Netgate Discussion Forum
    Ssl https not work in some website (SSL Man In the Middle Filtering)

    yahav02

      When I entered the site, I went with the domain name.
      Just when I entered the member registration on the site, I got this message.
      It seems that Squid does it automatically?

      It also happens when I try to log in to https://outlook.co.il

      The following error occurred while attempting to resolve the address
      URL: https://outlook.co.il/

      An error occurred trying to create a secure connection 157.55.43.17

      The system returned:

      [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
      Certificate does not match domainname: /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna DUB-A Jun2015

      This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

      KOM

        These are broken sites you are trying to get to.  They also fail for me, and I don't have a problem with any site in general.  When I go to outlook.co.il I get a cert error, and the SAN cert says it is for the following domains:


        You will notice that outlook.co.il is not in this list, so you get a certificate mismatch.  Nothing to do with pfSense.

          yahav02
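To show how a bumping proxy (or any TLS client) reaches the domain-mismatch verdict KOM describes, here is an added example that is not code from this thread or from Squid: it parses a "DNS Name=host" listing like the one pasted above and checks a requested hostname against the certificate's dNSName entries, including the RFC 6125 single-label wildcard rule the thread does not discuss. The SAN listing is a constructed subset of the real one, plus a "*.afx.ms" wildcard entry added here for illustration.

```python
import re
from typing import List

# Constructed sample in the "DNS Name=host" format pasted above: a handful of the
# real entries plus a "*.afx.ms" wildcard added here to exercise the wildcard rule.
SAN_LISTING = """\
DNS Name=contacts.live.com
DNS Name=hotmail.com
DNS Name=mail.live.com
DNS Name=*.afx.ms
DNS Name=www.live.com
"""


def parse_san_listing(text: str) -> List[str]:
    """Pull the dNSName values out of a 'DNS Name=host' listing, one per line."""
    names = []
    for line in text.splitlines():
        m = re.match(r"\s*DNS Name=(\S+)\s*$", line)
        if m:
            names.append(m.group(1).lower().rstrip("."))
    return names


def san_matches(hostname: str, san_name: str) -> bool:
    """Compare one requested name against one dNSName (RFC 6125 rules):
    case-insensitive exact match, or a '*' that is the entire left-most label,
    matches exactly one label, and leaves at least two literal labels."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san_name.lower().rstrip(".").split(".")
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def certificate_covers(hostname: str, san_names: List[str]) -> bool:
    """True when any SAN entry matches; False is exactly the condition Squid
    reports as SQUID_X509_V_ERR_DOMAIN_MISMATCH on a bumped connection."""
    return any(san_matches(hostname, n) for n in san_names)


def diagnose(hostname: str, san_listing: str) -> str:
    """Return 'OK' or the Squid error name for a requested name vs. a SAN listing."""
    names = parse_san_listing(san_listing)
    return "OK" if certificate_covers(hostname, names) else "SQUID_X509_V_ERR_DOMAIN_MISMATCH"


if __name__ == "__main__":
    for h in ("outlook.co.il", "hotmail.com", "dub109.afx.ms", "a.b.afx.ms"):
        print(h, "->", diagnose(h, SAN_LISTING))
```

Running it reports a mismatch for outlook.co.il and OK for hotmail.com, which is the same outcome the user saw in the browser and in the Squid error page.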

          Can this link fix it?
          http://wiki.squid-cache.org/Features/SslBump

            KOM

            I doubt it.  The error is that their certificate does not match the domain name you are using to access them.  Only they can fix that.  Send them an email and ask them why you get cert errors when using their site.  I just tried it again on my end and it worked the second time (redirected to login.live.com) so the problem seems to be intermittent.  I wonder if they just have a misconfigured server that you get served round-robin?

              yahav02

              The problem happens on a few sites, not only on outlook.co.il,

              like this one:
              https://forums.linuxmint.com/

              Has it nothing to do with it?

                Kababayan

                When SSL sites redirect us to another SSL site, it will fail. It will check the actual certificate received by the client before it tries to redirect us to another site.

                Fix: bypass the proxy on these sites, or try accessing directly the site it will redirect you to.

                For https://outlook.co.il/ just go directly to https://login.live.com/

                  ashima

                  Hello,

                  There is another solution which is working for me. Bypass HTTPS filtering for the particular computer which is used to access such sites. All your HTTP blocking rules will still apply for that computer, but HTTPS sites accessed from this computer will bypass the proxy.

                  This can be done by inbound port forwarding. Create an alias for the IPs of the computers for which you want to bypass HTTPS filtering. Create a NAT rule as in the attached screenshot.

                  I hope this is useful for someone.

                  Thanks.

                  HttpsAllow.JPG

                    ashima

                    Can anyone test accessing https://workshop.olacabs.com behind a firewall with SSL bumping? Is there an issue with the site, or is my firewall misconfigured? I am able to access the site without SSL bump.

                    Can anyone test this particular site?

                    Thank you.
                    Ashima

                      Impatient

                      I get an "enter email" page with SSL bump and Squid transparent enabled.

                        ashima

                        Thank you for testing it. Can anyone else also try it, please? Accessing https://workshop.olacabs.com with SSL bump in transparent mode.

                        Thank you
                        Ashima

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.