Working transparent SSL filtering, but have a question…



  • I've got transparent SSL filtering working without having to use squidguard, wpad, Splice-all, etc, but in order to get this working, I had to disable something that I thought was required:

    Under Certificate Adapt, I had to unselect "Sets CN Property (setCommonName)."

    I thought the CN was how programs determine if the certificate belongs to the host providing the certificate – I.E. verify that the FQDN matches the CN.  My testing shows that only when I de-select this does the CN field get populated correctly.  Is there a bug in the code that applies this switch that is reversing what is being asked for, or am I not understanding what this setting is supposed to do?


  • Rebel Alliance Developer Netgate

    @Tantamount:

    I thought the CN was how programs determine if the certificate belongs to the host providing the certificate – I.E. verify that the FQDN matches the CN.

    Actually, since RFC 2818 back in May of 2000, the use of CN for matching hostnames has been deprecated in favor of matching based only on Subject Alternative Names (SAN). Some browsers still fall back to check the CN if the SAN list is empty, but Chrome recently dropped checking CN entirely and now only looks at the SAN list.

    I'm not sure how that would have made a difference with your splice all setup, since it wouldn't be doing MITM, except that maybe having that on still made it alter the certificate when it should have left it alone.


Log in to reply