Squid MITM proxy - certificate errors



  • I am trying to configure PFSense 2.3.2, with Squid.

    I have squid configured in transparent mode with a local CA, have exported the certificate, installed it on my endpoints and made sure it is trusted.  I have made sure not to configure the proxy on the clients.

    HTTP proxy is working as expected, but HTTPS is not. Every time I go to an HTTPS site, the browser throws an error about a hostname mismatch on the certificate.

    The certificate is signed by my CA, but has an IP as the common name. I have checked the option to force a DNS lookup, but that didn't seem to help.

    I have been looking into this all day, and cannot find a way around the issue. Some of the posts that I have seen actually refer to this being built-in behavior in the browser to prevent MITM attacks (tested with Chrome and Safari).

    Am I just missing something with the configuration, or is this a known issue with Chrome/Safari?

    If anyone could provide some information on what I might be missing, I would appreciate it.

    Thanks
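A diagnostic for the symptom described above, added here as an example and not code from the thread or from pfSense/Squid: it fetches the leaf certificate the proxy actually presents to a client (trusting only the exported CA file passed as `cafile`) and judges the name the way modern Chrome and Safari do, from subjectAltName only, so a CN-only certificate is reported as a mismatch regardless of what the CN holds. Function names are my own, and the certificate dicts used for checking are in the stdlib `getpeercert()` shape.

```python
import ipaddress
import socket
import ssl

def _san_entries(cert):
    """Split a getpeercert()-style dict's SAN into (dns_names, ip_strings)."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    return dns, ips

def _dns_match(pattern, hostname):
    """RFC 6125 style: only one leading wildcard label is honoured."""
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname

def check_hostname(cert, hostname):
    """Return (ok, reason) judged the way Chrome/Safari do: SAN only."""
    dns, ips = _san_entries(cert)
    if not dns and not ips:
        # the thread's case: the CN holds an IP and there is no SAN at all
        cn = next((v for rdn in cert.get("subject", ())
                   for k, v in rdn if k == "commonName"), None)
        return False, f"no subjectAltName; CN={cn!r} is not consulted"
    try:
        ip = str(ipaddress.ip_address(hostname))
    except ValueError:
        ip = None
    if ip is not None:
        return ip in ips, f"IP SAN entries: {ips}"
    if any(_dns_match(p, hostname.lower()) for p in dns):
        return True, "matched a DNS SAN entry"
    return False, f"{hostname!r} not in DNS SAN {dns}"

def fetch_cert(host, port=443, cafile=None):
    """Return the leaf actually presented to this client (through the
    transparent proxy, if one is in the path), trusting only `cafile`."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # we report the mismatch ourselves
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `check_hostname(fetch_cert("www.example.com", cafile="/path/to/exported-ca.crt"), "www.example.com")` from a client behind the proxy; a chain failure means the CA export is not trusted, while `(False, "no subjectAltName; ...")` means the generated leaf lacks the SAN the browser insists on.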



  • I've been having issues with the certificate system as well. The process seems so simple in pfSense, but my Windows systems don't seem to like the certificates (I haven't tried it on any of my other computers yet). In fact, I had to download Firefox because Chrome wouldn't even allow me to add an exception to reach pfSense after changing the web GUI certificate.

    As a test to see if your CA is working in Windows, you could create a cert for the web GUI. Then try to access the web GUI via HTTPS.

    What I would really like to do is create a CA in Active Directory, then import that to pfSense as the CA to use, but for the life of me I can't figure it out.