Netgate Discussion Forum
    Problem Opening Websities when using Transparent https (Squid)

    Cache/Proxy
    muhammad.alitav.com.pk

      I have followed:

      https://forum.pfsense.org/index.php?topic=72528.0

      to successfully implement transparent HTTPS with Squid Proxy.

      The issue is with the following website:

      safemarine.com

      Can anyone help me on this?

        agixdota

        You may use ssl_bump none  ;D

          muhammad.alitav.com.pk

          Not working.

          acl broken_sites dstdomain .safmarine.com
          ssl_bump none broken_sites

            KOM

            That site has an untrusted cert.  When I examine the cert, it appears to be self-signed.  Nobody in the world will trust that.

            Here are the problems:

            1.  This cert has been issued to accentosrl.origina.it, not www.safemarine.com
            2.  This cert is self-signed with no trusted Certificate Authority behind it
            3.  It's using the deprecated SHA1 algorithm

            They need to get a real certificate for the real domain using current encryption and try again.  You can get a free SSL cert good for one year from www.startssl.com.

            Lastly, questions about squid go in the Packages - Cache/Proxy forum.  This has nothing to do with the firewall.

              Gertjan
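The three problems KOM found by inspecting the certificate are exactly what a bumping proxy's verifier trips over, so it is worth being able to reproduce the triage before deciding whether a site deserves an exemption. The checker below is an added example, not code from this thread, from Squid or from pfSense. It takes certificate fields in the layout Python's `ssl.SSLSocket.getpeercert()` returns and assumes the signature algorithm string is supplied separately (for instance from `openssl x509 -text`), because `getpeercert()` does not expose it. Of the finding labels it emits, only `SQUID_X509_V_ERR_DOMAIN_MISMATCH` is a name quoted in this thread; the other two are this example's own. The sample certificates are constructed, modelled on KOM's description.

```python
"""Triage a remote server certificate the way an SSL-bumping proxy admin would:
does it name the requested host, is it self-signed, is its digest deprecated?

Added example; certificate dicts use the ssl.getpeercert() layout and the
signature algorithm is assumed to come from an external parser.
"""
import ipaddress
from typing import Dict, List

# Digests a verifier should no longer accept for certificate signatures.
WEAK_DIGESTS = ("md5", "sha1")


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID comparison: case-insensitive, a single wildcard
    only as the whole leftmost label, never spanning a dot and never covering
    a bare suffix such as '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lb for lb in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _name_to_dict(rdns) -> Dict[str, str]:
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) structure."""
    return {k: v for rdn in rdns for (k, v) in rdn}


def hostname_matches(cert: dict, hostname: str) -> bool:
    """subjectAltName wins; the CN is consulted only when no SAN exists, which
    is how verifiers behaved at the time of this thread."""
    sans = cert.get("subjectAltName", ())
    dns_ids = [v for (t, v) in sans if t == "DNS"]
    ip_ids = [v for (t, v) in sans if t == "IP Address"]
    if dns_ids or ip_ids:
        try:
            ip = ipaddress.ip_address(hostname)
            return any(ipaddress.ip_address(i) == ip for i in ip_ids)
        except ValueError:  # not an IP literal: compare DNS names
            return any(_dns_name_matches(d, hostname) for d in dns_ids)
    cn = _name_to_dict(cert.get("subject", ())).get("commonName", "")
    return bool(cn) and _dns_name_matches(cn, hostname)


def is_self_signed(cert: dict) -> bool:
    """Issuer identical to subject: no CA stands behind the certificate."""
    return _name_to_dict(cert.get("subject", ())) == _name_to_dict(cert.get("issuer", ()))


def uses_weak_digest(sig_alg: str) -> bool:
    """True for signature algorithms built on MD5 or SHA-1 (e.g. sha1WithRSAEncryption)."""
    normalized = sig_alg.lower().replace("-", "")
    return any(d in normalized for d in WEAK_DIGESTS)


def triage(cert: dict, sig_alg: str, requested_host: str) -> List[str]:
    """Return the findings to review before exempting a site from bumping."""
    findings = []
    if not hostname_matches(cert, requested_host):
        findings.append("SQUID_X509_V_ERR_DOMAIN_MISMATCH")   # name used by Squid (see thread)
    if is_self_signed(cert):
        findings.append("SELF_SIGNED_NO_TRUSTED_CA")          # this example's own label
    if uses_weak_digest(sig_alg):
        findings.append("WEAK_SIGNATURE_DIGEST:" + sig_alg)   # this example's own label
    return findings


# Constructed sample modelled on KOM's description: wrong name, self-signed, SHA-1.
SAMPLE_BAD_CERT = {
    "subject": ((("commonName", "accentosrl.origina.it"),),),
    "issuer": ((("commonName", "accentosrl.origina.it"),),),
}
SAMPLE_BAD_SIG = "sha1WithRSAEncryption"

# Constructed healthy counterpart: CA-issued, SAN present, SHA-256.
SAMPLE_GOOD_CERT = {
    "subject": ((("commonName", "www.example.net"),),),
    "issuer": ((("commonName", "Example Issuing CA"),), (("organizationName", "Example CA Ltd"),)),
    "subjectAltName": (("DNS", "*.example.net"), ("DNS", "example.net")),
}
SAMPLE_GOOD_SIG = "sha256WithRSAEncryption"

if __name__ == "__main__":
    print(triage(SAMPLE_BAD_CERT, SAMPLE_BAD_SIG, "www.safemarine.com"))
    print(triage(SAMPLE_GOOD_CERT, SAMPLE_GOOD_SIG, "www.example.net"))
```

Run against the constructed bad certificate with the requested host `www.safemarine.com`, the checker reports all three findings; the healthy sample reports none. The wildcard rules matter for the exemption decision: `*.example.net` covers `www.example.net` but not `a.b.example.net`, and a SAN-bearing certificate is never rescued by a matching CN.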

              @KOM:

              … This has nothing to do with the firewall.

              Well … yes, it does somehow.
              It breaks the 'firewall' ... ;)

              [Ok, I leave]

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit: and where are the logs??

                muhammad.alitav.com.pk

                Can I bypass it somehow?

                  KOM

                  Can I bypass it somehow?

                  Yes, by clicking "I Understand The Risks" and continuing anyway after you have been warned about the bad cert.  However, this is Bad Security.  You don't want to train people to ignore errors and warnings.  Get a real certificate.  It isn't that hard nor that expensive.

                    chavarriaa

                    @KOM:

                    Can I bypass it somehow?

                    Yes, by clicking "I Understand The Risks" and continuing anyway after you have been warned about the bad cert.  However, this is Bad Security.  You don't want to train people to ignore errors and warnings.  Get a real certificate.  It isn't that hard nor that expensive.

                    KOM,
                    on some websites the option "I understand the risks" doesn't appear. It says the page only works with their certificates.
                    When I use ssl_bump, Squid skips this message, but immediately Squid appears with SQUID_X509_V_ERR_DOMAIN_MISMATCH.

                    I tried with another certificate (free, startssl.com); when I import the certificate in pfSense, Squid doesn't want to start.

                    Thanks for sharing your knowledge.

                      KOM

                      You don't import certificates into pfSense, you import them into your web browser or PC operating system.  You should probably start your own thread since your problems don't seem to be similar.  Make a new thread with the problem you have and what you have done to fix it.

                        chidgear

                        Maybe you want to pass the control to the users for these special cases. Sometimes you make use of a website that you know is safe, but the certificate is in "bad shape", showing that error page, so to "bypass" it in these cases you need to pass the control to the user. In "Proxy server" -> "General" tab -> "SSL man in the middle filtering" -> "Remote Cert checks", select "Accept remote server certificate errors"
                        (screenshot attached)

                        This must get rid of that page and show you the browser dialog referring to the SSL certificate trouble, allowing you to add the site to the exception list.

                        Captura.PNG

                          chavarriaa

                          KOM, I'll make my own thread.

                          Chidgear, I have this option. I can access some sites by clicking "add to exception", but not gmail.com. Also, when I have to update my applications the proxy server doesn't let me update (Windows, antivirus, local software, etc.); this is another problem, and I'll make another thread for it too. Like I said, I've tried with ssl_bump and an authentic certificate, and my problem is the same.

                          I'll tell you any news.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.