Captive portal + https + certificates



  • Hello,

    I just created a certificate on my pfSense; the reason for this was that I saw that when I go to YouTube or any other https site I cannot connect. But after I created my certificate I get this error in my web browser. What should I do?

    ERROR MESSAGE:

    **Your connection is not secure

    The owner of support.mozilla.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

    This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

    Learn more…

    support.mozilla.org uses an invalid security certificate.

    The certificate is not trusted because it is self-signed.
    The certificate is only valid for internal-ca

    Error code: SEC_ERROR_UNKNOWN_ISSUER**



  • When YOU create a certificate on your pfSense, YOU could trust this certificate.
    But, by default, your browser doesn't.
    So, tell your browser it's ok, by accepting it once.

    What happens is that you go to https://support.mozilla.org via your portal.
    Your portal intercepts the https "call", and gives your browser another page - your https login page with YOUR certificate.
    Your certificate tells a lot to the browser, but one thing will NOT please your browser: your certificate isn't for "support.mozilla.org", but for "internal-ca".



  • @Gertjan:

    When YOU create a certificate on your pfSense, YOU could trust this certificate.
    But, by default, your browser doesn't.
    So, tell your browser it's ok, by accepting it once.

    What happens is that you go to https://support.mozilla.org via your portal.
    Your portal intercepts the https "call", and gives your browser another page - your https login page with YOUR certificate.
    Your certificate tells a lot to the browser, but one thing will NOT please your browser: your certificate isn't for "support.mozilla.org", but for "internal-ca".

    The problem is I do not get any accept message in my browser. Also, is this the only way by which https sites can be accessed by pfSense?


  • LAYER 8 Netgate

    That is because browser manufacturers are protecting users from themselves by making it harder to just click through certificate errors.

    Just turn off https interception. Let those connections hang.

    Two choices:

    1. Let connections to https sites hang and make your users have to connect to an http site to get the portal page.

    2. Intercept https connections, display your portal page, and deal with all the ramifications of being an https man-in-the-middle with certificate errors, browser protections, installing your certificate as trusted for your user's bank because they clicked the wrong thing, HSTS, pinned certificates, etc.

    Every browser manufacturer is doing everything they can to make what you are trying to do harder. Just don't.



  • @Derelict:

    That is because browser manufacturers are protecting users from themselves by making it harder to just click through certificate errors.

    Just turn off https interception. Let those connections hang.

    Two choices:

    1. Let connections to https sites hang and make your users have to connect to an http site to get the portal page.

    2. Intercept https connections, display your portal page, and deal with all the ramifications of being an https man-in-the-middle with certificate errors, browser protections, installing your certificate as trusted for your user's bank because they clicked the wrong thing, HSTS, pinned certificates, etc.

    Every browser manufacturer is doing everything they can to make what you are trying to do harder. Just don't.

    Hello thanks for your reply,

    1) Thanks for this tip. I configured http://www.google.com as the first website for them to go to right after authentication.

    2) Any idea on how to configure the pfSense captive portal so that it can connect to https websites? I am a bit stuck…


  • @CallFromUSA:

    1) Thanks for this tip. I configured http://www.google.com as the first website for them to go to right after authentication.

    Ok.
    So you made it very clear: you didn't understand the issue yet.
    When the Captive Portal becomes 'transparent' (because the user authenticated) there is no more https (SSL) issue.
    The right redirect action would be: redirect them to https://www.google.fr !!

    BEFORE authentication, when the "https" captive portal is used (with YOUR certificate, signed by a recognized authority or by yourself) the browser will find
    YOUR certificate
    or
    The user wants to visit https://his-bank.com (and thus expects to receive a certificate stating that the site is actually "https://his-bank.com"),
    which won't happen, because with the portal you are acting as "a man in the middle" (wikipedia this concept and you're done),
    and the browser will signal this, whatever you do.

    @CallFromUSA:

    2) Any idea on how to configure the pfSense captive portal so that it can connect to https websites? I am a bit stuck…

    Because you are fighting the SSL end-to-end concept.
    Don't.
    You can't.
    Read again what Derelict stated just above. As soon as you understand it, you're done.
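
    Derelict's choice 2 and Gertjan's explanation above describe the same browser-side check: the portal's certificate is for "internal-ca", the browser asked for support.mozilla.org, and HSTS removes the override button. The following model of that check is an added illustration, not code from pfSense or from anyone in the thread; the certificate fields, the trust store and the HSTS list are constructed sample data, and the wildcard rules follow RFC 6125.

```python
"""Model of the browser-side check behind the thread's SEC_ERROR_UNKNOWN_ISSUER
error with no 'add exception' button. Added illustration, not pfSense or forum
code; the certificate, trust store and HSTS list are constructed sample data."""
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject_cn: str
    issuer: str                                   # self-signed when == subject_cn
    san_dns: list = field(default_factory=list)   # dNSName entries in the SAN


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: case-insensitive; '*' only as the whole left-most
    label, never spanning a dot, and never for a bare TLD like '*.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[2:]
    first, _, rest = host.partition(".")
    return bool(first) and rest == suffix and "." in suffix


def cert_covers_host(cert: Cert, host: str) -> bool:
    """Browsers match the SAN list; the subject CN is only a legacy fallback."""
    return any(name_matches(n, host) for n in (cert.san_dns or [cert.subject_cn]))


def browser_verdict(cert: Cert, host: str, trusted_roots: frozenset,
                    hsts_hosts: frozenset) -> dict:
    """Collect the TLS errors a browser raises for `cert` on `host` and decide
    whether the user may click through. HSTS makes any error a hard stop."""
    errors = []
    if cert.issuer not in trusted_roots:
        errors.append("SEC_ERROR_UNKNOWN_ISSUER")
    if not cert_covers_host(cert, host):
        errors.append("SSL_ERROR_BAD_CERT_DOMAIN")
    if not errors:
        status = "ok"
    elif host in hsts_hosts:
        status = "blocked"      # the Firefox message in the thread: no exception
    else:
        status = "overridable"  # the 'accept it once' path Gertjan describes
    return {"status": status, "errors": errors}


# Constructed data: portal self-signed cert, one-CA trust store, HSTS host from the thread.
PORTAL_CERT = Cert(subject_cn="internal-ca", issuer="internal-ca")
TRUSTED_ROOTS = frozenset({"Constructed Public CA"})
HSTS_HOSTS = frozenset({"support.mozilla.org"})
```

    Running `browser_verdict(PORTAL_CERT, "support.mozilla.org", TRUSTED_ROOTS, HSTS_HOSTS)` gives status "blocked" with both errors, while the same certificate presented for a non-HSTS host is merely "overridable", which is why choice 1 (an http site that redirects to the portal) avoids the problem entirely.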


  • LAYER 8 Netgate

    Two choices:

    1. Let connections to https sites hang and make your users have to connect to an http site to get the portal page.

    2. Intercept https connections, display your portal page, and deal with all the ramifications of being an https man-in-the-middle with certificate errors, browser protections, installing your certificate as trusted for your user's bank because they clicked the wrong thing, HSTS, pinned certificates, etc.

    Third choice:

    3. Disable captive portal. Let the users connect and go.


  • @Derelict:

    Two choices:

    1. Let connections to https sites hang and make your users have to connect to an http site to get the portal page.

    2. Intercept https connections, display your portal page, and deal with all the ramifications of being an https man-in-the-middle with certificate errors, browser protections, installing your certificate as trusted for your user's bank because they clicked the wrong thing, HSTS, pinned certificates, etc.

    Third choice:

    3. Disable captive portal. Let the users connect and go.

    Thanks, I took option 1. I added https://google.fr and it works.

