Squid ssl filter CA issues certificates for ip, not domain

1001

I have been having a problem with my Squid SSL transparent filtering where I have installed the CA on my computers, it recognizes the CA, but when I go to a webpage, it says that the certificate is invalid. I looked into it, and figured out that it was because Squid is using the CA to issue certificates for the ip addresses of the websites, not the domain name. Does anybody know how to fix this?

jzzmatt

I have the same problem too, my self sign cert is not recognize , i don´t use transparent proxy
for site blocked on my squidGuard, which are https, i receive an erro like " your connection are not private"!!

gersonofstone

My recomendation is create new certificatte for squid

1001

I tried creating a new CA, but it didn't work.

gersonofstone

What is the issue or error?

Add a printscreen

1001

The issue is described in my original post.

gersonofstone

I need the printsreen

;)

1001

Here is the screen shot

![Screen Shot 2016-07-24 at 2.31.37 PM.png](/public/imported_attachments/1/Screen Shot 2016-07-24 at 2.31.37 PM.png)
![Screen Shot 2016-07-24 at 2.31.37 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2016-07-24 at 2.31.37 PM.png_thumb)

gersonofstone

check this, please

SquidVeneno is my CA for squid proxy

squid.png_thumb

1001

I changed my settings, and it now works. Thanks!

gersonofstone

cool :)

gersonofstone

@:

check this, please

SquidVeneno is my CA for squid proxy

messerchmidt

I use a free startssl certificate for mine

see -> http://www.itnotes.eu/?p=3218

reza3sw

Hello friends
I've enabled Transparent Proxy and SSL Man In the Middle Filtering on pfsense.
My pfsesne version is 2.3.4-RELEASE-p1 (amd64).
I've implemented the following rules for HTTPS SSL.
SSL / MITM Mode: Splice Whitelist , Bump Otherwise
SSL Intercept (s): LAN
SSL Proxy Compatibility Mode: Modern
DHParams Key Size: 2048
CA: Self-Signed

I use SSL Filtering in Squid and I created a certificate in pfsense and I can login to Https through Domain Name.

Tip: I have installed my certificate on the system.

For example, the site (https://www.roblox.com) looks like the following

First Photo

But when I log in through the IP of the same site, I get an error certificate like the one below

Second Photo

In Android apps on the mobile phone, all connections are through the IP, and if I connect to the Internet via WIFI, that the Pfsense firewall is on the route, none of the programs will connect (such as a telegram)

Friends and Teachers Please advise how to resolve this issue.

doktornotor

@messerchmidt:

I use a free startssl certificate for mine

You cannot use any such thing, WTF. You need your own CA that's able to issue certificates on the fly for Squid.

@reza3sw:

In Android apps on the mobile phone, all connections are through the IP, and if I connect to the Internet via WIFI, that the Pfsense firewall is on the route, none of the programs will connect (such as a telegram)

0/ Stop SCREAMING!
1/ Cannot see anything "like below". Post the error instead of huge letters.

reza3sw

@doktornotor:

@messerchmidt:

I use a free startssl certificate for mine

You cannot use any such thing, WTF. You need your own CA that's able to issue certificates on the fly for Squid.

@reza3sw:

In Android apps on the mobile phone, all connections are through the IP, and if I connect to the Internet via WIFI, that the Pfsense firewall is on the route, none of the programs will connect (such as a telegram)

0/ Stop SCREAMING!
1/ Cannot see anything "like below". Post the error instead of huge letters.

I put two photos first, through the domain name of a site, I entered the site and the second image through the IP I entered that site. I entered the site successfully in the first photo, but in the second photo there is a certificate error.
Also, in Android applications, such as the telegram, it uses the IP to connect to the server, and it does not provide a connection error.

doktornotor

@reza3sw:

I put two photos first

No idea where did you put two photos.

reza3sw

@doktornotor:

@reza3sw:

I put two photos first

No idea where did you put two photos.

I am sorry I did not understand
Probably a problem with my upload center, which is not a photo.

I'm uploading again

First Photo

Second Photo

reza3sw

I am able to log in to HTTPS sites if I enter the domain name successfully with the internal certificate, but if I get the IP address of that site, I get an error certificate?
Why this error occurs?

This problem is problematic on Android phones to enter programs such as telegrams that use HTTPS and IP, and the program does not work?
Is there a way to set up an IP certificate?
Because it seems that the internal certificate we create works properly with the domain name of the sites.
Thank you friends

doktornotor

This is an expected and documented behaviour, and not any issue with Squid. You would get exactly the same "problem" without Squid.

https://wiki.squid-cache.org/Features/MimicSslServerCert