    Another SSL Error Post

    pfBlockerNG
    5 Posts 2 Posters 641 Views
    TheCableGuy96

      Hi,

      Yes, I know there are a ton of these but I can't find anything recent so am looking for an update...

      Is there any way as yet to get around the SSL error with the DNSBL other than turning off logging to redirect to 0.0.0.0?

      Not sure why they can't be redirected to a page on the pfBlocker server showing the error and where they came from so they know which page is blocked? Why does it have to show an SSL error on the blocked page?

      Thanks.

      Gertjan

        It's all about the very nature of TLS/SSL.
        HSTS does not make things any better.

        Just know this first : what TLS/SSL is, what this means https://....... What these certificates are actually doing. And I mean, really know the why and what.

        HSTS adds a possibility to your browser so it knows that, for example, a certificate using "microsoft.com" can never ever be used in relation to a web server that is not addressable at "microsoft.com".
        It boils down to : when the browser wants a page from "microsoft.com", it will never accept info from a site that is not "microsoft.com".
        The web page that "pfBlockerNG" tries to show you isn't from "microsoft.com" - and no one on planet earth can fool the browser any more so that it thinks it is. It's about security and so ^^

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        TheCableGuy96
        last edited by TheCableGuy96

          @Gertjan said in Another SSL Error Post:

          ser so it knows that, example

          Hi @Gertjan

          I understand that, but why can pfBlocker not intercept this and simply redirect the user to a locally hosted page instead that says the previous page has been blocked? It already displays a custom page using the requested URL, it would just need to show the same page but on a redirected URL instead.

          Cheers.

          Gertjan @TheCableGuy96

            Ok.

            Lucky you, I have 5 minutes.

            Here we go:

            A web page contains a publicity, like
            https://serverfault.com/questions/1000126/set-up-multicast-route-across-a-middle-hop

            You see the :

            [image]

            Let's inspect.
            It's a whole bunch of html coming from :

            <iframe style="border: 0px none; vertical-align: bottom;" src="https://tpc.googlesyndication.com/safeframe/1-0-37/html/container.html" id="google_ads_iframe_/248424177/serverfault.com/lb/question-pages_0"></iframe>

            Note : it's an iframe, loaded "as a new page" but in place, in the existing page / browser tab. These can't be redirected, and the loading is handled by embedded javascript.

            The info, a pub, comes from googlesyndication.com and the transmission is done over https.
            So, the certificate that comes from "googlesyndication.com" - wherever that points to, should say it's "googlesyndication.com".
            Or, the IP isn't from "googlesyndication.com" - because that URL is blacklisted by a feed you are using with pfBlockerNG.
            My Resolver was loaded with this info

            local-zone: "googlesyndication.com" redirect
            local-data: "googlesyndication.com 60 IN A 10.10.10.1"

            ( this is what pfBlockerNG is all about )

            So it points to 10.10.10.1 or wherever your "DNSBL Webserver Configuration" is pointing to.

            And, while "DNSBL Webserver Configuration" is using https and thus sending a certificate, it will not send a certificate that says it is "googlesyndication.com".

            Amongst others, my browser detects that it is a self signed certificate, so it rejects the content. Bye bye the nice "DNSBL Webserver Configuration" placeholder web page.

            pfBlockerNG could have been using a really trusted certificate - I have those on my pfSense, but still, my browser would know it isn't "googlesyndication.com" that is answering.

            I could have generated a "googlesyndication.com" certificate on the fly, as soon as I can prove that I'm the owner of "googlesyndication.com", but I'll be having a hard time doing so.

            And even when I pull that one off, my browser is caching certificates, and knows that the new "googlesyndication.com" I just created isn't what it has seen before. This is what HSTS is all about.

            @Daskew78 said in Another SSL Error Post:

            I understand that

            You understand now? You do not / did not understand what happens.
            Good news : I guess I threw you on the right track. Now apply : "There's a difference between knowing the path and walking the path.".


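The scenario Gertjan walks through (DNS rewrite to the DNSBL address, then a certificate that is not for the requested name, so the browser refuses the block page) traced in code. This is an added example, not code from the thread or from pfBlockerNG; the blocklist and the `pfsense.localdomain` certificate name are constructed, and the hostname check is a simplified version of the RFC 6125 matching rule browsers apply.

```python
# Constructed blocklist; pfBlockerNG loads these from feeds.
BLOCKLIST = ["googlesyndication.com", "ads.example.net"]
DNSBL_VIP = "10.10.10.1"  # the "DNSBL Webserver Configuration" address from the post


def unbound_redirect_entries(domains, vip, ttl=60):
    """Emit the local-zone/local-data pairs pfBlockerNG feeds into Unbound:
    one redirect per blocked domain, in the format quoted in the post."""
    lines = []
    for d in domains:
        lines.append(f'local-zone: "{d}" redirect')
        lines.append(f'local-data: "{d} {ttl} IN A {vip}"')
    return lines


def _label_match(pattern, name):
    # Simplified RFC 6125 rule: labels compare case-insensitively and a
    # single leading wildcard stands for exactly one leftmost label.
    p, n = pattern.lower().split("."), name.lower().split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return len(n) > 2 and p[1:] == n[1:]
    return p == n


def cert_matches_host(san_dns_names, host):
    """The check a browser runs after the TLS handshake: the name it asked
    for must appear in (or wildcard-match) the certificate's SAN list."""
    return any(_label_match(pat, host) for pat in san_dns_names)


def simulate_blocked_fetch(host, cert_sans):
    """Follow one HTTPS fetch through the DNSBL: the resolver rewrite
    succeeds, but the block page is only shown if its cert names the host."""
    resolved = DNSBL_VIP if host in BLOCKLIST else "<real address>"
    if resolved != DNSBL_VIP:
        return "not blocked"
    if cert_matches_host(cert_sans, host):
        return "block page shown"
    # Trusted or self-signed makes no difference here; the name is wrong.
    return "TLS error: certificate is not for " + host


if __name__ == "__main__":
    print("\n".join(unbound_redirect_entries(BLOCKLIST, DNSBL_VIP)))
    print(simulate_blocked_fetch("googlesyndication.com", ["pfsense.localdomain"]))
```

Swapping the self-signed certificate for a publicly trusted one issued to the firewall's own hostname changes nothing in `simulate_blocked_fetch`, which is the point of the post.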
            TheCableGuy96

              @Gertjan Okay so put simply, it's just not possible ☹

              Thanks anyway :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.