MITM stopped working.
-
Hey,
I have Squid running with SSL bump, and have my clients set up to explicitly use it to get access to the outside world. CA certificate has been installed on all devices, everything was working extremely well until last Squid update.
Now I get "cert common name invalid" on all devices when trying to access HTTPS sites. Anyone else have this issue or know why it's happening? Installing the CA certificate has always bypassed browser pinning in the past. What's wrong now?
-
Anyone??
-
Absolutely nothing relevant changed in the last Squid update. Nor in the previous one. Frankly, nothing changed at all wrt MITM since PR269 which was well tested, working and presented in the Squid hangout by jimp.
If some browser update changed the behaviour meanwhile, all I can say is tough cookies, don't use MITM.
https://www.us-cert.gov/ncas/alerts/TA17-075A
-
> Absolutely nothing relevant changed in the last Squid update. Nor in the previous one. Frankly, nothing changed at all wrt MITM since PR269 which was well tested, working and presented in the Squid hangout by jimp.
> If some browser update changed the behaviour meanwhile, all I can say is tough cookies, don't use MITM.
> https://www.us-cert.gov/ncas/alerts/TA17-075A

I've seen it working at a college with no issues; they use Smoothwall. How can I get it working again in explicit mode? It also can't be cookies: I've tried clearing them and tried using the browser in incognito too.
-
So I've tried re-installing Squid countless times, deleting the Squid configuration and then installing everything fresh. Created a new CA certificate, but I'm still having problems…
Here's a screenshot of the issue.
And of course, my browser is set to use that proxy explicitly.
I've been facing this for a long time now. Anyone got any idea how to solve it?
-
> And of course, my browser is set to use that proxy explicitly.

And what on earth does that have to do with SSL Bump in that case?
-
> > And of course, my browser is set to use that proxy explicitly.
>
> And what on earth does that have to do with SSL Bump in that case?

Sorry, maybe I'm confused or not explaining correctly. I'm trying to MITM with Squid; this was working fine before, after having the CA certificates installed on my devices. But now it doesn't work. Before, I used to get similar errors if I didn't explicitly set the proxy on my devices; that's why I thought I'd add it in.
-
Yeah, this was working just fine without any certificates installed when you were running a non-transparent proxy. What you've created (proxy configured on clients with transparent MITM enabled on pfSense) is a broken configuration that's never been supported or intended to work.
-
> Yeah, this was working just fine without any certificates installed when you were running a non-transparent proxy. What you've created (proxy configured on clients with transparent MITM enabled on pfSense) is a broken configuration that's never been supported or intended to work.

No, I've always had the certificates installed on clients. And Squid was able to mimic certificates without any errors as long as the clients were set to use the proxy in the settings. On Squid I have transparent HTTP filtering. Is this what you're referring to? Should I just disable that? What I'm finding weird is that the configuration I had worked fine before, then suddenly broke. Sorry if I'm annoying you with all these confusions and messages. Do let me know if you want me to send you my Squid configuration so you can take a look.
Edit: unchecked transparent HTTP, and tried manually setting the proxy on clients. When I set it I get the same "error: common name invalid". I have the CA certificate on the device and correctly installed. What could be the issue here? I'm starting to really get annoyed with Squid. On my phone, Chrome is saying "Servers certificate does not match the URL"; however, looking at the certificate on my device, I can see that Squid did actually mimic the common name of the real certificate. But why isn't it working still and giving me errors?
I've installed the CA certificate on devices, and made sure it was in the correct store.
I've turned on Squid, and enabled HTTPS interception and selected the CA certificate I'm using.
I've set my clients up to use the proxy, manually in settings on Android, WPAD for Windows machines and iOS. They all have the same issue. What did I do wrong?
-
> I've turned on Squid, and enabled HTTPS interception and selected the CA certificate I'm using.
> I've set my clients up to use the proxy, manually in settings on Android, WPAD for Windows machines and iOS. They all have the same issue.

Which part of "do NOT attempt to do MITM with explicitly set proxy on clients" was unclear?
-
> > I've turned on Squid, and enabled HTTPS interception and selected the CA certificate I'm using.
> > I've set my clients up to use the proxy, manually in settings on Android, WPAD for Windows machines and iOS. They all have the same issue.
>
> Which part of "do NOT attempt to do MITM with explicitly set proxy on clients" was unclear?

How should I go about doing it then? Sorry about this, I'm still learning. Ofc any help you do provide will also help out others in a similar situation.
-
There is no need for MITM nor for installing certificates on clients when you explicitly set the proxy on clients. Squid will use CONNECT for HTTPS on sslports ACL to connect to HTTPS websites. If you want MITM, make the proxy transparent and stop configuring it on clients.
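The reply above is the key point of the thread: with the proxy set explicitly, the browser opens a CONNECT tunnel and the TLS handshake runs end to end between browser and origin server, so the proxy never presents its own certificate and no CA needs to be installed. The following is an added example (not code from the thread, Squid or pfSense) that builds the CONNECT request a client sends and parses the proxy's reply; the sample responses and the `Proxy-Connection` header are constructed for illustration, and `looks_like_tls_record` shows that what follows a `200` is an opaque TLS record the proxy only relays.

```python
"""Added example: the HTTP CONNECT exchange an explicitly configured client
has with a proxy such as Squid. After a 2xx reply the proxy just relays
bytes; the next thing the client sends is its TLS ClientHello, addressed to
the origin server, so the origin's real certificate reaches the browser."""
from typing import Dict


def build_connect_request(host: str, port: int = 443) -> bytes:
    """Request line and headers a client sends to open a tunnel to host:port."""
    authority = f"{host}:{port}"
    return (
        f"CONNECT {authority} HTTP/1.1\r\n"
        f"Host: {authority}\r\n"
        "Proxy-Connection: keep-alive\r\n"  # constructed; common but not required
        "\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes) -> Dict[str, object]:
    """Parse the proxy's status line and headers (terminated by a blank line).

    Returns the status code, reason phrase, a lower-cased header dict and any
    bytes that followed the headers. On a 2xx those trailing bytes are already
    tunnel payload (TLS), not HTTP, and must not be interpreted as such.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: end of headers not seen")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {lines[0]!r}")
    status = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "reason": reason, "headers": headers, "tunnel_data": rest}


def tunnel_established(resp: Dict[str, object]) -> bool:
    """Any 2xx means the proxy has connected to the origin and is relaying."""
    return 200 <= int(resp["status"]) < 300


def looks_like_tls_record(data: bytes) -> bool:
    """True if the bytes start with a TLS record header (type 0x16 = handshake,
    major version 3). This is what the proxy sees after a successful CONNECT:
    an opaque record it cannot read without a certificate of its own."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] in (1, 2, 3, 4)


# Constructed sample replies, as a proxy might send them.
SAMPLE_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
SAMPLE_AUTH = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b'Proxy-Authenticate: Basic realm="proxy"\r\n'
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(build_connect_request("www.example.com").decode())
    ok = parse_connect_response(SAMPLE_OK + b"\x16\x03\x01\x00\x05hello")
    print("tunnel:", tunnel_established(ok), "tls follows:", looks_like_tls_record(ok["tunnel_data"]))
    print("407 handled:", not tunnel_established(parse_connect_response(SAMPLE_AUTH)))
```

A 407 reply shows the other thing an explicit proxy can do without any MITM: authenticate the user before opening the tunnel. Nothing in this exchange gives the proxy visibility into the encrypted payload, which is exactly why caching or inspecting HTTPS content requires interception (and a trusted CA on the client) rather than an explicit proxy.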
-
> There is no need for MITM nor for installing certificates on clients when you explicitly set the proxy on clients. Squid will use CONNECT for HTTPS on sslports ACL to connect to HTTPS websites. If you want MITM, make the proxy transparent and stop configuring it on clients.

I want to be able to see HTTPS traffic for both inspection and caching. I've tried not configuring the proxy on clients and leaving it in transparent mode. That's throwing errors too. Am I the only one having this issue? I'm guessing the DNS alternative name isn't being mimicked by Squid properly, since on mobile Chrome the error it's showing is "DNS alternative name invalid".
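The guess in the last post about the DNS alternative name is worth checking, because the errors quoted in this thread ("common name invalid", "DNS alternative name invalid", "certificate does not match the URL") are all hostname-verification failures, and since Chrome 58 (spring 2017, around the time this thread was written) Chrome ignores the certificate's commonName entirely and matches only subjectAltName dNSName entries. A bumped certificate that copies the CN but carries no SAN, or a SAN list that does not cover the requested name, therefore fails even though the CA is trusted. The following is an added example, not code from the thread, Squid or pfSense: a hostname matcher in the style of RFC 6125 over certificate dicts in the shape `ssl.getpeercert()` returns, plus a helper that reports which SANs of the origin certificate a mimicked certificate is missing. All certificates shown are constructed for the example.

```python
"""Added example: browser-style hostname matching (SAN only, CN ignored)
versus the legacy CN fallback, and a check of whether a proxy-issued
certificate carries the SANs of the origin certificate it imitates.
Certificate dicts follow the structure returned by ssl.getpeercert()."""
from typing import Dict, List, Set, Tuple


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, case-insensitively.
    A single '*' may replace only the leftmost label and never spans dots;
    bare '*' and '*.tld' patterns are rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_dns_names(cert: Dict[str, object]) -> List[str]:
    """All dNSName entries of subjectAltName, in certificate order."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert: Dict[str, object]) -> List[str]:
    """All commonName attributes of the subject (possibly none)."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def match_hostname(cert: Dict[str, object], hostname: str, cn_fallback: bool = False) -> Tuple[bool, str]:
    """Decide whether `cert` is valid for `hostname`.

    cn_fallback=False mirrors current browsers: only SAN dNSName entries count.
    cn_fallback=True mirrors pre-2017 behaviour, which still consulted the
    commonName when the certificate had no dNSName SAN at all.
    """
    names = san_dns_names(cert)
    if names:
        if any(_dns_name_match(n, hostname) for n in names):
            return True, "matched subjectAltName dNSName"
        return False, "subjectAltName present but no dNSName matches the host"
    if cn_fallback and any(_dns_name_match(cn, hostname) for cn in common_names(cert)):
        return True, "matched commonName (legacy fallback)"
    return False, "no subjectAltName dNSName; commonName is ignored"


def missing_sans(origin_cert: Dict[str, object], mimicked_cert: Dict[str, object]) -> Set[str]:
    """dNSName entries present on the origin certificate but absent from the
    certificate a bumping proxy generated for it. A non-empty result explains
    a browser rejecting the bumped certificate for some of the origin's names."""
    return {n.lower() for n in san_dns_names(origin_cert)} - {n.lower() for n in san_dns_names(mimicked_cert)}


# Constructed certificates (same shape as ssl.getpeercert() output).
ORIGIN = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
MIMIC_CN_ONLY = {"subject": ((("commonName", "www.example.com"),),)}
MIMIC_WRONG_SAN = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "*.example.net"),),
}

if __name__ == "__main__":
    for label, cert in [("origin", ORIGIN), ("cn-only mimic", MIMIC_CN_ONLY), ("wrong-san mimic", MIMIC_WRONG_SAN)]:
        print(label, match_hostname(cert, "www.example.com"), "| legacy:", match_hostname(cert, "www.example.com", cn_fallback=True))
    print("missing from cn-only mimic:", missing_sans(ORIGIN, MIMIC_CN_ONLY))
```

Running the matcher against a bumped certificate (exported from the browser's certificate viewer and converted to the same dict shape) tells you in one line whether the failure is a trust problem or a name problem; a certificate that passes with `cn_fallback=True` but fails without it was generated for a pre-2017 client and needs SANs, not a different CA.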