Certificate errors with SSL Filtering using SquidGuard
Hello guys, first off I just want to say that I am really pleased with the performance of my pfSense box. I bought an SG-2440 and it's been working great. Recently, I've setup SSL filtering with Squid to block sites and it's almost working perfectly except for a two main issues.
I am using version 2.3.2 with Squid 3.5.
My first issues is that sometimes, it seems that Squid is issuing a certificate using the IP address for the common name instead of the FQDN, which results in a certificate error. It doesn't happen for every site but it happens occasionally for a few sites.
My second issue is that Internet Explorer seems to complain about the certificate not being trusted even though the CA is installed on the computer in MMC. It seems to only complain when I visit sites that are blocked. If I visit sites that are secured with SSL but aren't blocked, they work as expected. It is working fine in Firefox and Google Chrome when going to blocked sites.
If anyone has any advice or possibly knows why these issues are happening, I would greatly appreciate it!
Just a little update – the Internet Explorer error is occurring because there is some sort of problem with the redirection. I can tell because the URL bar says the original address that I have typed in and the certificate has the wrong information when I click the certificate information bar.
Same problem here, Squid issues the certificate on the ip not on the fqdn of the website. I already ticked "Resolve DNS IPv4 First" on the general tab but it doesn't change anything. Has anybody a clue to solve this problem?
Thanks in advance.
Solved this problem a few minutes ago for my installation.
In my setup i have Pfsense 2.3.2, squid and squidguard.
The problem i've dealth with, was the certification error "http". After clicking everything possible in squid configuration i've found out it was the squidguard common ACL "blk_BL_adv"
I imagine that many users use the shallalist blacklist, at the very moment i disabled that rule everything in the Man in The Middle worked like charm.
I'm not a programmer nor a squid expert, if anyone in this forum can contact the squidguard developers maybe they will find out if i was lucky or if there's a problem with squidguard, shallalist and ssl filtering
Sorry for my poor english.