Make Certificate Configurable



  • Hi,
would it be possible to make the certificate on the HTTPS server configurable (when blocking DNS requests)? You could either take a leaf certificate from the certificate manager or generate a new one on the fly using a configured CA and send the whole certificate chain along.
    This way the SSL errors would go away on machines that trust the custom CA when accessing a blocked site. Currently there is no way of trusting these errors to generate a smoother user experience and inform users of what's going on.


  • Moderator

    I'd rather not MITM and generate fake certs....

    In pfBlockerNG-devel, there is a new option to disable logging of domains and send the DNS request to 0.0.0.0, which will avoid the cert issue. So what you would do is make a new DNSBL Group and manually add the domains that are generating those cert issues to the DNSBL custom list. Set Logging to "disabled" and set the Order to Primary so that this group is processed first before the other DNSBL groups.



  • Thanks for the answer.
The problem is I'm using many lists and I don't know which of the domains will cause errors in the future, and it would be a painful job to move them by hand if it happens.
    One popular case is Google Analytics. If you have GA on a DNSBL (as it's on almost every list) and someone wants to access the admin console of GA, you are presented with a certificate error and it's hard for the user to determine what's going on under the hood.

So if I send the request to 0.0.0.0 will it still be blocked? If I route all of my DNSBL to 0.0.0.0 will it work as before or are there any disadvantages?


  • Moderator

    @firefart said in Make Certificate Configurable:

So if I send the request to 0.0.0.0 will it still be blocked? If I route all of my DNSBL to 0.0.0.0 will it work as before or are there any disadvantages?

I would expect there to be a handful of domains that cause this issue... The domain you listed is one of them.

    When you use 0.0.0.0 it will block the domain (static zone in Unbound) but it will not keep track of the blocked events in the Reports/Alerts Tabs.
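The two moderator replies above describe a workaround rather than show it: put the handful of cert-breaking domains in their own DNSBL group, point that group at 0.0.0.0, disable its logging, and give it Order "Primary" so it is processed before the bulk feeds. The script below is an added example, not pfBlockerNG's own code, that models that ordering and renders the result as Unbound `local-zone`/`local-data` directives so you can see why the same domain ends up at 0.0.0.0 rather than at the sinkhole, and which domains will no longer appear in Reports/Alerts. The sinkhole address 10.10.10.1, the feed names and their contents, the group name, and the output layout are all constructed assumptions; only the Unbound directive syntax is real, and pfBlockerNG's generated files are not claimed to look like this.

```python
"""
Added example (not pfBlockerNG code): model DNSBL group ordering and render
the Unbound static-zone entries each domain ends up with.

Assumptions (labelled): SINKHOLE_VIP, the sample feeds, the group name and
the output layout are constructed for illustration only. The local-zone /
local-data directives are real Unbound syntax; the file pfBlockerNG writes
is not claimed to match this.
"""
from typing import Dict, List, Optional, Tuple

SINKHOLE_VIP = "10.10.10.1"   # assumed DNSBL VIP running the HTTPS "blocked" page
NULL_ADDR = "0.0.0.0"         # the 0.0.0.0 option from the thread: no listener, no cert error

# Constructed sample feeds; names and contents are not real lists.
BULK_FEEDS: Dict[str, List[str]] = {
    "EasyPrivacy": ["www.google-analytics.com", "tracker.example.net"],
    "AdHosts":     ["ads.example.com", "www.google-analytics.com"],
}
# User-maintained custom list of domains that break with a cert error when sinkholed.
NOLOG_CUSTOM: List[str] = ["www.google-analytics.com", "analytics.google.com"]

Group = Tuple[str, bool, str, List[str]]   # (name, logging, address, domains)


def normalise(domain: str) -> str:
    """Lower-case, trim, and drop a trailing dot so duplicates compare equal."""
    return domain.strip().lower().rstrip(".")


def build_groups(bulk: Dict[str, List[str]], custom: List[str]) -> List[Group]:
    """Order groups as pfBlockerNG would with the custom group set to Primary.

    The custom group is first, answers 0.0.0.0 and has logging disabled; the
    bulk feeds follow, answer the sinkhole VIP and keep logging on.
    """
    groups: List[Group] = [("NoLog_CertFix", False, NULL_ADDR, custom)]
    for name, domains in bulk.items():
        groups.append((name, True, SINKHOLE_VIP, domains))
    return groups


def render_unbound(groups: List[Group]) -> Tuple[str, Dict[str, str]]:
    """Render static zones; the first group that lists a domain wins.

    Returns the config text and a map of domain -> group that claimed it.
    """
    seen: Dict[str, str] = {}
    lines: List[str] = []
    for name, logging, addr, domains in groups:
        lines.append(f"# DNSBL group {name} (logging={'on' if logging else 'off'})")
        for d in map(normalise, domains):
            if not d or d in seen:
                continue   # earlier (Primary) group already answered this name
            seen[d] = name
            lines.append(f'local-zone: "{d}." static')
            lines.append(f'local-data: "{d}. A {addr}"')
    return "\n".join(lines) + "\n", seen


def lookup(conf: str, domain: str) -> Optional[str]:
    """Return the A record a client would get for domain from the rendered config."""
    target = f'local-data: "{normalise(domain)}. A '
    for line in conf.splitlines():
        if line.startswith(target):
            return line[len(target):].rstrip('"')
    return None


def which_are_logged(seen: Dict[str, str], groups: List[Group]) -> List[str]:
    """Domains that will still show up in Reports/Alerts (claimed by a logging group)."""
    logging_by_group = {g[0]: g[1] for g in groups}
    return sorted(d for d, g in seen.items() if logging_by_group[g])


if __name__ == "__main__":
    grps = build_groups(BULK_FEEDS, NOLOG_CUSTOM)
    text, owner = render_unbound(grps)
    print(text)
    print("still logged:", which_are_logged(owner, grps))
```

Reading the output side by side makes the trade-off in the reply concrete: www.google-analytics.com is answered with 0.0.0.0 from the Primary group, so the browser never reaches an HTTPS listener and no certificate warning is shown, but that domain also drops out of the logged set, while ads.example.com still goes to the sinkhole VIP and is still reported. If a domain later starts causing cert errors, adding it to the custom list is the only change needed; the ordering guarantees it overrides every bulk feed that also carries it.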



• Perfect, thanks!


 
