Netgate Discussion Forum
    Original SSL Certificate Requirement on Non-Transparent Mode

    Firewalling
      EROL52 wrote:

      Hello,

      I would like to access HTTPS traffic and logs on my pfSense firewall that is being used for my company. In order to watch the traffic and logs, the original SSL certificate is required; otherwise, when non-transparent mode is selected with a fake, artificial certificate, HTTPS web sites can't be accessed.

      Do you have any advice concerning this issue? Or can you suggest anywhere that I am able to purchase an SSL certificate for the firewall, not for a domain or an IP?

      Every single reply is highly appreciated.

        Harvy66 wrote:

        No one will sell you certs signed for domains that you do not own. That's illegal. Even the USA government has a hard time getting this done.

        What you can do is install your cert on all of the client machines and tell the client machines to trust your cert. This does open all of your clients to all sorts of attacks, but it's the only way to do it. HTTPS serves two purposes: 1) encryption, 2) authentication. You're breaking #2. What you're trying to do is lie to the clients, claiming to be someone that you're not. "Hey, I'm google.com!" If you install your certs and sign every site with your cert, no one will be able to know who is the real google.com.

        Some critical systems use HTTPS for auth, like Windows Update. There have been attacks that took advantage of HTTPS transparent proxies and tricked Windows into installing malware via Windows Update. Be prepared for the can of worms you're opening.

          johnpoz (LAYER 8 Global Moderator) wrote:

          If you really need to do MITM on your users, then use your own CA, create your own wildcard certs or generate them on the fly for each FQDN requested, etc. Have your users trust your CA.

          But as Harvy66 mentions, this is a can of worms that really should not be opened. If you have problems with users using proxies via SSL to bypass your content filtering, then block those proxies. Or block all SSL and whitelist the SSL sites that are needed. It is an uphill battle for sure... But doing MITM on your users is a slippery slope that really shouldn't be gone down, if you ask me, on many different levels.

          If you cannot trust your users to use the internet appropriately, maybe they shouldn't freaking have internet. This is a better option than watching their traffic that is supposed to be secure.

          Why don't you ask your users if they are OK with you being able to monitor all their logins and traffic to their bank accounts, medical sites, every site that they log in to with an account, where you will be able to see usernames and passwords and data that is supposed to be secure between the server and their browser. See if they are OK with that.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11
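To make Harvy66's point about authentication and johnpoz's "have your users trust your CA" concrete, here is an added shell demo that is not from the thread and touches no pfSense configuration: a private CA issues a certificate for a hostname, and OpenSSL verifies it once with that CA trusted and once with only the default root store. The CA name and the hostname www.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA issues a certificate for
# a hostname, as an interception proxy would. Verification succeeds only for a
# client that has been told to trust that CA; everyone else rejects it.
# All names (www.example.test, the CA name) are constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: create the private CA (self-signed root); key left unencrypted for the demo.
make_private_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Private Proxy CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Step 2: issue a leaf certificate for a hostname the CA does not own.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# A client that trusts the private CA: the chain builds and verification passes.
verify_trusting_private_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# A client with only the public roots: no path to a trusted anchor, so it fails.
# This is why the original poster's "fake artificial certificate" breaks HTTPS.
verify_with_public_roots_only() {
    openssl verify "$WORK/leaf.pem" >/dev/null 2>&1
}

# The tell a user can check in any browser: the issuer is not a public CA.
leaf_issuer() {
    openssl x509 -in "$WORK/leaf.pem" -noout -issuer
}

make_private_ca
issue_leaf www.example.test
echo "Issuer seen by clients: $(leaf_issuer)"
if verify_trusting_private_ca; then echo "CA trusted:   accepted"; fi
if verify_with_public_roots_only; then echo "CA untrusted: accepted (unexpected)"; else echo "CA untrusted: rejected"; fi
```

Browsers behave the same way as the second check, which is why the hostname in the leaf is irrelevant until the client has been made to trust the issuing CA.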

            Harvy66 wrote:

            I just noticed the title says "non-transparent mode". I guess I misread that because so many want to use transparent mode. I am not familiar with this mode.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.