Ssl filtering transparent and non-transparent

marcelloc

Anyone interested in it?

I'm trying to fix dansguardian code to support it.

Nachtfalke

I would be interested in such a feature but I need to use it with squid + squidguard ;-)

marcelloc

@Nachtfalke:

I would be interested in such a feature but I need to use it with squid + squidguard ;-)

I'll start tests with squid too.  ;)

marcelloc

On squid, it works!  ;D

with interception disabled

1359780382.176      0 172.16.3.65 NONE/000 0 CONNECT ssl.gstatic.com:443 - HIER_NONE/- -
1359780382.474      0 172.16.3.65 NONE/000 0 CONNECT www.gstatic.com:443 - HIER_NONE/- -

with interception enabled squid logs https url request.

1359779615.201     19 172.16.3.65 TCP_MISS/304 316 GET https://www.google.com.br/images/nav_logo117.png - HIER_DIRECT/74.125.234.191 -
1359779615.263     71 172.16.3.65 TCP_MISS/304 224 GET https://www.google.com.br/xjs/_/js/s/c,sb,cr,cdos,vm,tbui,mb,wobnm,klc,kat,esp,bihu,kp,lu,m,amcl,erh,hv,lc,ob,rsn,sf,sfa,shb,tbpr,hsm,j,p,pcc,csi/rt=j/ver=rXkZsHYxGmc.en_US./am=BA/d=1/sv=1/rs=AItRSTPxL_E1JO7l3HoY7bnG_Sb4_ggcyw - HIER_DIRECT/74.125.234.191 -
1359779615.434      0 172.16.3.65 NONE/000 0 CONNECT www.google.com.br:443 - HIER_NONE/- -
1359779615.511      0 172.16.3.65 NONE/000 0 CONNECT www.gstatic.com:443 - HIER_NONE/- -
1359779615.523     17 172.16.3.65 TCP_MISS/304 224 GET https://www.google.com.br/xjs/_/js/s/sy8,gf,tng,sy43,sy56,sy44,sy59,sy37,sy45,sy94,sy6,sy36,sy38,sy64,sy82,sy93,sy106,sy107,sy119,sy7,sy13,mbtt,wta/rt=j/ver=rXkZsHYxGmc.en_US./am=BA/d=0/sv=1/rs=AItRSTPxL_E1JO7l3HoY7bnG_Sb4_ggcyw - HIER_DIRECT/74.125.234.191 -
1359779615.557      0 172.16.3.65 NONE/000 0 CONNECT www.google.com.br:443 - HIER_NONE/- -
1359779615.713    154 172.16.3.65 TCP_MISS/204 303 GET https://www.google.com.br/csi? - HIER_DIRECT/74.125.234.191 image/gif

Nachtfalke

which version of squid?
Or does this work on both squid2 and squid3 ?

marcelloc

@Nachtfalke:

which version of squid?
Or does this work on both squid2 and squid3 ?

starts working on squid 3.1

wheelz

Are you talking about full content (not just connect host) using dansguardian for ssl including the dynamic certificate generation to avoid the security warnings?  I understand that the clients would have to trust my root via other means.  Also I'd need to keep all the current functionality that your squid3 package has.  If so I could put up $100 for this.

marcelloc

Yes, full content filtering. On squid3, full URL filtering with squidguard.  dansguardian will need more work as the source does not has a full working config.

wheelz

So yes, then I'd put up $100.  How much are you looking for to get dansguardian set up with it?

wheelz

Would this be easily adapted to IMspector as well?

marcelloc

@wheelz:

Would this be easily adapted to IMspector as well?

Imspector has already his working mitm function for jabber/ssl.

marcelloc

@wheelz:

So yes, then I'd put up $100.  How much are you looking for to get dansguardian set up with it?

First I need to get it working. The bounty could help me to speed up the process.

wheelz

@marcelloc:

@wheelz:

So yes, then I'd put up $100.  How much are you looking for to get dansguardian set up with it?

First I need to get it working. The bounty could help me to speed up the process.

Oh, I haven't done a bounty before.  I wasn't sure if you needed more people to put some money up first or not.  Is the $100 enough to be worth it for you to do it?  If so I can send it to you tomorrow.  If not then would I send to the escrow to see if we get some other people to get it high enough?  I know you already put a lot of work into your packages for free which is great.  I wish I had more to offer but I'm trying to get this set up for home so no company backed funds. :(

marcelloc

@wheelz:

I wasn't sure if you needed more people to put some money up first or not.  Is the $100 enough to be worth it for you to do it?  If so I can send it to you tomorrow.

It will be great if more sysadmin that needs this feature donate a value.
I'm not asking for a specific value, but how nice a ssl filtering feature will be on pfsense gui?
BTW If you have in mind that this donation is to help on development instead of be sure it will be fixed, you can send it to me.

Thanks for your help on it.

wheelz

I asked about an escrow but I guess you have to have the full required amount before they will do an escrow.  However right now we don't have a goal for it.

xbipin

i need this for squid and squidguard, dont require it much but will support development - $25

bytheway the current squid in packages is 2.7.9 pkg v.4.3.3 so would this be also upgraded to 3?

xbipin

on behalf of a client add another $25

Oliver_

ssl filtering in a non-transparent network would be nice!
but with HAVP or eq. Virus Scanning it would be a awesome!  ;D

greetings Oli

wheelz

marcelloc, could you give us a goal amount for this that would prioritize this feature set for you?

marcelloc

@wheelz:

marcelloc, could you give us a goal amount for this that would prioritize this feature set for you?

The package is almost done, I'll ask for package compilation and publish.

xbipin

bytheway, we would need to remove squid 2 and upgrade to squid 3 right?
would we still be able to use squid guard?

Nachtfalke

@xbipin:

bytheway, we would need to remove squid 2 and upgrade to squid 3 right?
would we still be able to use squid guard?

Yes!

on pfsense 2.0.3 you need to install first squidguard and then squid3
on pfsense 2.1 the package structure is new and you can first install squid3 and then squidguard

xbipin

is squid3 and squidguard currently stable compared to squid2 on 2.1 as i only use squid2 with squiguard on it currently

marcelloc

First squid3.3 devel release for pfsense is out.

What I'm sure is not working is antivirus integration via i-cap.
All other features should be working.

on packages I'll describe main changes.

att,
Marcello Coutinho

tester_02

marcelloc

I am just a home user but I love pfsense and the development community.  I have not done any pfsense donations for a while.  Can I send you a small token for your efforts?

Please PM me with details (paypal?).

marcelloc

@tester_02:

Please PM me with details (paypal?).

Thanks for you interest in donating! ;D

I've sent you a pm

marcelloc

Since version 2.1.2 of squid3-dev ssl filtering is working fine on 2.1 without patches and on 2.0.x using squid 3.3.4_1 from my repo.  :)

1368761856.278    210 192.168.0.3 TCP_MISS/200 978 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761856.699    442 192.168.0.3 TCP_MISS/200 19903 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/jso                                                                                 n
1368761856.714    521 192.168.0.3 TCP_MISS/200 905 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761857.121    203 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
1368761857.136    219 192.168.0.3 TCP_MISS/200 680 GET https://www.google.com.br/xjs/_/js/k=-im9hrMhEvY.en_US./m=wta/am=wA/r                                                                                 t=j/d=0/sv=1/rs=AItRSTMxcUTKX7_k7F3jagv1ABf8swPrOg - PINNED/189.86.41.119 text/javascript
1368761858.327    632 192.168.0.3 TCP_MISS/200 915 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761859.649   1548 192.168.0.3 TCP_MISS/200 14473 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/jso                                                                                 n
1368761859.661    228 192.168.0.3 TCP_MISS/200 850 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761860.026    220 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
1368761860.970    397 192.168.0.3 TCP_MISS/200 851 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761861.121    388 192.168.0.3 TCP_MISS/200 856 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761861.223    311 192.168.0.3 TCP_MISS/200 855 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761861.410    397 192.168.0.3 TCP_MISS/200 860 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/json
1368761862.720   1537 192.168.0.3 TCP_MISS/200 18542 GET https://www.google.com.br/s? - PINNED/189.86.41.119 application/jso                                                                                 n
1368761863.104    222 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
1368761865.464    232 192.168.0.3 TCP_MISS/204 328 GET https://www.google.com.br/gen_204? - PINNED/189.86.41.119 text/html
1368761866.209    507 192.168.0.3 TCP_MISS/200 982 POST http://ui.ff.avast.com/urlinfo - HIER_DIRECT/77.234.43.81 applicatio                                                                                 n/octet-stream
1368761866.684    479 192.168.0.3 TCP_MISS/200 982 POST http://ui.ff.avast.com/urlinfo - HIER_DIRECT/77.234.43.81 applicatio   

xbipin

so we first uninstall squid 2.7.9 and squidguard 1.4.4 and then install squid3-dev and squidguard again?

xbipin

i tried on a remote nanobsd test box and after configuring squid3-devl, it doesnt start the service and ig et this error in system log

May 23 13:25:11 	php: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '/libexec/ld-elf.so.1: Shared object "libgssapi.so.10" not found, required by "squid"'

marcelloc

Sasl needs some extra limbs from FreeBSD that is not included on pfsense.

You can fetch it from any 8.1 FreeBSD or from my personal repo

http://e-sac.siteseguro.ws/pfsense/8/All/ldd

marcelloc

Additional info can be found here

http://forum.pfsense.org/index.php/topic,62256.0.html

xbipin

can u add it to the package itself so my client can simply install it and get going rather than doing it manually?

marcelloc

@xbipin:

can u add it to the package itself so my client can simply install it and get going rather than doing it manually?

Unfortunately no  :(

I can only point package files to binaries on official repo.

I'll ping jimp again to put it on files.pfsense.org.

I can send you a patch/script that download all required missing libs.
Then you paste it on command prompt.

xbipin

try if jimp can do that if not then ill do it manually so send me that script

marcelloc

@xbipin:

try if jimp can do that if not then ill do it manually so send me that script

i386

fetch -o /usr/local/lib/libasn1.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10
fetch -o /usr/local/lib/libgssapi.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10
fetch -o /usr/local/lib/libheimntlm.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10
fetch -o /usr/local/lib/libhx509.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10
fetch -o /usr/local/lib/libkrb5.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10
fetch -o /usr/local/lib/libroken.so.10 http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10

amd64

fetch -o /usr/local/lib/libasn1.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10
fetch -o /usr/local/lib/libgssapi.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10
fetch -o /usr/local/lib/libheimntlm.so.10 http://e-sac.siteseguro.ws/pfsense/amd64/8/All/ldd/libheimntlm.so.10
fetch -o /usr/local/lib/libhx509.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10
fetch -o /usr/local/lib/libkrb5.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10
fetch -o /usr/local/lib/libroken.so.10 http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10

xbipin

for SSL filtering does it need to be a genuine certificate or a self signed certificate will do?

marcelloc

@xbipin:

for SSL filtering does it need to be a genuine certificate or a self signed certificate will do?

You need a CA for that.

To do not alert each ssl site filtered, you need to install CA crt on each client.

xbipin

i didnt understand that but what i need it to do is i want to block access to all sites, http and https and only allow the listed ones using squid and squidguard. the ones allowed are a few http and few https and i dont want to go about installing anything extra on client machines, is this possible?

marcelloc

@xbipin:

The ones allowed are a few http and few https and i dont want to go about installing anything extra on client machines, is this possible?

On current stable package(squid2 + squidguard), if you block domains and not urls and has clients browsers with proxy settings, then you can show squidguard error.

ssl_filtering from current squid-dev includes squidguard error message on

• transparente ssl connections using domains or urls acls

• non-transparent mode using url acls

With CA CRT installed on clients, you do not have Browsers cert alerts.

xbipin

basically im just blocking all domains by default and allowing the ones listed in transparent mode, i dont want it to do any content filtering, its just u block all and allow the listed and for the allowed ones u dont filter or restrict, full access.

currently on squid2 i allow domains and urls and its in transparent mode with no client side config and i squidguard gives errors as required but the problem is it does to port 80 only which is http, all i need is same but for port 443 (https) as well coz other than that all other ports r blocked for client using firewall rules