Netgate Discussion Forum
SSL Filtering blocks some windows apps (Dropbox, Anydesk and etc.)

Cache/Proxy
    emammadov
    last edited by Feb 26, 2017, 9:36 AM

    Hello,

    I have enabled SSL filtering in Squid Proxy. I exported the certificate and added it to my computer. But after that the Dropbox application and some other software stopped working, although I can still access https websites. What are my options to solve this issue?

    Elvin

      sichent
      last edited by Feb 26, 2017, 2:38 PM

      That's SSL Certificate Pinning working, see explanation at https://docs.diladele.com/faq/squid/sslbump_exlusions/dropbox.html

        emammadov
        last edited by Feb 26, 2017, 6:02 PM

        I am using Squid proxy inside pfSense and added dropbox.com, but it didn't work.

        [attachment: squid.jpg]

        Elvin

          pfsensation
          last edited by Feb 26, 2017, 6:24 PM

           This is an annoying security feature, as mentioned before, called Certificate Pinning. It's there to stop MITM attacks like the one you are doing. I have a similar configuration to yours, but I've had to set up bypasses via Squid for apps which use Certificate Pinning to make them work.

            emammadov
             last edited by Feb 26, 2017, 8:17 PM

             Thank you very much for your help. I changed SSL/MITM Mode to Splice All. It works now. But Splice All says "Content filtering (such as Antivirus) will not be available for SSL sites." Then keeping ClamAV Antivirus turned on doesn't make sense?

            Elvin

               sichent
              last edited by Feb 27, 2017, 8:37 AM

               Revert Splice All (it actually means no HTTPS filtering) and try adding .dropbox.com (note the leading dot!!) to the SSL filter exclusions.

                emammadov
                last edited by Feb 27, 2017, 10:01 AM

                 Actually, I tested https sites with Splice All, and it worked.
                 I reverted from Splice All to Splice Whitelist, Bump Otherwise and added .dropbox.com in "Bypass Proxy for These Destination IPs" under Transparent Proxy Settings. When saving the settings, it gives an error: "Bypass proxy for these destination IPs' entry '.dropbox.com' is not a valid IP address, hostname, or alias."

                Elvin

                   doktornotor
                  last edited by Feb 27, 2017, 10:04 AM

                  That is not the place. The place is ACLs - Whitelist.

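What the "Splice Whitelist, Bump Otherwise" mode has to produce in Squid terms, shown here as an added example rather than the configuration the pfSense Squid package generates (the package writes its own squid.conf from the GUI; the directive names below are Squid 3.5+ syntax, the listening-port and certificate-generator setup is assumed to already exist, and the hostnames are illustrative, not an authoritative Dropbox or AnyDesk list):

```conf
# Added example, not the pfSense-generated squid.conf.
# Assumes an http_port/https_port with ssl-bump and an sslcrtd_program are
# already configured (pfSense does that when SSL filtering is enabled).

# SslBump step 1: only peek at the ClientHello so Squid learns the SNI
# before deciding anything. Without this, ssl::server_name has no SNI
# to match in transparent mode (there is no CONNECT header to read).
acl step1 at_step SslBump1

# Services whose clients pin certificates and must not be decrypted.
# A leading dot matches the domain itself and every subdomain
# (dropbox.com, client.dropbox.com, d.dropbox.com, ...); "dropbox.com"
# without the dot would match only the apex name.
acl no_bump ssl::server_name .dropbox.com .dropboxapi.com .anydesk.com

ssl_bump peek   step1     # learn the SNI first
ssl_bump splice no_bump   # tunnel pinned services untouched, end to end
ssl_bump bump   all       # everything else is decrypted and filtered
```

Order matters: `peek step1` must come before the `splice`, or the whitelist is evaluated before the SNI is known. Validate with `squid -k parse` before reloading. To confirm from a client which path a host took, run `openssl s_client -connect www.dropbox.com:443 -servername www.dropbox.com </dev/null | openssl x509 -noout -issuer`: a spliced host shows the site's real CA as issuer, a bumped host shows the pfSense CA. This also explains the error in the previous post: "Bypass Proxy for These Destination IPs" accepts only IP addresses or aliases, and a hostname-based splice is the better fit anyway because these services sit behind address pools that change.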
                    emammadov
                    last edited by Feb 27, 2017, 11:17 AM

                     Thanks, I will try it. But what about my router using DHCP relay? Then I have to add the certificate to each mobile phone too?

                    Elvin

                      pfsensation
                      last edited by Feb 27, 2017, 4:40 PM

                      @emammadov:

                       Thanks, I will try it. But what about my router using DHCP relay? Then I have to add the certificate to each mobile phone too?

                       Don't use the router for DHCP. Use pfSense as the DHCP server, so you can configure WPAD (so devices can auto-discover your proxy); there are guides already on how to do that. Export the CA certificate from pfSense and install it on all your mobile devices. If you have Android devices, note that there are steps involved: Android doesn't support WPAD or any auto-discovery by default, so you'll have to set that up manually. On iOS devices, just set the proxy to auto and it should pick it up from WPAD.

                       Also, are you using SquidGuard to do the filtering? For mobile devices… you'll find a lovely surprise of apps not working due to certificate pinning. I've been through all this myself and have set up bypasses for most of them.

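For the explicit-proxy clients the WPAD setup above serves, the same pinned-service exclusion can be expressed in the PAC file itself. This is an added example, not code from the thread or from pfSense; the proxy address 192.168.1.1:3128 and the domain list are assumptions, and the file is plain JavaScript so it runs under Node as well as in a browser's PAC engine:

```javascript
// Added example: a wpad.dat / proxy.pac that routes certificate-pinning
// apps DIRECT and everything else through the pfSense Squid proxy.
// Assumed pfSense LAN address and Squid port:
var PROXY = "PROXY 192.168.1.1:3128";

// Services whose clients pin certificates and must not be bumped. A leading
// dot matches the domain itself and every subdomain, mirroring Squid's
// dstdomain / ssl::server_name semantics. Illustrative list, not authoritative.
var DIRECT_DOMAINS = [".dropbox.com", ".dropboxapi.com", ".anydesk.com"];

// Suffix match with leading-dot semantics: ".dropbox.com" matches
// "dropbox.com" and "client.dropbox.com" but not "notdropbox.com".
// Written without PAC built-ins (dnsDomainIs etc.) so it also runs in Node.
function matchesDomain(host, pattern) {
  var h = host.toLowerCase();
  var p = pattern.toLowerCase();
  if (p.charAt(0) !== ".") {
    return h === p;
  }
  return h === p.slice(1) || (h.length > p.length && h.slice(-p.length) === p);
}

function isDirectDomain(host) {
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (matchesDomain(host, DIRECT_DOMAINS[i])) {
      return true;
    }
  }
  return false;
}

// Entry point every PAC-capable client calls (browsers, iOS "Auto" proxy,
// Windows "Automatically detect settings").
function FindProxyForURL(url, host) {
  // Unqualified names (intranet hosts) never need the proxy.
  if (host.indexOf(".") === -1) {
    return "DIRECT";
  }
  if (isDirectDomain(host)) {
    return "DIRECT";
  }
  // Deliberately no "; DIRECT" fallback: if the proxy is down, clients fail
  // closed instead of silently bypassing the filter.
  return PROXY;
}
```

Two caveats. First, this only affects clients that honour the system proxy or WPAD; in transparent mode Squid still intercepts the connection, so the splice ACL on the Squid side is still required. Second, keep the `FindProxyForURL` return value free of a `DIRECT` fallback unless you explicitly want users to bypass filtering whenever the proxy is unreachable.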
                        emammadov
                        last edited by Feb 28, 2017, 6:36 AM

                         Sorry, I mean the wifi router, which is using DHCP relay to pfSense. Actually, it becomes annoying to import the CA certificate to each PC and mobile device.
                         I added .dropbox.com to ACLs - Whitelist in Squid Proxy, but it didn't work either. It only works with Splice All. For example: I created a group of some https websites and denied them in Squid Proxy, and then tested it; it worked okay, it shows it is forbidden by the administrator. Also Dropbox and some other apps in Windows started working. I think it means SSL filtering works well for http and https websites.
                         But Splice All says "Content filtering (such as Antivirus) will not be available for SSL sites." Then keeping ClamAV Antivirus turned on doesn't make sense?

                        Elvin

                           doktornotor
                          last edited by Feb 28, 2017, 8:23 AM

                          @emammadov:

                          Then keeping ClamAV Antivirus turned on doesn't make sense?

                          "Content filtering (such as Antivirus) will not be available for SSL sites"

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.