Dansguardian package for 2.0
-
still have a lot more testing with SSL man-in-middle but when I try to access https sites, i'm getting the danguardian denied page "Certificate supplied by server was not valid"
still have to check logs and read the docs from danguardian site on this feature.
I am at the same point with ssl mitm. I found in the dansguardianf1.conf file there are two options:
one for mitm (sslmitm = on) and one for cert checking (sslcertcheck = off), however even with cert checking off, I'm still getting that message:
"Certificate supplied by server was not valid"
So either that option is not sticking or I'm missing something. I had a thought of actually feeding the cert checking function with all the trusted root certs from a popular browser. According to dansguardian.conf they should be placed in '/etc/ssl/certs/' though I'm not sure what format or exactly how to batch export them all… Thoughts? -
I am at the same point with ssl mitm. I found in the dansguardianf1.conf file there are two options:
one for mitm (sslmitm = on) and one for cert checking (sslcertcheck = off), however even with cert checking off, I'm still getting that message:
"Certificate supplied by server was not valid"Are you sure you deselected sslmint option(CTRL+CLICK)?
Every time I test dansguardian package, I can enable and disable this option via gui. -
I am at the same point with ssl mitm. I found in the dansguardianf1.conf file there are two options:
one for mitm (sslmitm = on) and one for cert checking (sslcertcheck = off), however even with cert checking off, I'm still getting that message:
"Certificate supplied by server was not valid"Are you sure you deselected sslmint option(CTRL+CLICK)?
Every time I test dansguardian package, I can enable and disable this option via gui.Yes toggling mitm works. Its the cert checking that won't disable. Even through the conf file.
-
Can you check on dansguardianfx.conf if this option is set on on all groups you have?
At my setup it changes from on/off without issues.
-
I should have been more clear, it toggles on and off in the conf file without issue. But once I enable mitm it apparently automatically enables cert checking Even though the conf file still says certcheck=off. I'm assuming this is the reason we are getting that invalid server cert error.
Maybe dansguardian has a built in dependency when you enable mitm you get cert checking. This makes sense because the user/browser can no longer check the authenticity of the original cert since we are only presenting him with a forged cert. The solution would be (as I see it) to fill the /etc/ssl/certs/ with a repository of the valid Root CAs on the internet and let the cert checking do its job.. That should clear the error.
@marcelloc:Can you check on dansguardianfx.conf if this option is set on on all groups you have?
At my setup it changes from on/off without issues.
-
Ok this appears to have worked. I no longer get the "Certificate supplied by server was not valid". However I now get a 404. It appears to be trying to use some sort of redirecting cgi that we don't have in the package yet?
Now when trying to go to https://mail.google.com it redirects to a url: http://PFSENSE_ip/modules/guardian/cgi-bin/mitm.cgi?https://mail.google.com/mail/?tab=wm which triggers a 404.
Bottom line I think I'm one step closer to working mitm…Here's what I did (maybe someone can suggest a cleaner route, I'm pretty new to this..)
-Ran a live ubuntu iso in virtualbox
-Grabbed the folder /etc/ssl/certs (which is a bunch of symlinks to the mozilla folder)
-Grabbed the folder /usr/share/ca-certificates/mozilla
-dumped them in same locations on pfsense
-violla certs now pass dansguardian inspectionNext step find the missing cgi and drop in www path?
-
It steps on mitm cert verify and on ssl filter?
If so, this is really a GOOD news! :D
-
Yes with mitm ON and cert check ON! Try it you'll get a 404 now..
If there's a way to post the tar's of the cert folders, I would but I'm not sure if that's allowed?It steps on mitm cert verify and on ssl filter?
If so, this is really a GOOD news! :D
-
Send a link to me on private Message.
If it is the same certs Every browser has to check sites, I think there is no problem.
EDIT
Are these the certs you did install?
http://www.FreeBSD.org/cgi/ports.cgi?query=Cert&stype=all&sektion=security
Port description for security/ca_root_nss
Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.This port directly tracks the version of NSS in the security/nss port.
Can you try to install this package and see if you get the same result?
amd64
http://e-sac.siteseguro.ws/packages/amd64/8/All/ca_root_nss-3.13.2.tbzi386
http://e-sac.siteseguro.ws/packages/8/All/ca_root_nss-3.13.2.tbzThis package install /usr/local/share/certs/ca-root-nss.crt and a symlink to /etc/ssl/cert.pem
-
Sent. That looks cool, if that could be incorporated into the package along with the missing cgi we may be in business.
Send a link to me on private Message.
If it is the same certs Every browser has to check sites, I think there is no problem.
EDIT
Are these the certs you did install?
http://www.FreeBSD.org/cgi/ports.cgi?query=Cert&stype=all&sektion=security
Port description for security/ca_root_nss
Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.This port directly tracks the version of NSS in the security/nss port.
Can you try to install this package and see if you get the same result?
amd64
http://e-sac.siteseguro.ws/packages/amd64/8/All/ca_root_nss-3.13.2.tbzi386
http://e-sac.siteseguro.ws/packages/8/All/ca_root_nss-3.13.2.tbzThis package install /usr/local/share/certs/ca-root-nss.crt and a symlink to /etc/ssl/cert.pem
-
The certs looks the same on both.
On freebsd/pfsense the package installs a unique file with all certs with info and on your tar It's a file for each ca.
I'm getting the same result here. with or without cert check enabled I can see all ssl sites not in blacklist.
But when I enable ssl mitm log show all ssl as
DENIED Certificate supplied by server was not valid: unable to get local issuer certificate CONNECT 0 0 SSL Site 1 200 - Default
Tried to copy pfsense created ca to /etc/ssl/certs/ with no success.
If you can test this, edit /usr/local/pkg/dansguardian.conf.template file to fix sslcertificatepath from pfsense ca-root package
#SSL certificate checking path
#Path to CA certificates used to validate the certificates of https sites.
sslcertificatepath = '/etc/ssl/certs/'After this file edit, apply conf on dansguardian gui.
att,
Marcello Coutinho -
You also need to have symlinks to each of the pem files. The name of symlink will be the computed hash of the cert. Without the properly named symlinks, dansguardian will not see the pem files.
See this site for a script to create a correct symlink: http://wiki.openwrt.org/doc/howto/wget-ssl-certsOr if you use the tars I sent they already have all the symlinks setup just do tar -xzf for both folders.
The certs looks the same on both.
On freebsd/pfsense the package installs a unique file with all certs with info and on your tar It's a file for each ca.
I'm getting the same result here. with or without cert check enabled I can see all ssl sites not in blacklist.
But when I enable ssl mitm log show all ssl as
DENIED Certificate supplied by server was not valid: unable to get local issuer certificate CONNECT 0 0 SSL Site 1 200 - Default
Tried to copy pfsense created ca to /etc/ssl/certs/ with no success.
If you can test this, edit /usr/local/pkg/dansguardian.conf.template file to fix sslcertificatepath from pfsense ca-root package
#SSL certificate checking path
#Path to CA certificates used to validate the certificates of https sites.
sslcertificatepath = '/etc/ssl/certs/'After this file edit, apply conf on dansguardian gui.
att,
Marcello Coutinho -
No luck. :(
using tar or using ca-root package and linking pfsense ca created I always get the same error.
using only cert check, all https that is not on blacklists goes with no erros
using ssl mitm every https that is not on whitelist fails withThe only thing that changed is that the error now says:
DENIED Failed to negotiate ssl connection to client CONNECT 0 0 SSL Site 1 200I did removed all certs, including ca-root package and folders.
I'll keep trying to identify how to reach each error.
-
Your symlinks are probably not working. You should have in the /etc/ssl/certs folder about 180 symlinks that look like similar to these:
f060240e.0
f081611a.0
f15719eb.0
f3377b1b.0
f387163d.0
f39fc864.0
f4996e82.0If you cat one of them you should see a certificate pem file.
This has nothing to do with the generated pfsense CA certificate. This is for dansguardian to verify the CA's on the genuine certs it's receiving from websites. It uses the symlinks to quickly locate the correct CA cert.
That's what cert checking does it checks the website cert against a repository of vaild public CA certs. What's interesting is that dansguardian apparently always does the cert checking if mitm is ON.I wonder how we can get that cgi, from the source code it appears to be doing some cookie work. The file mitm.cgi does not appear in the dansguardian-2.12.0.0.tar.gz tarball is that what you're working with?
-
I could not reproduce this file call, just errors or ssl sites normal access.
Try to copy error template to this cgi script.
The base folder is /usr/local/www
I'll commit latest package code with some fixes I did.
-
dumb question…but how do i install this package? i am on 2.0.1 amd64 iso
-
It's on system -> packages :)
-
Version 0.1.5 is out with some fixes and LDAP group based access lists.
-
Create group acl based on LDAP group name you want to filter
-
Define userlist frequency update
-
Apply ldap config
-
-
How do I see the logs and reports of whats blocked and what was searched from my network?
-
The dansguardian log file is /var/log/dansguardian/access.log
The sarg package will do it on gui but only when dansguardian report is set to squid format.
