Squid3-dev, SSL-filtering and certificates


  • I'm trying to get Squid3 working with SSL.  After reading a zillion forum pages, blogs etc, I thought I knew what I was doing.

    First I created a Certificate Authority via System - Cert Manager - CAs - +
    Then I used the down arrow button to Export CA Cert
    I copied the .crt file to my test client
    I right-clicked to install the cert on my test client and manually chose to place it in the Trusted Root Certification Authorities folder

    When I use IE (don't ask) to go to a site like Gmail or Facebook, I get a browser warning.  It complains about a mismatched address.  You don't enter an address anywhere in the CA cert, so I don't know why it's complaining.  Do you need both a CA root cert and a Server cert?  I tried that without success.


  • Are you using squid-dev 3?


  • Yes


  • Hi KOM.

    I'm wondering if you had any success in fixing this?  I have the exact same issue and have been working on this for a couple of days now with no success.

    Here's what I've done:

    1.  Fresh install of pfSense 2.1.4 Release (i386) - June 30th build (did not compile from source)
    2.  Installed squid3-dev 3.3.10  pkg 2.2.6
    3.  Set up a transparent proxy (http) with default settings
    4.  Created a CA Certificate called "TestCert1" within pfSense
    5.  Installed this certificate on a number of browsers.  In Debian: Iceweasel and Chrome.  In Windows: Firefox, Chrome (I set the trust level to accept the cert for websites)
    6a.  In the proxy server checked the HTTPS/SSL interception box.
    6b.  interface = LAN
    6c.  SSL Proxy port = 3129
    6d.  Remote cert checks = Do not verify remote certificate
    6e.  Certificate adapt = none (default)

    After restarting squid I go into my browser and try to browse to https://google.com or https://ibm.com (and all other https sites for that matter) and I get the untrusted website screen.  When I view the certificate it's receiving, it's the TestCert1 crt that I created above; however, what gets passed to the browser is google's or ibm's certificate and it's causing a mismatch.  I'm not sure how to prevent google's cert from being evaluated on my browser so that it will only evaluate my TestCert1 that I created above.

    I also viewed the following page (with SSL filtering turned off):
    https://translate.googleusercontent.com/translate_c?depth=1&hl=en&rurl=translate.google.ca&sl=es&tl=en&u=https://forum.pfsense.org/index.php%3FPHPSESSID%3D9rcorlg5bdvm1f3fdjn6abf9k7%26topic%3D73007.msg402349&usg=ALkJrhgbJWjSzHO5AqLxA9l2QafG-Qc3mg#msg402349

    • In my WAN setting under IPV6 configuration type I set it to "track interface" because if I set it to DHCP6 I cannot connect to the internet.
    • I also have not compiled pfSense from its sources so I have not added in the missing libraries - I assume that this issue has been resolved in the later releases of squid3-dev (perhaps a naive assumption, I admit) - I'm using squid3-dev 3.3.10  pkg 2.2.6

    Any thoughts or help on this will be appreciated!

    Thanks
    Chon


  • No, I never did get this working.  I gave up and went back to Squid2.  At least it works.  Even in my test lab, I could break Squid3 very easily and get it to the point where I would have to restore my pfSense image from a snapshot.


  • Thanks KOM.

    I'm going to put a bit more time into this to see what comes of it and I'll let you know if I have any success.


  • Hi KOM.

    I believe I solved this...

    In addition to everything I did above, I simply added the two lines of code to get this to work.  Although you are now working with Squid2 you may want to attempt this in your test lab.

    Navigate to "Proxy server"
    In the Custom Settings section
    In the Custom ACLs (Before_Auth) I simply added the following code:

    always_direct allow all
    ssl_bump server-first all

    I found this solution on the following thread in this forum:  squid 3.3.10 para pfsense com filtro de SSL/HTTPS
    Although it's in Portuguese you can easily translate the page using google translate.

    Hope this helps.
    Chon
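    To make the certificate side of this concrete, here is an added worked example; it is not code from this thread, from pfSense or from Squid.  It rebuilds, with Go's standard library, the two checks a browser makes on whatever certificate the proxy presents (does it name the requested host, and does it chain to a CA in the client's trust store) and runs them against each situation described in the posts above: the CA certificate being offered on its own, the origin site's own certificate being passed through, and a per-host certificate minted and signed by the proxy CA, which is what server-first bumping has Squid do for each intercepted site.  Only the CA name TestCert1 comes from the thread; the hostnames, the "Origin Site CA" and all function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check turns setup failures into panics; certificate plumbing is not the lesson here.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

var serial int64 // bumped per issued certificate; a real CA uses random serials

// issue signs tmpl with parent (self-signed when parent is nil) and returns the parsed
// certificate together with its freshly generated private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newCA builds a self-signed CA in memory, standing in for a CA created under
// System - Cert Manager - CAs (constructed here, not exported from any firewall).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name}, // a CA names itself, never a website
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// mintLeaf does per site what a bumping proxy has to do: issue a server certificate
// that carries the requested hostname in its SAN and is signed by the CA clients trust.
func mintLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host}, // browsers match the address bar against this list
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}

// clientVerdict replays the browser's two checks on a presented certificate: does it
// name the host the user typed, and does it chain to a CA in the client's trust store?
func clientVerdict(trusted, presented *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch err.(type) {
	case nil:
		return "accepted"
	case x509.HostnameError:
		return "name mismatch"
	case x509.UnknownAuthorityError:
		return "untrusted issuer"
	default:
		return "rejected: " + err.Error()
	}
}

// runScenarios sets up a client that trusts only the proxy CA and lets it judge each way
// the proxy could answer a request for one site. Hostnames and the origin CA are constructed.
func runScenarios() map[string]string {
	proxyCA, proxyKey := newCA("TestCert1")
	originCA, originKey := newCA("Origin Site CA") // absent from the client's trust store
	const site = "mail.example.test"
	bumped := mintLeaf(proxyCA, proxyKey, site)
	return map[string]string{
		"ca-as-server-cert":   clientVerdict(proxyCA, proxyCA, site),                                // name mismatch
		"relayed-origin-cert": clientVerdict(proxyCA, mintLeaf(originCA, originKey, site), site),    // untrusted issuer
		"minted-per-host":     clientVerdict(proxyCA, bumped, site),                                 // accepted
		"minted-wrong-host":   clientVerdict(proxyCA, bumped, "www.example.test"),                   // name mismatch
	}
}

func main() {
	for scenario, verdict := range runScenarios() {
		fmt.Printf("%-20s -> %s\n", scenario, verdict)
	}
}
```

    Run it with go run.  The first two verdicts are the two failure modes the posts above describe: a CA certificate on its own carries no hostname, so the client reports a name mismatch, which lines up with the "mismatched address" warning in the first post; and a certificate issued by any CA other than the one installed on the client (here the constructed origin CA) is rejected as untrusted even though its hostname matches.  Only a certificate that both names the site and chains to TestCert1 is accepted, and the last case shows that it passes only for the host it was minted for, which is why a bumping proxy mints one certificate per site rather than reusing a single one.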


  • I will take a second look when I get a chance.  Thanks a lot for your reply to this thread.  I suspect that I'll still stick with Squid2 for now.  Squid3 is just too fragile for production use.


  • Brilliant!  Works like a charm.  I'll tuck that away in the bag of tricks.


  • @KOM:

    Better is you can move to Endian Firewall 3.0, it works great with https proxy.
    Thanks


  • I'm not sure of the value of your comment.  After spending a lot of time learning and configuring pfSense, I'm not very likely to throw it all out and start again with some other product just so that I have an easier time with an SSL Filtering issue that I already have the solution for.

    Plus, it's considered not very good form to come on a product's forum and suggest people try a different product.


  • Hey KOM, I used QLProxy and these instructions and it works great:

    http://sichent.wordpress.com/2014/02/22/filtering-https-traffic-with-squid-on-pfsense-2-1/

    You have to do a bit of console work but it is worth it.  199 euros per year for a big organization is a really good deal, especially since all the site categories are being updated daily.  12 euros per year for personal use is a really good deal.

    Just need to setenv PACKAGESITE http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.3-release/Latest/  to get python/apache loaded.

    Jim