Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Https problem

    Captive Portal
    4
    5
    816
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      byreco last edited by

      Hi,

      we are using pfsense 2.3.2-RELEASE-p1. Before Captive portal user authentication "https" problem if the user open the https web page. send the attachment file.

      thank you.

      1 Reply Last reply Reply Quote 0
      • Gertjan
        Gertjan last edited by

        Hi,

        When you connect to a network (cable or Wifi, what ever) that offers a captive portal like pfSense does, the OS, after receiving an IP (and gateway, and DNS) by DHCP, sends out a "hidden" http GET.
        Example : an IOS device sends out : http://captive.apple.com/hotspot-detect.html
        This NON-HTTPS GET will get redirected to the Captive portal page.
        The OS detects this, ans "asks for your attention" (as "Windows" does) or just opens a very basic web browser - and the call get renewed.
        This time, the captive login page shows up.

        For some reason, on your device (PC ? OS ? Browser ?) this didn't work.
        You (?) opened a browser and it tried to go to his default home page : https://google.com - that won't work - will never work - because MITM doesn't work.

        First : Do not use this old pfSEnse versions. upgrade to 2.3.4-RELEASE-p1
        Remove your own captive portal, if you upload one : use the build in 'html' page.
        Then : when connecting to the captive portal network, check that a browser pops up automatically. Microsoft, Androids, Apple devices will do so … and that the login page shows up.
        If not, hitting the captive portal with a https request WILL never work (this is not a bug, but a feature).
        So : Make your captive portal work first.

        edit : btw : the subject is wrong.

        If you (your browser) asks for https://google.com and the server "on the other side" (the captive portal web server running on your pfSEnse box) replies, the certificate returned (YOUR certicate that you use for your captive portal) WILL NOT state that it is "google.com" - because he isn't ;) Your browser detects this, and fires a "Man In The Middle" MITM error.
        So, all goes well, you are protected ! Be happy ! Their is no problem.

        No "help me" PM's please. Use the forum.

        1 Reply Last reply Reply Quote 0
        • D
          doktornotor Banned last edited by

          You cannot hijack HTTPS without causing certificate errors on clients. Move on.

          1 Reply Last reply Reply Quote 0
          • jimp
            jimp Rebel Alliance Developer Netgate last edited by

            If you have a current version of Chrome it should see the cert error, try an HTTP portal test, and then automatically open a new tab with the portal login. At least it does for me.

            I do have HTTPS portal enabled with a valid cert (LE/ACME) for my hostname set on the portal config, and a host override pointing that hostname to the CP interface address. But last time I tested it, it should work with an invalid/self-signed cert, basically any unexpected HTTPS response, including a timeout, should kick in Chrome's portal detection.

            Firefox pops up its little portal detection bar with a button to open the portal either way.

            Of course all that assumes you aren't doing something like squid or a host bypass that somehow breaks the portal detection code in the browsers.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • Gertjan
              Gertjan last edited by

              @jimp:

              If you have a current version of Chrome it should see the cert error, try an HTTP portal test, and then automatically open a new tab with the portal login. At least it does for me.

              I do have HTTPS portal enabled with a valid cert (LE/ACME) for my hostname set on the portal config, and a host override pointing that hostname to the CP interface address. But last time I tested it, it should work with an invalid/self-signed cert, basically any unexpected HTTPS response, including a timeout, should kick in Chrome's portal detection.

              Firefox pops up its little portal detection bar with a button to open the portal either way.

              Good to here all this :D I didn"t even know that our browsers are also "captive portal aware" these days.

              No "help me" PM's please. Use the forum.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post