Netgate Discussion Forum
    pfblockerng ssl interception

    Category: pfBlockerNG
      TomTheOne (last edited by TomTheOne)

      Hi all

      Any chance to make SSL interception work with pfBlockerNG and DNSBL, after being redirected to the DNSBL webserver/VIP?

      I played around with a certificate configured in /var/unbound/pfb_dnsbl_lighty.conf that has one wildcard only as CN and SAN - but browsers do not accept such certificates as trusted with the error "NET::ERR_CERT_COMMON_NAME_INVALID".

      My goal would be to prevent the SSL warning that appears in the users' browsers if an encrypted website that is on a DNS blacklist is opened.

      I'm using pfBlockerNG-devel 3.0.0_16 only.

      Best regards
      Tom

        noplan @TomTheOne

        @tomtheone

        You mean the ssl warning site when they reach the pfb website that's saying this site is blocked by pfb?

        Thx

          TomTheOne @noplan (last edited by TomTheOne)

          @noplan

          I mean:

          1. I open blockedsite.com
          2. the hostname is resolved to the webserver/VIP address
          3. a certificate error appears in the browser, because the certificate Common Name does not match blockedsite.com
          4. I ignore the warning in the browser
          5. the pfBlockerNG warning appears

          I would like to get rid of the SSL certificate warning before the pfBlockerNG website with the ‘website blocked’ message appears.

          For this I would need SSL interception functionality on pfBlockerNG, as I understand it.

          Is there a chance to realize that? Maybe in conjunction with another service that can handle that? I saw the Squid proxy has this possibility.

          Maybe we mean the same?

            noplan @TomTheOne

            @tomtheone

            Yeah we r on the same page...
            I have to look it up how we solved it here cuz we r running acme and haproxy too

            I'll keep u posted
            Np

              keyser (Rebel Alliance) @TomTheOne

              @tomtheone said in pfblockerng ssl interception:

              > @noplan
              >
              > I mean:
              >
              > 1. I open blockedsite.com
              > 2. the hostname is resolved to the webserver/VIP address
              > 3. a certificate error appears in the browser, because the certificate Common Name does not match blockedsite.com
              > 4. I ignore the warning in the browser
              > 5. the pfBlockerNG warning appears
              >
              > I would like to get rid of the SSL certificate warning before the pfBlockerNG website with the ‘website blocked’ message appears.
              >
              > For this I would need SSL interception functionality on pfBlockerNG, as I understand it.
              >
              > Is there a chance to realize that? Maybe in conjunction with another service that can handle that? I saw the Squid proxy has this possibility.
              >
              > Maybe we mean the same?

              At this time there are no “Man in the Middle” certificate issuing authority features in the pfBlockerNG Webservice.
              I don’t know if it’s possible to have a MITM proxy service intercept requests that are bound for the DNSBL Webservice.

              Regardless - you need to remember this would also only work, if you are able to install the private Certificate Authority’s certificate on all client devices.

              Love the no fuss of using the official appliances :-)

                TomTheOne @keyser

                @keyser

                Thank you for your answer 🙏🏻

                > At this time there are no “Man in the Middle” certificate issuing authority features in the pfBlockerNG Webservice.

                I suspected that.

                > I don’t know if it’s possible to have a MITM proxy service intercept requests that are bound for the DNSBL Webservice.

                You wrote before ‘there is no cert issuing feature’; here you wrote ‘I don’t know if it’s possible to intercept requests’. Maybe, like me, you don’t know how to configure it properly?

                > Regardless - you need to remember this would also only work if you are able to install the private Certificate Authority’s certificate on all client devices.

                What do you mean with ‘this’? If I guess correctly, then you mean the SSL interception thing: it depends on the implementation of the SSL interception. Yes, I expect to use my own internal CA, in case the implementation requires it.

                But not even in such a scenario, with an internal CA, can I currently use the DNSBL webservice. Fact: without SSL interception techniques, the whole DNSBL webservice thing becomes broken and totally unusable.

                I could not imagine that such a functionality would be released in such a state. Why should it, if it’s not usable as it was designed?

                I am searching for the issue on my side: I expect I am not configuring the service correctly, so I asked the question in the initial post.

                Is there a clear answer to this?

                  keyser (Rebel Alliance) @TomTheOne

                  @tomtheone said in pfblockerng ssl interception:

                  > You wrote before ‘there is no cert issuing feature’; here you wrote ‘I don’t know if it’s possible to intercept requests’. Maybe, like me, you don’t know how to configure it properly?

                  Ehh, yes I do know: there are no SSL interception features in the pfBlockerNG webservice or pfSense itself, so the answer is no.
                  What I said here is: it may be possible to use an SSL interception 3rd party package like Squid in some “creative” config, where it runs in a combination of reverse and resign mode. The next issue would be to hit it when Unbound sends the client to the DNSBL VIP webserver; perhaps a “creative” destination NAT rule could help here, as NAT is processed before Access rules.
                  But it would be a very non-intuitive configuration, to say the least.

                  > Regardless - you need to remember this would also only work if you are able to install the private Certificate Authority’s certificate on all client devices.
                  >
                  > What do you mean with ‘this’? If I guess correctly, then you mean the SSL interception thing: it depends on the implementation of the SSL interception. Yes, I expect to use my own internal CA, in case the implementation requires it.

                  To hit the DNSBL VIP Webserver and its error page without a certificate error notification on the client, you cannot avoid using a local certificate service that signs and issues certificates for the names the client is requesting, and the client HAS to trust that CA. Hence you cannot avoid installing the CA certificate on clients if they should have no certificate errors.

                  > But not even in such a scenario, with an internal CA, can I currently use the DNSBL webservice. Fact: without SSL interception techniques, the whole DNSBL webservice thing becomes broken and totally unusable.

                  Yes, the DNSBL VIP Webserver is by design “broken” on HTTPS blocks as things stand now. That’s why most people are happy to use the new python mode, so you can run “Null blocking (logging)” mode to skip hitting the VIP server but still get proper logging. Before python mode, logging of HTTPS requests only worked if the client used SNI in the SSL session setup request.

                  Love the no fuss of using the official appliances :-)

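To make keyser's point concrete (and to show why the wildcard-only certificate from the first post fails with NET::ERR_CERT_COMMON_NAME_INVALID), here is an added example that is not from the thread, pfBlockerNG or pfSense: a minimal RFC 6125 style hostname check of the kind a browser runs before trusting a certificate for the name the user typed. blockedsite.com is taken from Tom's post; example.com and the two certificates are constructed for the demo.

```python
# Added example (not pfBlockerNG code): browser-style matching of the names in a
# certificate against the requested hostname. A certificate whose only name is
# "*" never matches anything, while a certificate minted by a client-trusted
# local CA for the exact requested name does, which is the "interception" step
# keyser describes.
from dataclasses import dataclass


@dataclass
class CertNames:
    """Names carried by a certificate: the CN and the dNSName SAN entries."""
    common_name: str
    sans: tuple = ()


def pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly with a leftmost wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, no other label may contain one,
    # and browsers insist on at least two labels after it ("*" and "*.com" are refused).
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    # A wildcard covers exactly one label: *.example.com matches www.example.com
    # but neither example.com nor a.b.example.com.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """Current Chrome and Firefox decide on SAN dNSName entries only; the CN is
    consulted here solely as a fallback for certificates without any SAN."""
    names = cert.sans if cert.sans else (cert.common_name,)
    return any(pattern_matches(n, hostname) for n in names)


# Constructed certificates: the wildcard-only one tried in the thread, and the kind a
# local CA would have to issue on the fly for the exact name the client asked for.
WILDCARD_ONLY = CertNames("*", ("*",))
PER_NAME = CertNames("blockedsite.com", ("blockedsite.com", "www.blockedsite.com"))

if __name__ == "__main__":
    for cert in (WILDCARD_ONLY, PER_NAME):
        print(f"CN={cert.common_name!r} accepted for blockedsite.com:",
              hostname_matches(cert, "blockedsite.com"))
```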
                    Gertjan @TomTheOne

                    @tomtheone said in pfblockerng ssl interception:

                    > My goal would be to prevent the SSL warning

                    You can't. I can't. And the day someone manages to do so, we can all power down our pfSense and do other things, as the final judgement day has arrived.

                    See here why you can't: the browser will always show an error.

                    True, browsers could show a "friendlier" message.

                    And true, with a proxy solution, you could make all involved browsers (all your local LAN devices) trust the cert of the DNSBL pfBlockerNG web server. But that means you control every device involved, and in that case you could simply tell every user involved: "If a site doesn't seem to show up, don't worry - you didn't want to look at it anyway".

                    Btw: all this isn't related to pfSense, as pfSense doesn't care about encryption protocols etc., https or TLS. It's about how and why web servers and web browsers allow secured connections.
                    Install Youtube, ask for some "TLS" videos, and a couple of instances later you will become aware of how it all works.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit: and where are the logs??

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.