Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Verifying SSL site certificate verification

    Scheduled Pinned Locked Moved General pfSense Questions
    21 Posts 7 Posters 3.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C Offline
      Chrismallia
      last edited by

      Here is mine

      sp.PNG
      sp.PNG_thumb

      1 Reply Last reply Reply Quote 0
      • D Offline
        doktornotor Banned
        last edited by

        @Jdwind:

        But SSL MITM is more security

        https://www.us-cert.gov/ncas/alerts/TA17-075A

        1 Reply Last reply Reply Quote 0
        • J Offline
          Jdwind
          last edited by

          Thank you, doktornotor. I have installed end-point antyvirus on every host too. In my network I must have any security solution (like IPS/IDS - I use Snort package), that why I used MITM and SSL filtering. Chrismallia show his configuration, but if I am not wrong he has MITM and SSL filtering too. Only different is with SSL/MITM mode - I have default, he Splice All. That's all?

          1 Reply Last reply Reply Quote 0
          • C Offline
            Chrismallia
            last edited by

            with splice all you do not need to install certs on devices, it is mostly good for only filtering  no AV, so it does not break the  ssl connection  or inspect content, it uses the SNI, anyone correct me if I am mistaken in any way

            1 Reply Last reply Reply Quote 0
            • D Offline
              doktornotor Banned
              last edited by

              @Jdwind:

              Thank you, doktornotor. I have installed end-point antyvirus on every host too.

              Oh noes. That was NOT the point. The point was that MITM is evil.

              1 Reply Last reply Reply Quote 0
              • J Offline
                Jdwind
                last edited by

                I tried this settings (from Chrismallia) on virtual network, Pfsense and two hosts and  what can I say… it works. Antivirus dont works with SSL, but I have it installed on every host. Thank you all for help and explanation very, very much. But one thing more that I can't understand (after Doktornotor post) - it is still MITM enabled - does it matter?
                Best regards

                1 Reply Last reply Reply Quote 0
                • johnpozJ Online
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  no with splice your not your doing a peek and then splicing it back.. The client is getting the actual cert from the server.. Your just peaking inside to see where they are going, etc.  And if it should be filtered.

                  "splice: Become a TCP tunnel without decoding the connection. The client and the server exchange data as if there is no proxy in between."

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • J Offline
                    Jdwind
                    last edited by

                    Thank you very much again, so now I have everything ok. With Squidguard ssl filtering just works.

                    1 Reply Last reply Reply Quote 0
                    • H Offline
                      Harvy66
                      last edited by

                      There are many attack vectors to infect machines when MITM is used. SSL provides two things, privacy and security. The security is provided by the signing. When you MITM, you break the signing, which means you break the security.

                      1 Reply Last reply Reply Quote 0
                      • K Offline
                        kpa
                        last edited by

                        With MITM you're breaking the chain of trust normally provided the trusted third party signatures found on the certificates. Your users will no longer be able to verify that they are connecting to the real deal when they connect to a HTTPS site, instead they can at maximum be sure only that they are connecting to your MITM proxy.

                        1 Reply Last reply Reply Quote 0
                        • J Offline
                          Jdwind
                          last edited by

                          It is too much  for my mind… Yes, now I know you are both right. But now, when I'm using peek and splice all mode with MITM and I can see every certificate verificated by.. i.e. Verisign, Symante, Oracle.. now my network settings are right - am I right or am I wrong?
                          EDIT:
                          I found that thread https://forum.pfsense.org/index.php?topic=123461.0, there is more explanation about my doubts. Thank you once more.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.