Update check & package install behind MITM proxy?



I have a situation where I'm forced to use a corporate proxy to access the Internet. Our proxy rewrites SSL and basically acts as a MITM. Because of this, requests to HTTPS URLs (like the pfSense packages URL, for example) will fail unless the SSL certs for the corporate proxy are trusted. I've added both of our company's certs to pfSense's Cert Manager (see attachment) and they were accepted; however, the update check & package installation pages still fail.

I've verified that I have access to the Internet (through our proxy) by using curl:

```
[2.3.2-RELEASE][admin@lab-firewall.hts.lab]/root: curl -x <myproxy>:8123 http://google.com
<title>301 Moved</title>
301 Moved
The document has moved [here.](http://www.google.com/)
```

**Requesting https through the proxy shows this:**

```
[2.3.2-RELEASE][admin@lab-firewall.hts.lab]/root: curl -x <myproxy>:8123 https://google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
```

**Telling curl to ignore certificates shows this (which works):**

```
[2.3.2-RELEASE][admin@lab-firewall.hts.lab]/root: curl -x <myproxy>:8123 https://google.com -k
<title>301 Moved</title>
301 Moved
The document has moved [here.](https://www.google.com/)
```

I've set up an intermediary proxy between pfSense and our company proxy to see what's going on. I can see the pfSense firewall asking for "pkg.pfsense.org:443" in the squid logs (shown below).

```
1478163783.083    533 x.x.x.x TCP_MISS/000 2976 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163784.417    321 x.x.x.x TCP_MISS/000 1571 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163784.738    318 x.x.x.x TCP_MISS/000 1571 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163786.059    314 x.x.x.x TCP_MISS/000 1571 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163786.392    331 x.x.x.x TCP_MISS/000 2939 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163787.645    249 x.x.x.x TCP_MISS/000 2939 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163787.962    315 x.x.x.x TCP_MISS/000 1571 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163789.300    319 x.x.x.x TCP_MISS/000 2939 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
```

But the upgrade check & check for packages always fail.

Thank you in advance and I appreciate any ideas or suggestions!

![pfsensecerts.PNG](/public/_imported_attachments_/1/pfsensecerts.PNG)
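The curl error above ("unable to get local issuer certificate") is what a TLS client reports when the CA that signed the presented certificate is absent from the CA bundle that client consults. One check worth running in this situation is therefore whether the proxy's re-signing CA is actually present in the bundle used by the failing tool, independent of what the pfSense Cert Manager shows. The script below is an added example, not part of the original post and not pfSense's or curl's own code: it builds a throwaway CA and a leaf certificate for it (constructed stand-ins for the corporate proxy CA and the re-signed pkg.pfsense.org certificate; no real corporate certs are involved), then runs `openssl verify -CAfile` against a bundle that lacks the CA and against one where the CA has been appended. It assumes `openssl` and `mktemp` are available; which bundle file curl and pkg read on pfSense is not stated in the post, so the path to test is left as a parameter.

```shell
#!/bin/sh
# Added example (not from the post or pfSense): check whether a leaf
# certificate chains to a CA present in a given CA bundle, using openssl.
# Every certificate here is a throwaway, constructed stand-in.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca PREFIX CN: generate a self-signed CA key and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" 2>/dev/null
}

# Build the constructed PKI: a stand-in for the corporate MITM CA, an
# unrelated CA that plays the role of the public roots already in a bundle,
# and a leaf cert for pkg.pfsense.org as an intercepting proxy would re-sign it.
make_test_pki() {
  [ -f "$WORK/leaf.pem" ] && return 0
  make_ca proxy-ca "Example Corp Proxy CA (constructed)"
  make_ca other-ca "Unrelated Root CA (constructed)"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=pkg.pfsense.org" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/proxy-ca.pem" -CAkey "$WORK/proxy-ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null
  # Bundle as shipped: public roots only, the proxy CA is missing.
  cp "$WORK/other-ca.pem" "$WORK/bundle-without-proxy-ca.pem"
  # Bundle after the proxy CA has been appended to it.
  cat "$WORK/other-ca.pem" "$WORK/proxy-ca.pem" > "$WORK/bundle-with-proxy-ca.pem"
}

# verify_against BUNDLE LEAF: prints "trusted" when LEAF chains to a CA in
# BUNDLE (the check that precedes curl's "unable to get local issuer
# certificate"), otherwise "untrusted".
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_test_pki
for bundle in bundle-without-proxy-ca bundle-with-proxy-ca; do
  echo "$bundle: $(verify_against "$WORK/$bundle.pem" "$WORK/leaf.pem")"
done
# Against a real system, call verify_against with the bundle the failing tool
# reads and a certificate saved from the proxy (e.g. via openssl s_client -showcerts).
```

The first line of output is `untrusted` and the second `trusted`; if the same test against the bundle a tool really reads says `untrusted` even though the Cert Manager lists the CA, the two trust stores are not the same file, which is the gap to close.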
