Verifying SSL site certificate verification

Jdwind

Then what should I to do? Disable MITM, enable transparent proxy in squid? I found only in Squid (in SSL Man In the Middle Filtering section) that information: Please see SslBump Peek and Splice wiki documentation for additional details - but there http://wiki.squid-cache.org/Features/SslPeekAndSplice is not information how use it with Pfsense. Can you tell me some more about how do that, please?

Chrismallia

Here is mine

sp.PNG_thumb

doktornotor

@Jdwind:

But SSL MITM is more security

https://www.us-cert.gov/ncas/alerts/TA17-075A

Jdwind

Thank you, doktornotor. I have installed end-point antyvirus on every host too. In my network I must have any security solution (like IPS/IDS - I use Snort package), that why I used MITM and SSL filtering. Chrismallia show his configuration, but if I am not wrong he has MITM and SSL filtering too. Only different is with SSL/MITM mode - I have default, he Splice All. That's all?

Chrismallia

with splice all you do not need to install certs on devices, it is mostly good for only filtering no AV, so it does not break the ssl connection or inspect content, it uses the SNI, anyone correct me if I am mistaken in any way

doktornotor

@Jdwind:

Thank you, doktornotor. I have installed end-point antyvirus on every host too.

Oh noes. That was NOT the point. The point was that MITM is evil.

Jdwind

I tried this settings (from Chrismallia) on virtual network, Pfsense and two hosts and what can I say… it works. Antivirus dont works with SSL, but I have it installed on every host. Thank you all for help and explanation very, very much. But one thing more that I can't understand (after Doktornotor post) - it is still MITM enabled - does it matter?
Best regards

johnpoz

no with splice your not your doing a peek and then splicing it back.. The client is getting the actual cert from the server.. Your just peaking inside to see where they are going, etc. And if it should be filtered.

"splice: Become a TCP tunnel without decoding the connection. The client and the server exchange data as if there is no proxy in between."

Jdwind

Thank you very much again, so now I have everything ok. With Squidguard ssl filtering just works.

Harvy66

There are many attack vectors to infect machines when MITM is used. SSL provides two things, privacy and security. The security is provided by the signing. When you MITM, you break the signing, which means you break the security.

kpa

With MITM you're breaking the chain of trust normally provided the trusted third party signatures found on the certificates. Your users will no longer be able to verify that they are connecting to the real deal when they connect to a HTTPS site, instead they can at maximum be sure only that they are connecting to your MITM proxy.

Jdwind

It is too much for my mind… Yes, now I know you are both right. But now, when I'm using peek and splice all mode with MITM and I can see every certificate verificated by.. i.e. Verisign, Symante, Oracle.. now my network settings are right - am I right or am I wrong?
EDIT:
I found that thread https://forum.pfsense.org/index.php?topic=123461.0, there is more explanation about my doubts. Thank you once more.