Blocked Page
-
Just started using pfBlockerNG-devel and love it so far; just having one issue: the blocked page only appears for sites visited on port 80, anything on 443 just gives "ERR_SSL_PROTOCOL_ERROR".
If I go to a blocked site that is non-TLS/SSL, the blocked page shows up as wanted. I am blocking porn, so if I google porn and go to the first site that shows up, pornhub, it gives that error, no blocked page. Tried different settings and ports and had no luck. If I try the LAN interface instead of localhost and choose port 8445, I get a cert error that I cannot get past. I am using the unbound python option and have the check for HSTS enabled by default. At first I was using just unbound and ran into the same issue. Not sure how to get this fixed. Please let me know if any other info is needed.
pfSense 2.5.1
pfBlockerNG-devel 3.1.0
-
@ghostshell said in Blocked Page:
pfSense 2.5.1
There is a fix for this: pfSense 2.5.2 corrected many things.
@ghostshell said in Blocked Page:
anything on 443 just gives "ERR_SSL_PROTOCOL_ERROR"
That is what you want to happen.
When you visit the site of your bank, but the domain was listed in a DNSBL you use, and you are redirected to some 'pfBlockerNG-devel' generated page that is not your bank (right ?!!), do you want that site/page to have the certificate stating that it is your bank?
Because, if that were possible, it would be the end of secured connections.
The page that pops up to inform you that the site you wanted to visit is blocked by pfBlockerNG works great for non-https connections: it must use port 80.
And you already knew you don't want this to happen when using https over port 443, as your browser is gonna check the host or domain name that the web server returns. And the web page generated by pfBlockerNG can't have the certificate of the site of your bank, or any other https domain name on the Internet.
This boils down to: it's useless having a page pop up to inform the visitor that the site he wanted to visit is 'blocked'. There are no more public sites that use "port 80" as their main entry point. Everything is https these days.
You can disable the 'web server blocked page' facility of pfBlockerNG. No one will ever repair this functionality. So:
@ghostshell said in Blocked Page:
Not sure how to get this fixed.
the day this gets fixed, the Internet itself will be gone ;)
-
@gertjan From the developer
https://www.reddit.com/r/pfBlockerNG/comments/lnczld/is_dnsbl_webserver_for_ssl_https_connections/
-
@ghostshell said in Blocked Page:
https://www.reddit.com/r/pfBlockerNG/comments/lnczld/is_dnsbl_webserver_for_ssl_https_connections/
I don't understand what has been said there.
pfBlockerNG-devel logging isn't the issue here. The internal unbound (python, or not) or Lighttpd logs are not available to our browsers.
Our browser sees what the web server @10.10.10.10:443 is replying after a page request.
It doesn't understand the answer. What I think is happening:
Our browser caches web server certificates, as HSTS has become widespread.
So, our browsers know what type of cert they should get back from the web server. Because it caches certificates, for days, weeks, or even months (so naughty you, you've visited this site already once without pfBlockerNG ;) - the cert was loaded and cached).
Many encryption types exist, and the self-generated (self-signed) cert from the pfBlockerNG web server does not have the right 'format'. If it had the right format, the host name would have been verified (and the date and many more aspects) and then a more understandable error would have been shown. This issue can not be resolved. Our browsers could show a more comprehensible message, true, but it all boils down to:
You wanted to visit a.tld but b.tld replied.
That's a MITM situation and that's a no-go. Firefox is open source. So the source code will show the exact conditions of the error.
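To make the browser-side logic in this thread concrete, here is an added example (not pfBlockerNG or pfSense code) that models the two checks described above: a cached HSTS entry forces the request onto https, and over https the certificate the sinkhole web server presents must name the host the user asked for, which a self-signed pfSense certificate never does. The cert dicts use the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the sinkhole certificate below, including the `pfsense.localdomain` name, is a constructed stand-in.

```python
"""Why a DNSBL sinkhole can show a block page over http:// but not https://."""
from urllib.parse import urlsplit

# Constructed stand-in for the sinkhole web server's self-signed certificate
# (the real pfBlockerNG cert name is not taken from the thread).
SINKHOLE_CERT = {
    "subject": ((("commonName", "pfsense.localdomain"),),),
    "subjectAltName": (("DNS", "pfsense.localdomain"),),
}


def _name_match(pattern, host):
    """RFC 6125-style comparison: case-insensitive; '*' is only allowed as the
    whole leftmost label, covers exactly one label, and needs at least two
    labels after it (so '*.net' never matches anything)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    rest, labels = pattern[2:], host.split(".")
    return rest.count(".") >= 1 and len(labels) >= 3 and ".".join(labels[1:]) == rest


def cert_names(cert):
    """Names the certificate is valid for: SAN dNSName entries, else the CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def host_matches_cert(host, cert):
    """True only if the requested host is one of the names the cert carries."""
    return any(_name_match(name, host) for name in cert_names(cert))


def dnsbl_outcome(url, hsts_hosts, cert=SINKHOLE_CERT):
    """What the browser ends up showing when `url` resolves to the sinkhole.
    hsts_hosts: exact hostnames the browser has an HSTS policy cached for
    (includeSubDomains is ignored in this model)."""
    parts = urlsplit(url)
    host, scheme = parts.hostname or "", parts.scheme
    if scheme == "http" and host in hsts_hosts:
        scheme = "https"  # cached HSTS policy: upgraded before any connection
    if scheme == "http":
        return "blocked page shown"  # plain HTTP: no certificate to check
    if host_matches_cert(host, cert):
        return "blocked page shown over TLS"  # only if the cert names this host
    return "TLS error: certificate names %s, not %s" % (cert_names(cert), host)
```

Running `dnsbl_outcome("https://blocked.example/", set())` yields the TLS error branch, and the same host over plain http flips to the error as soon as it appears in the HSTS set, which is the "you visited it once before" case from the reply.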