Squid ssl filter CA issues certificates for ip, not domain



  • What is the issue or error?

    Add a printscreen



  • The issue is described in my original post.



  • I need the printsreen

    ;)



  • Here is the screen shot

    ![Screen Shot 2016-07-24 at 2.31.37 PM.png](/public/imported_attachments/1/Screen Shot 2016-07-24 at 2.31.37 PM.png)
    ![Screen Shot 2016-07-24 at 2.31.37 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2016-07-24 at 2.31.37 PM.png_thumb)



  • check this, please

    SquidVeneno is my CA for squid proxy




  • I changed my settings, and it now works. Thanks!



  • cool  :)



  • @😄:

    check this, please

    SquidVeneno is my CA for squid proxy



  • I use a free startssl certificate for mine

    see -> http://www.itnotes.eu/?p=3218



  • Hello friends
    I've enabled Transparent Proxy and SSL Man In the Middle Filtering on pfsense.
    My pfsesne version is 2.3.4-RELEASE-p1 (amd64).
    I've implemented the following rules for HTTPS SSL.
    SSL / MITM Mode: Splice Whitelist , Bump Otherwise
    SSL Intercept (s): LAN
    SSL Proxy Compatibility Mode: Modern
    DHParams Key Size: 2048
    CA: Self-Signed

    I use SSL Filtering in Squid and I created a certificate in pfsense and I can login to Https through Domain Name.

    • Tip: I have installed my certificate on the system.

    For example, the site (https://www.roblox.com) looks like the following

    First Photo

    But when I log in through the IP of the same site, I get an error certificate like the one below

    Second Photo

    In Android apps on the mobile phone, all connections are through the IP, and if I connect to the Internet via WIFI, that the Pfsense firewall is on the route, none of the programs will connect (such as a telegram)

    Friends and Teachers Please advise how to resolve this issue.


  • Banned

    @messerchmidt:

    I use a free startssl certificate for mine

    You cannot use any such thing, WTF. You need your own CA that's able to issue certificates on the fly for Squid.

    @reza3sw:

    In Android apps on the mobile phone, all connections are through the IP, and if I connect to the Internet via WIFI, that the Pfsense firewall is on the route, none of the programs will connect (such as a telegram)

    0/ Stop SCREAMING!
    1/ Cannot see anything "like below". Post the error instead of huge letters.



  • @doktornotor:

    @messerchmidt:

    I use a free startssl certificate for mine

    You cannot use any such thing, WTF. You need your own CA that's able to issue certificates on the fly for Squid.

    @reza3sw:

    In Android apps on the mobile phone, all connections are through the IP, and if I connect to the Internet via WIFI, that the Pfsense firewall is on the route, none of the programs will connect (such as a telegram)

    0/ Stop SCREAMING!
    1/ Cannot see anything "like below". Post the error instead of huge letters.

    I put two photos first, through the domain name of a site, I entered the site and the second image through the IP I entered that site. I entered the site successfully in the first photo, but in the second photo there is a certificate error.
    Also, in Android applications, such as the telegram, it uses the IP to connect to the server, and it does not provide a connection error.


  • Banned

    @reza3sw:

    I put two photos first

    No idea where did you put two photos.



  • @doktornotor:

    @reza3sw:

    I put two photos first

    No idea where did you put two photos.

    I am sorry I did not understand
    Probably a problem with my upload center, which is not a photo.

    I'm uploading again

    First Photo

    Second Photo



  • I am able to log in to HTTPS sites if I enter the domain name successfully with the internal certificate, but if I get the IP address of that site, I get an error certificate?
    Why this error occurs?

    This problem is problematic on Android phones to enter programs such as telegrams that use HTTPS and IP, and the program does not work?
    Is there a way to set up an IP certificate?
    Because it seems that the internal certificate we create works properly with the domain name of the sites.
    Thank you friends


  • Banned

    This is an expected and documented behaviour, and not any issue with Squid. You would get exactly the same "problem" without Squid.

    https://wiki.squid-cache.org/Features/MimicSslServerCert



  • @doktornotor:

    This is an expected and documented behaviour, and not any issue with Squid. You would get exactly the same "problem" without Squid.

    https://wiki.squid-cache.org/Features/MimicSslServerCert

    So why when the HTTPS / SSL Interception option enables SSL filtering.

    This activates this and does not exist when it is disabled?
    And my Android phone that connects to this firewall via Wi-Fi

    If this option is enabled, some of the programs will not connect to the Internet? But if this option is disabled, they will be connected.

    I even installed the internal certificate I built on my mobile phone, but the problem remains


  • Banned

    There's nothing that activates. When you try browsing https://8.42.96.25 (or any other IPs that www.roblox.com resolves to) instead of https://www.roblox.com, you get exactly the same result without any proxy. Because the site clearly does not have any of it's IPs in its certificate's SAN.



  • @doktornotor:

    There's nothing that activates. When you try browsing https://8.42.96.25 (or any other IPs that www.roblox.com resolves to) instead of https://www.roblox.com, you get exactly the same result without any proxy. Because the site clearly does not have any of it's IPs in its certificate's SAN.

    Thanks for your good guidance
    But what is this problem?

    Why does SSL filtering enable HTTPS / SSL interception when it is enabled? In squid

    Is it possible to connect some Android apps to mobile phones?


  • Banned

    @reza3sw:

    Why does SSL filtering enable HTTPS / SSL interception when it is enabled?

    ??? ??? ???



  • @doktornotor:

    @reza3sw:

    Why does SSL filtering enable HTTPS / SSL interception when it is enabled?

    ??? ??? ???

    :D :D

    I know my questions are a lot.
    But I did not find a place.

    Thanks for the time you left


  • Banned

    Well I don't get the question really… that's the whole purpose of the feature. If you don't want it, do NOT make the proxy transparent (or whitelist stuff that's not supposed to get proxied).



  • @doktornotor:

    Well I don't get the question really… that's the whole purpose of the feature. If you don't want it, do NOT make the proxy transparent (or whitelist stuff that's not supposed to get proxied).

    Again thanks for the guidance

    But to control some sites, I need to enable this option, and on the other hand, I have the problem


Log in to reply