Netgate Discussion Forum
Squid MITM Proxy certificate error

Cache/Proxy
    8bitz
    last edited by May 1, 2017, 7:23 PM

    I am trying to configure pfSense 2.3.2 with Squid.

    I have Squid configured in transparent mode with a local CA, have exported the certificate, installed it on my endpoints and made sure it is trusted. I have made sure not to configure the proxy on the clients.

    HTTP proxy is working as expected, but HTTPS is not. Every time I go to an HTTPS site, the browser throws an error about a hostname mismatch on the certificate.

    I have been looking into this all morning, and cannot find a way around the issue. Some of the posts that I have seen actually refer to this being built in behavior with the browser to prevent MITM attacks.

    Am I just missing something with the configuration, or is this a known issue with Chrome/Safari?

    If anyone could provide some information on what I might be missing, I would appreciate it.

    Thanks

      pfsensation
      last edited by May 1, 2017, 8:07 PM May 1, 2017, 7:58 PM

      I've been literally scratching my head for a while now at this issue. I've been searching all over and I think I just found something useful on Stack Overflow which talks about having to supply an extra alternative name parameter to the certificates. http://stackoverflow.com/questions/43665243/chrome-invalid-self-signed-ssl-cert-subject-alternative-name-missing

      I think pfSense/Squid may need an update to support this automatically via the GUI, because Chrome really isn't accepting my self-signed certificates. It's really annoying because I can't get my Squid working with HTTPS interception anymore… :(

      I know it can be achieved because at my college they use smoothwall and theirs is working fine.

        8bitz
        last edited by May 1, 2017, 8:07 PM

        If you look at the cert, the common name is the IP and not the actual domain name.

        I selected the option to force an IP lookup, but this didn't change anything.

        I'll post back if I find anything else.

        Thanks

          pfsensation
          last edited by May 1, 2017, 8:16 PM May 1, 2017, 8:11 PM

          @8bitz:

          If you look at the cert, the common name is the IP and not the actual domain name.

          I selected the option to force an IP lookup, but this didn't change anything.

          I'll post back if I find anything else.

          Thanks

          Seems it could be an issue with Squid not correctly forging the certificates. I've already kinda reported this issue to the Squid maintainer (Doktornotor) but got no decent reply. I think I even had a hard time understanding or explaining this issue lol, even with screenshots. I'm glad I'm not alone now, because I literally tried reinstalling pfSense, running the x86 version on VMware, and all sorts… The problem, of course, now I know, is to do with browsers upping the security.

          PS : Maybe you should get this thread moved to Cache/Proxy section. Doktornotor checks that section more it seems.

            8bitz
            last edited by May 2, 2017, 12:25 AM

            Reposted in cache/proxy

            https://forum.pfsense.org/index.php?topic=129823.msg715323#msg715323

              8bitz
              last edited by May 5, 2017, 7:22 PM

              quick update:

              Was under the impression that the upgrade to 2.3.4 was supposed to fix this issue, but it still isn't working.

              I have recreated the CA, redeployed the certificate, and still get the error.

              Does anyone have any additional thoughts?

              ![Screen Shot 2017-05-05 at 3.19.48 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-05 at 3.19.48 PM.png)

                pfsensation
                last edited by May 5, 2017, 8:25 PM

                @8bitz:

                quick update:

                Was under the impression that the upgrade to 2.3.4 was supposed to fix this issue, but it still isn't working.

                I have recreated the CA, redeployed the certificate, and still get the error.

                Does anyone have any additional thoughts?

                It's an issue with Chrome using a non-standard policy. I am in the same boat; however, I am about to ditch Squid's HTTPS interception for E2Guardian. E2Guardian's source has been updated to fix this issue: https://github.com/e2guardian/e2guardian/issues/216

                Just waiting on Marcelloc to update his E2Guardian package to the latest version, which he's already working on, and then I'll use E2G to create the forged SSL certificates and hopefully breathe a sigh of relief when Chrome works again. At some point this issue should be fixed for Squid too, but then again, since SquidGuard is rubbish and full of bugs, it's less of a bother.

                  doktornotor
                  last edited by May 6, 2017, 11:35 AM May 6, 2017, 11:21 AM

                  @pfsensation:

                  I think PfSense/Squid may need an update to support this automatically via the GUI, because chrome really isn't accepting my self signed certificates. It's really annoying because I can't get my Squid working with HTTPS interception anymore… :(

                  This is impossible to fix in pfSense. Squid's ssl_crtd needs to be fixed to generate certificates with SAN.

                  http://bugs.squid-cache.org/show_bug.cgi?id=4711

                  For tracking only: https://redmine.pfsense.org/issues/7524

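As an added example (not code from this thread, from Squid, or from pfSense), the Python below reproduces the hostname check that Chrome 58 and later apply to a bumped leaf certificate: only subjectAltName entries count, and a certificate with no SAN at all fails even when its commonName is the right name. Three certificates are constructed inline in the layout `ssl.getpeercert()` returns, covering the case 8bitz reports (CN = destination IP, no SAN), the CN-correct-but-SAN-less case that Chrome 58 broke, and what a fixed ssl_crtd should emit. The hostnames, the 203.0.113.10 address and the `fetch_peer_cert` helper are assumptions for illustration.

```python
"""Hostname validation for a bumped (forged) TLS leaf, with and without the
commonName fallback that Chrome 58 dropped.  Added example; not Squid code."""
import ipaddress
import socket
import ssl


def _san_entries(cert):
    """Split a cert (ssl.getpeercert() layout) into SAN DNS names and SAN IPs."""
    dns_names, ip_addrs = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value)
        elif kind == "IP Address":
            ip_addrs.append(ipaddress.ip_address(value))
    return dns_names, ip_addrs


def _common_name(cert):
    """Return the subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _dns_match(pattern, hostname):
    """RFC 6125 style match: exact, or a single leading '*' label that covers
    exactly one label and never the whole name (so '*.com' matches nothing)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return (len(p_labels) >= 3 and len(p_labels) == len(h_labels)
                and p_labels[1:] == h_labels[1:])
    return False


def hostname_matches(cert, hostname, allow_cn_fallback=False):
    """True if a browser would accept `cert` for `hostname`.

    allow_cn_fallback=False is the Chrome 58+ rule: only subjectAltName counts.
    allow_cn_fallback=True is the older rule: when the cert carries no SAN at
    all, the subject commonName is compared instead (simplified here to the
    same DNS/IP comparison).
    """
    dns_names, ip_addrs = _san_entries(cert)
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        if wanted_ip in ip_addrs:
            return True
    elif any(_dns_match(p, hostname) for p in dns_names):
        return True

    if allow_cn_fallback and not dns_names and not ip_addrs:
        cn = _common_name(cert)
        if cn is None:
            return False
        if wanted_ip is not None:
            try:
                return ipaddress.ip_address(cn) == wanted_ip
            except ValueError:
                return False
        return _dns_match(cn, hostname)
    return False


def classify(cert, hostname):
    """Practitioner's check on a bumped leaf: 'ok', 'no-san' (the ssl_crtd
    symptom in this thread; Chrome 58+ rejects it whatever the CN says) or
    'san-mismatch' (SAN present but it does not cover the hostname)."""
    if hostname_matches(cert, hostname):
        return "ok"
    dns_names, ip_addrs = _san_entries(cert)
    return "no-san" if not dns_names and not ip_addrs else "san-mismatch"


def fetch_peer_cert(hostname, cafile, port=443):
    """Fetch the leaf the proxy presents for `hostname`, chain-verified against
    the exported proxy CA but with hostname checking off, so a SAN-less forged
    leaf is returned instead of raising.  Needs network; not exercised here."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates (assumed values, not captured from a real
# proxy), in the layout ssl.getpeercert() returns.
HOST = "www.example.com"
# The case in this thread: ssl_crtd forged a leaf with CN = destination IP, no SAN.
FORGED_CN_IP_NO_SAN = {"subject": ((("commonName", "203.0.113.10"),),)}
# CN is right but SAN is missing: accepted before Chrome 58, rejected from 58 on.
FORGED_CN_HOST_NO_SAN = {"subject": ((("commonName", HOST),),)}
# What a fixed ssl_crtd should emit: SAN mirrored from the origin certificate.
FORGED_WITH_SAN = {
    "subject": ((("commonName", HOST),),),
    "subjectAltName": (("DNS", HOST), ("DNS", "*.example.org"),
                       ("IP Address", "203.0.113.10")),
}
```

To run `classify` against what your Squid really presents, feed it `fetch_peer_cert("www.example.com", "/path/to/exported-proxy-ca.pem")` from a client behind the proxy; equivalently, `openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null | openssl x509 -noout -text` and look for a "Subject Alternative Name" line. If it is absent, the leaf is SAN-less and no amount of CA re-creation or certificate re-deployment on the clients will satisfy Chrome 58+.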
                    Kowolski
                    last edited by May 6, 2017, 2:43 PM

                    Sophos had this error with chrome too, they were able to patch it. https://community.sophos.com/products/unified-threat-management/f/general-discussion/91085/https-scanning-web-protection-ssl-error-err_cert_common_name_invalid

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.