Netgate Discussion Forum
    Squid MITM proxy - certificate errors

    Cache/Proxy

      8bitz wrote:

      I am trying to configure pfSense 2.3.2 with Squid.

      I have squid configured in transparent mode with a local CA, have exported the certificate, installed it on my endpoints and made sure it is trusted.  I have made sure not to configure the proxy on the clients.

      HTTP proxy is working as expected, but HTTPS is not. Every time I go to an HTTPS site, the browser throws an error about a hostname mismatch on the certificate.

      The certificate is signed by my CA, but has an IP as the common name. I have checked the option to force a DNS lookup, but that didn't seem to help.

      I have been looking into this all day, and cannot find a way around the issue. Some of the posts that I have seen actually refer to this being built-in behaviour in the browser to prevent MITM attacks (tested with Chrome and Safari).

      Am I just missing something with the configuration, or is this a known issue with Chrome/Safari?

      If anyone could provide some information on what I might be missing, I would appreciate it.

      Thanks

        MrVining wrote:
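      Added example, not code from either poster or from pfSense/Squid: a small Python script that fetches the certificate a client actually receives for an HTTPS host and reports whether its subjectAltName DNS entries name that host, which is the check browsers apply (a common name alone, and an IP address in it, does not satisfy a hostname check). The certificate dictionaries are in the shape `ssl.SSLSocket.getpeercert()` returns; the CA file path and hostnames are assumptions.

```python
"""Diagnose the hostname-mismatch error a browser raises behind an SSL-bumping proxy."""
import socket
import ssl


def san_dns_names(cert):
    """DNS names from the subjectAltName extension of a getpeercert() dict."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def subject_cn(cert):
    """Common name from the subject of a getpeercert() dict, or None."""
    for rdn in cert.get("subject", ()):
        for (k, v) in rdn:
            if k == "commonName":
                return v
    return None


def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a wildcard in the leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), hostname.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def diagnose(cert, hostname):
    """Explain whether the certificate would pass a browser's hostname check."""
    sans, cn = san_dns_names(cert), subject_cn(cert)
    san_ok = any(dns_name_matches(n, hostname) for n in sans)
    if san_ok:
        reason = "a subjectAltName DNS entry matches the requested host"
    elif not sans:
        reason = "no subjectAltName at all; the CN (%r) is not consulted" % cn
    else:
        reason = "subjectAltName present but none of its DNS names match"
    return {"hostname": hostname, "cn": cn, "san": sans, "matches": san_ok, "reason": reason}


def fetch_cert(hostname, port=443, ca_file=None, timeout=5):
    """Fetch the certificate the client sees (the proxy's, when bumped).
    Chain verification against ca_file (e.g. the exported pfSense CA) stays on;
    only the hostname check is disabled so a mismatching cert can be inspected."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

      Run as `python check_cert.py` after calling `diagnose(fetch_cert("www.example.com", ca_file="pfsense-ca.crt"), "www.example.com")` from a client that sits behind the transparent proxy; a result with an empty `san` list and an IP in `cn` reproduces the browser error described above.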

        I've been having issues with the certificate system as well. The process seems so simple in pfSense, but my Windows systems don't seem to like the certificates (I haven't tried it on any of my other computers yet). In fact I had to download Firefox because Chrome wouldn't even allow me to add an exception to reach pfSense after changing the web GUI certificate.

        As a test to see if your CA is working in Windows you could create a cert for the web GUI. Then try to access the web GUI via HTTPS.

        What I would really like to do is create a CA in Active Directory, then import that to pfSense as the CA to use, but for the life of me I can't figure it out.
