Squid 3.3.4 package for pfsense with ssl filtering

marcelloc

@periko:

I still nervous if I can send this to production.

with ssl interception you will always need a lot of tests.

I'm having some issues with some sites too, the workaround is to do not intercept sites I know or trust.

I'm still waiting squid 3.4 in freebsd ports. Since it's there, I'll update squid3-dev.

gzartman

I've been working to get ssl bumping working on windows 7 & 8 clients, but I continue to get SSL Certificate errors.

I'm running latest PFsense 2.1, and installed squid3-dev from the repo.

I created a CA in the certificate manager, then clicked on SSL Man in the middle filter in the Proxy Server panel.  I'm running squid as a transparent proxy, so input port 443 in the port number field.  I then select my CA create in the CA field.

I'm not sure if I need to select any of the options in Remote Cert checks and Certificate adapt fields, so I'm just accepting defaults (i.e., selecting none).

I then download the CA on my windows machines and install them as Trusted Root CAs using the certmgr.msc windows application.  When I browse to google.com in both firefox and chrome, I get certificate errors.

Am I missing a setting in the SSL man in the middle panel or some other setting?

Thanks,

greg

periko

Don't know if this helps, but if u run ccleaner to clear cache in all your browsers before testing, does this helps?

exograpix

Squid ssl filtering not working, it used to work 3 days back, but now certificate error are popping all over. please suggest.

marcelloc

You have to import pfsense-ca crt on firefox too, internet explorer and chrome uses certmgr.msc imported cert.

I'm testing it a lot without any cert issues on any sites.

exograpix

Hi,

I have loaded ca certificate in trusted root certificate and webconfigurator certificate in personal (through certmgr.msc). but still shows certificate error in internet explorer. please suggest what to do.

exograpix

In spite of all my effort still certificate error as soon as I enable ssl filtering , help guys.

marcelloc

@exograpix:

I have loaded ca certificate in trusted root certificate and webconfigurator certificate in personal (through certmgr.msc). but still shows certificate error in internet explorer. please suggest what to do.

the only place you need is trusted root certificate on ie and firefox.

Sure it works.

screenshot the certificate you get when firefox rejects.

postduif

@marcelloc:

@exograpix:

I have loaded ca certificate in trusted root certificate and webconfigurator certificate in personal (through certmgr.msc). but still shows certificate error in internet explorer. please suggest what to do.

the only place you need is trusted root certificate on ie and firefox.

Sure it works.

screenshot the certificate you get when firefox rejects.

It doesn't work any longer since I've updated to pfSense 2.1.1
It worked on 2.1

exograpix

Thats my problem too , I have tried all combination but doesn't work, it used to work earlier quite smoothly, but somehow it stopped working now.

I request to sort this issue out asap to help the community and existing installs.

bellera

@postduif:

It doesn't work any longer since I've updated to pfSense 2.1.1
It worked on 2.1

Need to see which system things changed with the upgrade.

Verify the "orphan" libraries for squid3-dev and what about OpenSSL?

OpenSSL does not like country codes longer than two letters, so remove entries that are not actually country codes

https://doc.pfsense.org/index.php/2.1.1_New_Features_and_Changes

exograpix

I have used the standard process as pfsense 2.1 (now even in previous version ssl certificate error is popping)

I installed pfsense.

Created the internal CA.

Created the server certificate (tried client too)

Import CA certificate through certmgr.msc in trusted root

Import other certificate in personal

copied missing files for squid.

Installed squid-dev from packages.

Configured squid as before with ssl filter and certificate and boom even microsoft default certificate error.

postduif

@bellera:

@postduif:

It doesn't work any longer since I've updated to pfSense 2.1.1
It worked on 2.1

Need to see which system things changed with the upgrade.

Verify the "orphan" libraries for squid3-dev and what about OpenSSL?

OpenSSL does not like country codes longer than two letters, so remove entries that are not actually country codes

https://doc.pfsense.org/index.php/2.1.1_New_Features_and_Changes

Checked, and the orphan libraries are on the system. Countrycode is 2 letters.
Squid http filtering works fine, only the https part results in certificate errors.

exograpix

https is the problem and it is major concern now.

bellera

pfSense 2.1 (not upgraded to 2.1.1)
squid3-dev upgraded from 3.3.10 pkg 2.2.1 to 3.3.10 pkg 2.2.2

Bug for interception

Last lines of squid.conf generated by 2.2.1

# Custom options

always_direct allow all
ssl_bump server-first all
# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

Last lines of squid.conf generated by 2.2.2

# Custom options before auth

# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

Workaround until next version

Put at Custom ACLS (Before_Auth) box the lines

always_direct allow all
ssl_bump server-first all

Custom ACLS (After_Auth)

In addition to this, the box Custom ACLS (After_Auth) does nothing.

Rotate Cron duplicated

The upgrade also duplicates the rotate cron. You can see it if you have Cron package installed

0  	0  	*  	*  	*  	root  	/bin/rm /var/squid/cache/swap.state; /usr/pbi/squid-i386/sbin/squid -k rotate -f /usr/pbi/squid-i386/etc/squid/squid.conf  	
0  	0  	*  	*  	*  	root  	/usr/pbi/squid-i386/sbin/squid -k rotate -f /usr/pbi/squid-i386/etc/squid/squid.conf

Delete the old cron containing rm swap.state and look up the new option Proxy server: Cache management: Clear cache on log rotate

Discussion about the new option, https://forum.pfsense.org/index.php?topic=74453.msg407287#msg407287

More about squid duplicated cron, https://forum.pfsense.org/index.php?topic=74633.0

exograpix

Thanks for all the support, worked like a charm, much relieved now, I am not blaming developer doing very good job, but this bug wasted almost two days of working time.

Again my appreciations , you are a life saver.

If you can, please explain cron thing in details.

bellera

Thanks for your good words!

@exograpix:

If you can, please explain cron thing in details.

https://forum.pfsense.org/index.php?topic=74453.msg407820#msg407820

bardok

I just created an account to say thank you. I've wasted all my afternoon after the upgrade, trying to guess why ssl bumping stopped to work at our school, but tomorrow everything (included the filter for the students) will be able to continue as expected.

bellera

Thanks for your good words!

Also, at school, www.bellera.cat  :) :) :) :)

marcelloc

ssl_bump acls were inside auth loop. I'm fixing it right now.