfsense.

                              Created the internal CA.

                              Created the server certificate (tried client too)

                              Import CA certificate through certmgr.msc in trusted root

                              Import other certificate in personal

                              copied missing files for squid.

                              Installed squid-dev from packages.

                              Configured squid as before with ssl filter and certificate and boom even microsoft default certificate error.

                              1 Reply Last reply Reply Quote 0
                              • P
                                postduif
                                last edited by

                                @bellera:

                                @postduif:

                                It doesn't work any longer since I've updated to pfSense 2.1.1
                                It worked on 2.1

                                Need to see which system things changed with the upgrade.

                                Verify the "orphan" libraries for squid3-dev and what about OpenSSL?

                                OpenSSL does not like country codes longer than two letters, so remove entries that are not actually country codes

                                https://doc.pfsense.org/index.php/2.1.1_New_Features_and_Changes

                                Checked, and the orphan libraries are on the system. Countrycode is 2 letters.
                                Squid http filtering works fine, only the https part results in certificate errors.

                                1 Reply Last reply Reply Quote 0
                                • E
                                  exograpix
                                  last edited by

                                  https is the problem and it is major concern now.

                                  1 Reply Last reply Reply Quote 0
                                  • belleraB
                                    bellera
                                    last edited by

                                    pfSense 2.1 (not upgraded to 2.1.1)
                                    squid3-dev upgraded from 3.3.10 pkg 2.2.1 to 3.3.10 pkg 2.2.2

                                    Bug for interception

                                    Last lines of squid.conf generated by 2.2.1

                                    # Custom options
                                    
                                    always_direct allow all
                                    ssl_bump server-first all
                                    # Setup allowed acls
                                    # Allow local network(s) on interface(s)
                                    http_access allow localnet
                                    # Default block all to be sure
                                    http_access deny allsrc
                                    

                                    Last lines of squid.conf generated by 2.2.2

                                    # Custom options before auth
                                    
                                    # Setup allowed acls
                                    # Allow local network(s) on interface(s)
                                    http_access allow localnet
                                    # Default block all to be sure
                                    http_access deny allsrc
                                    

                                    Workaround until next version

                                    Put at Custom ACLS (Before_Auth) box the lines

                                    always_direct allow all
                                    ssl_bump server-first all

                                    Custom ACLS (After_Auth)

                                    In addition to this, the box Custom ACLS (After_Auth) does nothing.

                                    Rotate Cron duplicated

                                    The upgrade also duplicates the rotate cron. You can see it if you have Cron package installed

                                    0  	0  	*  	*  	*  	root  	/bin/rm /var/squid/cache/swap.state; /usr/pbi/squid-i386/sbin/squid -k rotate -f /usr/pbi/squid-i386/etc/squid/squid.conf  	
                                    0  	0  	*  	*  	*  	root  	/usr/pbi/squid-i386/sbin/squid -k rotate -f /usr/pbi/squid-i386/etc/squid/squid.conf
                                    

                                    Delete the old cron containing rm swap.state and look up the new option Proxy server: Cache management: Clear cache on log rotate

                                    Discussion about the new option, https://forum.pfsense.org/index.php?topic=74453.msg407287#msg407287

                                    More about squid duplicated cron, https://forum.pfsense.org/index.php?topic=74633.0

                                    1 Reply Last reply Reply Quote 0
                                    • E
                                      exograpix
                                      last edited by

                                      Thanks for all the support, worked like a charm, much relieved now, I am not blaming developer doing very good job, but this bug wasted almost two days of working time.

                                      Again my appreciations , you are a life saver.

                                      If you can, please explain cron thing in details.

                                      1 Reply Last reply Reply Quote 0
                                      • belleraB
                                        bellera
                                        last edited by

                                        Thanks for your good words!

                                        @exograpix:

                                        If you can, please explain cron thing in details.

                                        https://forum.pfsense.org/index.php?topic=74453.msg407820#msg407820

                                        1 Reply Last reply Reply Quote 0
                                        • B
                                          bardok
                                          last edited by

                                          I just created an account to say thank you. I've wasted all my afternoon after the upgrade, trying to guess why ssl bumping stopped to work at our school, but tomorrow everything (included the filter for the students) will be able to continue as expected.

                                          1 Reply Last reply Reply Quote 0
                                          • belleraB
                                            bellera
                                            last edited by

                                            Thanks for your good words!

                                            Also, at school, www.bellera.cat  :) :) :) :)

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.