SSL Man In the Middle Filtering blocking any app

  • Hello
    Why is SSL Man In the Middle Filtering enabled, and CA is installed on clients for Root, they open in the site browser, and there is no problem.
    But an Android program or any program that wants to connect to the server via the IP will error and no program works?
    what's the solution ? Is this a problem with Squid or pfsense?

    I changed all the settings to different modes, but did not answer
    Apps only work when I disable SSL Man In the Middle Filtering

  • LAYER 8 Netgate

    Perhaps the app is certificate pinning because they want to prevent people doing SSL MITM there?

  • I installed the internal Certificate and CA and installed it on the clients, and it works on the web (chrome firefox), but it does not work with any mobile application or any application that wants to connect to port 443 via IP. Encountered. I guess this problem does not arise because it does not recognize the IP. But what is the solution? How do you get this to squid?

    Is this because mobile apps want to connect to the server via IP and MIMT prevents it? Or has it another reason?

  • I'm having the same problem, but some PCs can't connect to some sites like
    On our Android devices, we can connect to apps like Snapchat, Whatsapp, etc, but we can't download audios, photos, etc.

  • This is a very big problem that I have been asking over and over again, but nobody could answer it. Perhaps this is a pfsense problem that could not solve it ... I had this problem with the site and it was a problem. I put in the bypass, but other apps can not be done
    If we put all the programs in the bypass, then this pfsense part is not applicable ... This is still a problem, and it's a problem for administrators and those who can solve this problem. Please provide a solution.

    Also, there are other problems, such as openconnect, in Linux and the ubuntu terminal with port 443, and even sites and applications that need access to the server through the IP do not work.

    Generally speaking, when the pfsense and MITM proxy server is used, everything is cut off and users become very dissatisfied.

  • Thanks but
    I set manualy proxy and port in android phone..but didn't work any app

    And define rule in NAT port forward
    80 and 443 redirect to pfsense lan address port 3128

    But not work any app

  • LAYER 8 Netgate

    Many believe that HTTPS MITM is an unsound practice if not immoral. Personally, I am one of them.

    When you click transparent proxy you automatically get a port forward on the squid interfaces that forwards all port 80 traffic to 3128.

    If you also check HTTPS you also get a port forward for port 443 traffic to port 3129.

    Those are the default ports.

    If you set the clients manually you do not need port forwards and should disable transparent mode.

    Everything you should need is here:

    Youtube Video

  • Thanks for your good answer ... The things you said are true, but the problem with Internet access is that the smartphone apps are still up to date with MITM...
    But when I use MITM - splice all ...any app work correctly

    I also believe that https MITM is not applicable ... but where need control bandwidth through squid...

  • LAYER 8 Netgate

    Splice all is not MITM.

  • ... I mean, in Man in the middle, enable the splice all option, the problem is resolved, but the monitoring on 443 is not complete.

  • LAYER 8 Netgate

    This post is deleted!

  • I searched on other sites that are related to squid.
    This problem has been reported by squid users but no solutions have been made

    Has anyone had this problem? Has it resolved?

  • Android apps, by default, don't trust roots installed by the user/admin. This security feature was added in Android N.

  • Thanks
    There is no solution right now?

  • The MITM "problem" will probably never get solved.

  • @gertjan said in SSL Man In the Middle Filtering blocking any app:

    The MITM "problem" will probably never get solved.

    Thank you very much

Log in to reply