E2Guardian: Failed to negotiate ssl connection to client

ravegen

@susamlicubuk:

Create a new alias in the firewall + alias section
into
Add your bypass domains like d.dropbox.com, client.dropbox.com
then this alias is the name
Bypass Proxy for These Destination IPs
Write to section
this is how I work using dropbox

can I use *.dropbox.com instead of specifying the subdomain ?

susamlicubuk

@ravegen:

@susamlicubuk:

Create a new alias in the firewall + alias section
into
Add your bypass domains like d.dropbox.com, client.dropbox.com
then this alias is the name
Bypass Proxy for These Destination IPs
Write to section
this is how I work using dropbox

can I use *.dropbox.com instead of specifying the subdomain ?

no but
It would be better if there was another partition to do the ssl bypass and if the domains could be written
because it is a bit unstable when you add the alias section
marcello maybe can.

ravegen

What is the relationship of adding Pass Rule in the firewall for that sites while I am using E2Guardian for filtering ?

susamlicubuk

You are bypassing e2Guardian because ssl is a filtering problem
e2Guardian with firewall rule is very different things
e2Guardian squidGuard alternative content filter software
and much faster

ravegen

ok.  so d.dropbox.com, client.dropbox.com is already known as you gave it to me.  but what about other sites that our 3rd party application use.  How will I know them ?

susamlicubuk

I see and bypass the access log
Why do you want the ssl filter so much
I do not install SSL certificates in some institutions
It can make very stable filter while loading (http and https)
only in the https sites are banned warning does not come

marcelloc

e2guardian can only intercept https sites but some applications like dropbox and skype user same port 443 but with another protocol(most proprietary).

That's why you can't intercept it. You can try to include skype.com and dropbox.com on e2guardian exception list to do not intercept these connections or add on firewall alias like susamlicubuk posted.

pfsensation

@marcelloc:

e2guardian can only intercept https sites but some applications like dropbox and skype user same port 443 but with another protocol(most proprietary).

That's why you can't intercept it. You can try to include skype.com and dropbox.com on e2guardian exception list to do not intercept these connections or add on firewall alias like susamlicubuk posted.

Its SSL pinning, the developers of these programs bake the CA cert into the program so that fake certs like the ones from E2 Guardian cannot be used to intercept traffic.

ravegen

so to block dropbox, skype, yahoo messenger is to mitm ssl disrupting connection and to allow them under mitm ssl connection is to place them on exemption, right?

pfsensation

@ravegen:

so to block dropbox, skype, yahoo messenger is to mitm ssl disrupting connection and to allow them under mitm ssl connection is to place them on exemption, right?

Pretty much, yes. Although if you completely want to block them, use banned list and don't rely on the SSL pinning to block it as the developers of the platform can change things.