Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Trust CA and Certificate issue ?

    Scheduled Pinned Locked Moved General pfSense Questions
    13 Posts 6 Posters 6.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M Offline
      myhome
      last edited by

      Dear All,

      If I
          1) Create a certificate to my domain from StartSSL
          2) Import it to my CA on PFSense
          3) Enable HTTPS filter

      Are that will remove the warning message of "Certificate is not trusted" in web browser ?

      Note:
      PFSense are a standalone server (not join domain)

      Thanks

      1 Reply Last reply Reply Quote 0
      • H Offline
        Harvy66
        last edited by

        It should stop your PFSense box from not being trusted. I'm not sure if it will work with private IP addresses. It won't work for HTTPS transparent mode proxy. I only mention that because you said "HTTPS Filter" and that sounded like you were potentially talking about squid proxy.

        1 Reply Last reply Reply Quote 0
        • M Offline
          myhome
          last edited by

          Thank you Harvy66 for your reply.

          yes, I will use Squid proxy to filter HTTPS users traffic and i need this certificate from trusted CA to avoid the message in users browser

          So, if you know another way to do that please, tell me.

          1 Reply Last reply Reply Quote 0
          • H Offline
            Harvy66
            last edited by

            You can't throw any CA signed cert, it has to be a CA signed cert for the domain in question. If you want to proxy Google.com, then you need a cert signed for Google.com.

            Of course you'll never get this, even the government has to pull strings to get this. The only way to man-in-the-middle an HTTPS connection is to make your own self-signed certs for each domain and add your root cert to all of the clients and tell them to explicitly trust your root cert. You need to be your own CA. Unless you can make a fully wild-card cert for all domains. Maybe that's possible, I never had to mess with this before.

            Just to let you know, this can create some security issues since HTTPS not only encrypts connections but authenticates connections. Your connections will still be encrypted, but they will falsely authenticate potentially any website.

            1 Reply Last reply Reply Quote 0
            • johnpozJ Offline
              johnpoz LAYER 8 Global Moderator
              last edited by

              It's possible to filter https traffic with creation with your own CA and installing that CA into your clients browsers so they trust any cert you present.

              But really not nice to mitm https traffic.  Why do you want to do this to be honest??  For a home its really really pointless.. Are you trying to block your kids from hitting porn via https?  What is your goal in https mitm?  There are ways to block https site you don't want them to go to without having to mess with the https certs.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • M Offline
                myhome
                last edited by

                I have over 3000 users on the current Wi-Fi network  ::) and for sure it is not practical to deploy a certificate to these numbers.

                Since all the smart phones are using the https for it's application which overload the bandwidth of the Wi-Fi, hecne I would like to block specfic https websites i.e (download from google play, youtube and social media videos etc..) and in the other hand i would like to allow using i.e ( e-mails pages, banks etc…)

                Is there any suggestion to block specfic https websites instead of using MITM and deploying certificate to all 3000 users.  :o

                1 Reply Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  you don't need to present trusted certs to block https.. Now if you want to present them with a page telling them that domain is blocked then you would need to use a cert they trust to present that page via https.

                  But you sure and the hell do not need to mitm to block a domain.  Why can you not just setup a dstdomain acl and then use connect to block - connect is done before the protocol so does not matter if the uri is ftp:// or https:// etc..

                  If you want to block stuff they might be doing inside a https connection that you allowed then you would have to ssl bump and use a cert that they trust.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • H Offline
                    Harvy66
                    last edited by

                    Mind you, blocking "downloads" from Google Play will be just blocking all of Google Play. This may break cell phones in some fashion. Google Play is not just an app store, but also handles user settings.

                    If you're trying to limit bandwidth usage, there's not much you can do, but if you just want to give users a better experience, why not use traffic shaping like FairQ?

                    1 Reply Last reply Reply Quote 0
                    • KOMK Offline
                      KOM
                      last edited by

                      You're in for a world of hurt if you think you're going to service 3000 users with Squid in transparent mode.

                      Normally if you want to intercept HTTPS transparently, you need to install the pfSense certificate into every client browser.  This is impractical, obviously, and that fact makes transparet mode uselsss these days.  So your next option is a mix of manual configuration of the proxy in conjunction with auto-detection using WPAD.

                      1 Reply Last reply Reply Quote 0
                      • D Offline
                        doktornotor Banned
                        last edited by

                        Disregarding the technical aspects - unless you are talking about corporate environment; by blocking things like Google Play, you're just gonna piss off your customers. Big time.

                        1 Reply Last reply Reply Quote 0
                        • M Offline
                          myhome
                          last edited by

                          I will try to use "WPAD"

                          But there is no option to select "Auto detect proxy" on Android phones.
                          Are that mean i must configure it manually on all phones ?!!!

                          1 Reply Last reply Reply Quote 0
                          • GertjanG Offline
                            Gertjan
                            last edited by

                            IF
                            @myhome:

                            I will try to use "WPAD"

                            means that you have to
                            @myhome:

                            But there is no option to select "Auto detect proxy" on Android phones.
                            Are that mean i must configure it manually on all phones ?!!!

                            then stop trying and your done, right ;)

                            Why implementing WPAD ?
                            Using the captive portal for years now (wireless, 5 AP, and wired) : devices just connect. They (client) 'find' our Wifi network, they (client) connect to it, they will be presented with a login page**, and they are connected / on the net.

                            ** iDevices always worked good or great - Android people are not complaining (anymore) (when they updated to recent OS version) - PC's always worked good.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                            1 Reply Last reply Reply Quote 0
                            • KOMK Offline
                              KOM
                              last edited by

                              Are that mean i must configure it manually on all phones ?!!!

                              Yes.  Android support for WPAD is strangely absent.

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.