SSL/HTTPS does not work on some websites (SSL Man In the Middle Filtering)



  • Hello everyone,
    There is a strange phenomenon that I have been trying to solve for over a month.
    Some sites (not all sites) show this message on entry.
    If I configure Bypass Proxy for These Destination IPs for the site, it works.

    **The following error occurred while attempting to resolve the address
    URL: https://nanlyx.blogspot.co.il/2013/04/how-to-block-file-uploads-using-squid.html?

    An error occurred trying to create a secure connection
    172.217.23.1

    The system returned:

    [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
    Certificate does not match domainname: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.googleusercontent.com

    This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.**

    or

    **The following error was encountered while trying to retrieve the URL: https://213.8.192.8/

    Failed to establish a secure connection to 213.8.192.8

    The system returned:

    (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
    Handshake with SSL server failed: [No Error]

    This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

    Your cache administrator is admin@mynetwork.com.**

    I searched the forums and Google but to no avail.
    Running on pfSense Version 2.3.2-RELEASE (amd64)
    squidGuard latest version
    squid latest version

    Thanks for the help!!!



  • It's complaining about the certificate.  They're probably using name-based vhosts and you're trying to get there via the IP address so you get a certificate mismatch.  Is there some reason you can't just use their domain name via jobmaster.co.il?



    **When I entered the site, I went with the domain name.
    Only when I entered the member registration page on the site did I get this message.
    Seems that Squid does it automatically?**

    **It also happens when I try to log in to https://outlook.co.il**

    The following error occurred while attempting to resolve the address
    URL: https://outlook.co.il/

    An error occurred trying to create a secure connection 157.55.43.17

    The system returned:

    [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
    Certificate does not match domainname: /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna DUB-A Jun2015

    This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.



  • These are broken sites you are trying to get to.  They also fail for me and I don't have problem with any site in general.  When I go to outlook.co.il I get a cert error, and the SAN cert says it is for the following domains:


    You will notice that outlook.co.il is not in this list, so you get a certificate mismatch.  Nothing to do with pfSense.





  • I doubt it.  The error is that their certificate does not match the domain name you are using to access them.  Only they can fix that.  Send them an email and ask them why you get cert errors when using their site.  I just tried it again on my end and it worked the second time (redirected to login.live.com) so the problem seems to be intermittent.  I wonder if they just have a misconfigured server that you get served round-robin?



  • The problem happens on a few sites, not only on outlook.co.il.

    Like this one:
    https://forums.linuxmint.com/

    It has nothing to do with it?



  • When an SSL site redirects us to another SSL site it will fail; it checks the actual certificate received by the client before it tries to redirect us to the other site.

    Fix: bypass the proxy for these sites, or try accessing the site it redirects you to directly.

    For https://outlook.co.il/ just go directly to https://login.live.com/
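The name check behind the "Certificate does not match domainname" (SQUID_X509_V_ERR_DOMAIN_MISMATCH) messages quoted earlier in this thread, as an added example; this is not Squid's or pfSense's code, and the SAN lists and subject strings are constructed from the error text above (the wildcard SAN entries for the Google certificate are assumed, since the thread shows only its CN):

```python
# Added example (not Squid's or pfSense's code): the hostname-vs-certificate
# check that yields SQUID_X509_V_ERR_DOMAIN_MISMATCH. Inputs are constructed
# from the error messages quoted in the thread.

def cn_from_subject(subject):
    """Pull the CN out of an OpenSSL one-line subject such as
    '/C=US/O=Google Inc/CN=*.googleusercontent.com'. None if absent."""
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key == "CN" and value:
            return value
    return None

def dns_name_matches(pattern, hostname):
    """RFC 6125-style match of one certificate name against a hostname.
    '*' is honoured only as the whole left-most label, it must be followed
    by at least two labels (so '*.com' never matches), and it covers
    exactly one label (so '*.example.com' does not match 'a.b.example.com')."""
    p = pattern.rstrip(".").lower().split(".")
    h = hostname.rstrip(".").lower().split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_matches_host(san_dns_names, subject, hostname):
    """SAN dNSNames are authoritative; the subject CN is consulted only when
    the certificate carries no SAN entries at all (the usual verifier rule)."""
    names = list(san_dns_names)
    if not names and cn_from_subject(subject):
        names = [cn_from_subject(subject)]
    return any(dns_name_matches(n, hostname) for n in names)

def check(hostname, san_dns_names, subject):
    """The verdict a proxy would log for this hostname/certificate pair."""
    if cert_matches_host(san_dns_names, subject, hostname):
        return "OK"
    return "SQUID_X509_V_ERR_DOMAIN_MISMATCH"

# Constructed: the wrong vhost certificate handed back when a Google IP is hit.
GOOGLE_SUBJECT = "/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.googleusercontent.com"
GOOGLE_SAN = ["*.googleusercontent.com", "googleusercontent.com"]  # assumed SAN entries
# Constructed subset of the Microsoft SAN list quoted in the thread (no CN in subject).
LIVE_SUBJECT = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Outlook Kahuna DUB-A Jun2015"
LIVE_SAN = ["mail.live.com", "hotmail.com", "www.live.com", "dub109.mail.live.com"]

if __name__ == "__main__":
    for host, san, subj in [("nanlyx.blogspot.co.il", GOOGLE_SAN, GOOGLE_SUBJECT),
                            ("outlook.co.il", LIVE_SAN, LIVE_SUBJECT),
                            ("dub109.mail.live.com", LIVE_SAN, LIVE_SUBJECT)]:
        print(host, check(host, san, subj))
```

Only the middle case changes when the client is sent straight to a name that is in the SAN list, which is why going directly to the redirect target works while the original hostname is refused.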



  • Hello,

    There is another solution which is working for me. Bypass HTTPS filtering for the particular computer which is used to access such sites. All your HTTP blocking rules will still apply to that computer, but HTTPS sites accessed from this computer will bypass the proxy.

    This can be done by inbound port forwarding. Create an alias for the IPs of the computers for which you want to bypass HTTPS filtering. Create a NAT rule as in the attached screenshot.

    I hope this is useful for someone.

    Thanks.




  • Can anyone test accessing https://workshop.olacabs.com behind a firewall with SSL bumping? Is there an issue with the site, or is my firewall misconfigured? I am able to access the site without SSL bump.

    Can anyone test this particular site?

    Thank you.
    Ashima



  • I get an enter-email page with SSL bump and Squid transparent mode enabled.



  • Thank you for testing it. Can anyone else also try it, please? Accessing https://workshop.olacabs.com with SSL bump in transparent mode.

    Thank you
    Ashima