Enabled SSL filtering in squid transparent proxy, but some sites use the actual CA cert!
-
I installed squid proxy in pfsense, set it as a transparent proxy, and enabled SSL filtering by specifying a newly created certificate.
This certificate was exported and imported into the trusted root certificates section in a Windows 10 PC which is connected to the LAN of pfsense.
Then I tried to browse a website which uses https, and as expected, it loaded via the transparent proxy and the site's address bar showed that it is indeed using my custom CA certificate to establish a secure connection with the transparent proxy.
So far so good. However, some websites (e.g. google.com, gmail.com, etc.) load with their own original CA issued by their respective certifying authorities.
SSL/MITM mode is set to "Splice whitelist, bump otherwise", but I haven't added anything into the whitelist.
My understanding was that any https request from the Windows client would use the custom CA certificate, but how can google.com load using the actual CA cert? (Client asks - "give me google.com", then the transparent proxy says - "ok here's my certificate [which is indeed the custom CA], use that to create a secured connection with me". Then the client enters a symmetric encryption session with the proxy)
Can anyone throw some light onto this behavior? I could load google.com and gmail.com using my custom CA yesterday, but when I tried using the same setup today, it loads these sites using the legitimate CA itself. Most other sites still load with my custom CA.
-
UPDATE1: I created a new Windows 10 VM (VM2) as the client, and imported the custom CA certificate into:
- trusted certificates store
- intermediate certificates store
And browsed google.com, and now it is showing up with my custom CA!
Actually all sites show up with the custom CA. Wondering what is making google.com, gmail.com etc. show up with their original certificates in the other Windows 10 client VM! (VM1)
UPDATE2: Installed the custom CA certificate into VM1 and now google.com loads up with custom CA.
When the VM is under the transparent proxy, which intercepts all https traffic, how could google.com load with its own certificate? It has to either load with the custom CA certificate, or the browser should show an error saying "Your connection is not secure", right?
-
@monterry Are you using Chrome? If so they are connecting via QUIC most likely, i.e. UDP 443 vs TCP 443.
-
@Napsterbater yes indeed, I'm using Chrome! Thank you for the reply, I was beginning to doubt that Chrome is probably using some other protocol to establish connections.
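The QUIC explanation in the comment above, turned into a check on the first client packet of each flow. This is an added example, not code from the question, squid or pfSense; it assumes the pfSense diversion rule redirects only TCP 80 and 443 to squid, and the sample flows are constructed.

```python
# Added example, not code from the question, squid or pfSense: classifies the
# first client packet of each flow to show why a transparent squid proxy that
# only diverts TCP/443 never sees Chrome's QUIC traffic on UDP/443.
from dataclasses import dataclass
from typing import Dict, List

# Ports the pfSense diversion rule redirects to squid (assumption: HTTP and HTTPS both intercepted).
PROXY_DIVERTED = {("tcp", 80), ("tcp", 443)}

@dataclass
class Flow:
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes  # leading bytes of the first client packet

def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record: type 0x16 (handshake), major version 0x03, and the
    handshake type byte at offset 5 is 0x01 (ClientHello)."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)

def is_quic_v1_initial(payload: bytes) -> bool:
    """RFC 9000 long header: high bit set, type bits (0x30) zero for
    Initial, followed by a 4-byte version; QUIC v1 is 0x00000001."""
    if len(payload) < 5 or payload[0] & 0x80 == 0:
        return False
    version = int.from_bytes(payload[1:5], "big")
    return (payload[0] & 0x30) == 0 and version == 0x00000001

def classify(flow: Flow) -> str:
    if (flow.proto, flow.dport) in PROXY_DIVERTED:
        # squid sees it: TLS is bumped (custom CA) or spliced per the whitelist
        return "intercepted-tls" if is_tls_client_hello(flow.payload) else "intercepted"
    if flow.proto == "udp" and flow.dport == 443 and is_quic_v1_initial(flow.payload):
        return "bypassed-quic"  # goes straight to the origin, so the real CA is shown
    return "not-proxied"

def summarize(flows: List[Flow]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in flows:
        counts[classify(f)] = counts.get(classify(f), 0) + 1
    return counts

# Constructed sample flows: a TLS ClientHello on TCP/443, a QUIC v1 Initial
# on UDP/443 (DCID borrowed from the RFC 9001 example), and NTP on UDP/123.
SAMPLE = [
    Flow("tcp", 443, bytes.fromhex("160301 0200 01 0001fc 0303")),
    Flow("udp", 443, bytes.fromhex("c3 00000001 08 8394c8f03e515708 00")),
    Flow("udp", 123, bytes.fromhex("e3 00 03 fa")),
]
```

Flows classified as "bypassed-quic" are the ones that show the origin's real certificate; blocking outbound UDP/443 on the pfSense LAN rules makes Chrome fall back to TCP, where squid sees the connection.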