Update check & package install behind MITM proxy?

I have a situation where I'm forced to use a corporate proxy to access the Internet. Our proxy rewrites SSL and basically acts as a MITM. Because of this, requests to https URLs (like the pfSense packages URL, for example) will fail unless the SSL certs for the corporate proxy are trusted. I've added both of our company's certs to pfSense's Cert Manager (see attachment) and they were accepted; however, the update check & package installation pages still fail.

I've verified that I have access to the Internet (through our proxy) by using curl:

```
[2.3.2-RELEASE][admin@lab-firewall.hts.lab]/root: curl -x <myproxy>:8123 http://google.com
<title>301 Moved</title>
301 Moved
The document has moved here. (http://www.google.com/)
```

**Requesting https through the proxy shows this:**

```
[2.3.2-RELEASE][admin@lab-firewall.hts.lab]/root: curl -x <myproxy>:8123 https://google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```

**Telling curl to ignore certificates shows this (which works):**

```
[2.3.2-RELEASE][admin@lab-firewall.hts.lab]/root: curl -x <myproxy>:8123 https://google.com -k
<title>301 Moved</title>
301 Moved
The document has moved here. (https://www.google.com/)
```

I've set up an intermediary proxy between pfSense and our company proxy to see what's going on. I can see the pfSense firewall asking for "pkg.pfsense.org:443" in the squid logs (shown below).

```
1478163783.083 533 x.x.x.x TCP_MISS/000 2976 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163784.417 321 x.x.x.x TCP_MISS/000 1571 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163784.738 318 x.x.x.x TCP_MISS/000 1571 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163786.059 314 x.x.x.x TCP_MISS/000 1571 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163786.392 331 x.x.x.x TCP_MISS/000 2939 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163787.645 249 x.x.x.x TCP_MISS/000 2939 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163787.962 315 x.x.x.x TCP_MISS/000 1571 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163789.300 319 x.x.x.x TCP_MISS/000 2939 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
```

But the upgrade check & check for packages always fails. Thank you in advance and I appreciate any ideas or suggestions!

![pfsensecerts.PNG](/public/_imported_attachments_/1/pfsensecerts.PNG)
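An added check that is not part of the original post or of pfSense: a small Python 3 script that does by hand what the curl commands above do, opens an HTTP CONNECT tunnel through the proxy and then runs a verifying TLS handshake inside it, but lets you name the CA bundle file to verify against. The function names (`probe`, `build_connect_request`, `parse_connect_response`, `read_headers`) and the argument layout are mine, the proxy host, port and bundle path are placeholders, and it assumes the proxy accepts plain HTTP CONNECT on its listening port, as the squid log entries above show it does.

```python
"""Check whether an HTTPS host reached through an HTTP proxy (CONNECT tunnel)
presents a certificate that validates against a chosen CA bundle.

Usage:  python3 proxy_tls_probe.py PROXY_HOST PROXY_PORT TARGET_HOST [CA_BUNDLE.pem]
(proxy_tls_probe.py is a hypothetical file name for this added example)
"""
import socket
import ssl
import sys


def build_connect_request(host, port):
    """Return the raw HTTP CONNECT request that asks the proxy for a tunnel."""
    return (
        "CONNECT {h}:{p} HTTP/1.1\r\n"
        "Host: {h}:{p}\r\n"
        "\r\n"
    ).format(h=host, p=port).encode("ascii")


def parse_connect_response(raw):
    """Return (status_code, reason_phrase) from the proxy's reply to CONNECT.

    Raises ValueError when the reply does not start with an HTTP status line,
    which is what you get when the port is not an HTTP proxy at all.
    """
    headers = raw.split(b"\r\n\r\n", 1)[0]
    status_line = headers.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def read_headers(sock):
    """Read from sock until the blank line that ends the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(proxy_host, proxy_port, target_host, cafile=None, timeout=10):
    """Tunnel to target_host:443 via the proxy and do a verifying TLS handshake.

    cafile=None uses Python/OpenSSL's default trust store; pass the exported
    proxy CA bundle instead to test whether that file alone is enough to trust
    the certificate the MITM proxy presents.  Returns a dict so the caller can
    see which step failed (CONNECT refused vs. certificate not verified).
    """
    result = {"connect_status": None, "verified": False,
              "subject": None, "issuer": None, "error": None}
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
        raw.sendall(build_connect_request(target_host, 443))
        status, reason = parse_connect_response(read_headers(raw))
        result["connect_status"] = status
        if status != 200:
            result["error"] = "proxy refused CONNECT: %d %s" % (status, reason)
            return result
        try:
            with ctx.wrap_socket(raw, server_hostname=target_host) as tls:
                cert = tls.getpeercert()  # populated only after verification succeeded
                result["verified"] = True
                result["subject"] = dict(rdn[0] for rdn in cert["subject"])
                result["issuer"] = dict(rdn[0] for rdn in cert["issuer"])
        except ssl.SSLError as exc:
            # e.g. "certificate verify failed: unable to get local issuer certificate",
            # the same condition curl reports as error (60) above
            result["error"] = str(exc)
    return result


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit(__doc__)
    proxy, port, target = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    bundle = sys.argv[4] if len(sys.argv) > 4 else None
    res = probe(proxy, port, target, cafile=bundle)
    print("CONNECT status:", res["connect_status"])
    if res["verified"]:
        print("verified OK; issuer CN =", res["issuer"].get("commonName"))
    else:
        print("verification FAILED:", res["error"])
```

Run it twice: once without a bundle (you should see the same "unable to get local issuer certificate" failure curl shows) and once with the file containing the exported proxy CA certificates. If the second run verifies and the printed issuer is your proxy's CA, the certificates themselves are sufficient, and the remaining question is which trust store the firewall's update and package tooling consults, rather than whether the certs are right.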