• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Squid + https

Scheduled Pinned Locked Moved Cache/Proxy
52 Posts 5 Posters 6.6k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • T
    techtester-m @DaddyGo
    last edited by techtester-m Jul 15, 2020, 5:41 PM Jul 15, 2020, 5:00 PM

    @DaddyGo said in Squid + https:

    professional stuff usually doesn't even have a GUI, just a CLI

    I know, but it's not only the GUI part here. It's an entire dedicated solution for one single task - "DNSing", but I'll search for some good lists for pfBlockerNG and see.

    @DaddyGo said in Squid + https:

    mainly because it does with a professional DNS resolver

    I forward the requests anyway, because the 13 DNS root servers don't support DoT (yet).
    With Pi-Hole it would be DoH because they don't support DoT yet for some reason.

    D 1 Reply Last reply Jul 15, 2020, 8:00 PM Reply Quote 0
    • T
      techtester-m @DaddyGo
      last edited by Jul 15, 2020, 6:08 PM

      @DaddyGo @Gertjan Do any of you know how does a certificate validation works exactly, in technical details?
      I just posted it on security.stackexchange but decided to try and ask you guys as well :)

      I've read this post - https://security.stackexchange.com/questions/135401/certificate-validation,
      where it says this : "...an attacker can still take the whole signed content and present it to you but won't be able to change any details or the signature won't match."

      My questions are these:
      (1) How does the browser validates the details of a certificate and see its content like: domain name etc.? Knowing that the cert is encrypted.
      (2) If a MITM wanna change anything he would need to decrypt the cert, which is impossible, or simply change what he wants but then fail at the browser because, as mentioned above, the signature won't match?

      Thank you,

      G 1 Reply Last reply Jul 16, 2020, 7:45 AM Reply Quote 0
      • D
        DaddyGo @techtester-m
        last edited by Jul 15, 2020, 8:00 PM

        @techtester-m said in Squid + https:

        but I'll search for some good lists for pfBlockerNG and see.

        in the "devel" version have a lot of built-in lists, but I also have a lot of collected lists

        don't be fooled by the word = DEVEL - this current / actual version

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

        1 Reply Last reply Reply Quote 0
        • G
          Gertjan @techtester-m
          last edited by Gertjan Jul 16, 2020, 7:46 AM Jul 16, 2020, 7:45 AM

          @techtester-m said in Squid + https:

          Do any of you know how does a certificate validation works exactly, in technical details?

          Yep.
          Have a look at least 10 videos from this list https://www.youtube.com/results?search_query=https+certificate+how+it+works

          Added to that :
          In a perfect world, DNS is non spoofable (because you use the Resolver and DNSSEC ;) ), your app will know for sure what the real IP of a site is.

          The important things :
          In a certificate, you find the dates of validity,
          The CA, used to certify that the certicate is valid. An OS, web browser, app, whatever, sues a build in list with known trusted CA's - and take note : you can add your own CA .... you can become a CA for your own network.
          In a certificate is embedded the domain name or even a root domain name :

          9d6d2277-03ee-465d-a92a-73f3cf1e3a30-image.png

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          T 1 Reply Last reply Jul 16, 2020, 8:53 AM Reply Quote 0
          • T
            techtester-m @Gertjan
            last edited by techtester-m Jul 16, 2020, 8:59 AM Jul 16, 2020, 8:53 AM

            @Gertjan @DaddyGo I already knew about the certificate itself and I myself have signed or got signed by a trusted one etc. All I wanted to know is the security mechanism(s) that prevent MITM. Yesterday I did more reading on the subject and on digital signatures as well and understood everything I wanted to understand and know. It took a few hours over 1-2 days but Hopefully it'll be stored in my head forever haha

            As I understand it - Unless a MITM got the end user to trust his CA, the attack will fail.

            It would fail because:

            (A) MITM would try and send his own PK and the browser will give warning.
            (B) MITM must send his own PubK in order to encrypt/decrypt the content with his Private Key which is the key to everything here basically.
            (C) If MITM changes anything in the message that comes with the certificate, like the domain name etc. the signature verifying algorithm would fail and the browser will give warning.
            (D) No CA would sign fraudulent certificate unless they wanna go bankrupt and get sued.
            (E) Even if a MITM sends the end user the exact same certificate he himself got from let's say Google then the browser might think for the first time that it's talking to Google but the next communication would fail because it would be encrypted with Google's PubK and could be decrypted only with Google's Private-Key so the MITM won't be able to read anything, there will be a connection time out and the attack would fail.
            (F) I'm sure there are few more reasons...

            Thank you guys for all your help, input and knowledge. A pleasure as always :)

            1 Reply Last reply Reply Quote 0
            • V
              viberua
              last edited by Jul 17, 2020, 11:59 AM

              Hello,
              Can you help me find solution?
              I've added CA of our domain controller in System > Cert Manager
              0788fdb6-9565-406e-b388-34723f6783fa-image.png
              But in squid SSL MITM i can't select this CA and enable SSL filtering. Only "None" can select.
              9fb16e58-36e0-470e-ab6f-1b7593649fff-image.png
              How i can set up domain CA for enabling SSL filtering ?
              Or pfsense can only accept self made cert from internal CA?
              Thanks in advance.

              T 1 Reply Last reply Jul 17, 2020, 12:06 PM Reply Quote 0
              • T
                techtester-m @viberua
                last edited by techtester-m Jul 17, 2020, 12:07 PM Jul 17, 2020, 12:06 PM

                @viberua I'm no expert at all on the matter but it tells you to create your own on pfSense, because it needs to be able to create certs on demand and locally...I think, but again..no expert.
                Screen Shot 2020-07-17 at 15.04.06.png

                1 Reply Last reply Reply Quote 0
                • G
                  Gertjan
                  last edited by Jul 17, 2020, 12:58 PM

                  Never used squid before, but I guess a CA should be created first.
                  Here :

                  74a3d27e-e644-474a-83cd-fb9855bbc874-image.png

                  Then, based on the CA, you create your certs :

                  9c04ee32-e19e-48b3-b689-f694aded4dc5-image.png

                  These certs can be used in OpenVPN, FreeRadius, the pfSense GUI, etc.
                  CA's can't be use directly, except for signing (your own) certs.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  D 1 Reply Last reply Jul 17, 2020, 1:08 PM Reply Quote 0
                  • D
                    DaddyGo @Gertjan
                    last edited by Jul 17, 2020, 1:08 PM

                    @Gertjan said in Squid + https:

                    Never used squid before, but I guess a CA should be created first.
                    Here :

                    exactly,
                    use the pfSense certificate builder and then it will appear in Squid settings

                    then you can also export it for installation on external devices

                    like:
                    b0e976f7-948a-4515-bedb-311e848e43c7-image.png

                    Cats bury it so they can't see it!
                    (You know what I mean if you have a cat)

                    V 1 Reply Last reply Jul 17, 2020, 1:14 PM Reply Quote 0
                    • V
                      viberua @DaddyGo
                      last edited by Jul 17, 2020, 1:14 PM

                      @DaddyGo so if i don't want create new CA because i already have one, then i can't use this external CA cert in MITM?

                      D T 2 Replies Last reply Jul 17, 2020, 1:26 PM Reply Quote 0
                      • D
                        DaddyGo @viberua
                        last edited by Jul 17, 2020, 1:26 PM

                        @viberua

                        Squid works with an internal intermediate certificate
                        you can't use example Lets' E or other

                        because of what is described above in this thread......

                        like:
                        e6d85e91-20c0-4c72-994d-63130e5c6ab0-image.png

                        d885c2db-48b4-4c2b-9e0c-6b930da4372b-image.png

                        50fd8d7b-58eb-4c5c-ac9f-46ffaaa060e6-image.png

                        Cats bury it so they can't see it!
                        (You know what I mean if you have a cat)

                        V 1 Reply Last reply Jul 17, 2020, 1:41 PM Reply Quote 0
                        • T
                          techtester-m @viberua
                          last edited by Jul 17, 2020, 1:35 PM

                          @viberua You need to "become" a CA (a local one of course) and have your own Public Key & Private Key in order for Squid to encrypt-decrypt.

                          1 Reply Last reply Reply Quote 0
                          • V
                            viberua @DaddyGo
                            last edited by Jul 17, 2020, 1:41 PM

                            @DaddyGo when i try to create an intermediate CA, the list of signing CA is empty
                            171ae991-dfe2-4980-8db2-c2a85ef36382-image.png but as i said i have our domain CA server and added his CA cert to CA settings
                            ff98755a-9058-42da-bc51-7c14b4c4d448-image.png

                            T D 2 Replies Last reply Jul 17, 2020, 1:47 PM Reply Quote 0
                            • T
                              techtester-m @viberua
                              last edited by techtester-m Jul 17, 2020, 1:49 PM Jul 17, 2020, 1:47 PM

                              @viberua said in Squid + https:

                              but as i said i have our domain CA server and added his CA

                              Won't work.

                              Do this from scratch:
                              Screen Shot 2020-07-17 at 16.44.04.png

                              And this is what you should see:
                              Screen Shot 2020-07-17 at 16.43.38.png

                              D 1 Reply Last reply Jul 17, 2020, 1:59 PM Reply Quote 0
                              • D
                                DaddyGo @viberua
                                last edited by Jul 17, 2020, 1:53 PM

                                @viberua

                                you are doing something wrong... 😉
                                because it works very well in pfSense

                                just watch squidSSL2 I just created for the sake of the test...

                                30181433-5b3d-43d3-9b81-6da6f43a1408-image.png

                                d8d8b847-ff3e-4824-878f-53a96e8f0017-image.png

                                Cats bury it so they can't see it!
                                (You know what I mean if you have a cat)

                                1 Reply Last reply Reply Quote 0
                                • D
                                  DaddyGo @techtester-m
                                  last edited by Jul 17, 2020, 1:59 PM

                                  @techtester-m

                                  😒
                                  I like you bro, but it is not appropriate to speak into an ongoing conversation...

                                  forum etiquette

                                  Cats bury it so they can't see it!
                                  (You know what I mean if you have a cat)

                                  T 1 Reply Last reply Jul 17, 2020, 2:02 PM Reply Quote 0
                                  • T
                                    techtester-m @DaddyGo
                                    last edited by techtester-m Jul 17, 2020, 2:03 PM Jul 17, 2020, 2:02 PM

                                    @DaddyGo
                                    Ok...I just saw notifications of his questions jump in my email so it caught my attention and just wanted to help.
                                    But I accept your point. Have a great one :), I'm out. No expert anyway lol

                                    D 1 Reply Last reply Jul 17, 2020, 2:04 PM Reply Quote 0
                                    • D
                                      DaddyGo @techtester-m
                                      last edited by Jul 17, 2020, 2:04 PM

                                      @techtester-m

                                      nothing happened...
                                      we taught you about these a few days ago
                                      I'm glad, you learned 🖐

                                      Cats bury it so they can't see it!
                                      (You know what I mean if you have a cat)

                                      1 Reply Last reply Reply Quote 1
                                      • G
                                        Gertjan
                                        last edited by Gertjan Jul 17, 2020, 2:23 PM Jul 17, 2020, 2:10 PM

                                        @viberua

                                        Your image :

                                        50323089-19ad-45f3-ad02-7df622380ee3-image.png

                                        This is mine :

                                        f55f3978-8c03-401a-b616-9fa142b31276-image.png

                                        More in detail :
                                        You :

                                        b8584d75-a4ee-465a-a725-0404f69e458a-image.png

                                        Me :

                                        a6d744be-bde0-4f14-bd53-02ec2c917072-image.png

                                        What is your pfSense version or what ?

                                        No "help me" PM's please. Use the forum, the community will thank you.
                                        Edit : and where are the logs ??

                                        D 1 Reply Last reply Jul 17, 2020, 2:17 PM Reply Quote 0
                                        • D
                                          DaddyGo @Gertjan
                                          last edited by Jul 17, 2020, 2:17 PM

                                          @Gertjan said in Squid + https:

                                          What is your pfSense version or what ?

                                          legitimate question anyway ✋

                                          Cats bury it so they can't see it!
                                          (You know what I mean if you have a cat)

                                          1 Reply Last reply Reply Quote 0
                                          40 out of 52
                                          • First post
                                            40/52
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received