Man-in-the-middle workaround for squid?



  • Hi!

    With HTTPS/SSL interception enabled in squid, some desktop apps like Google Drive do not work.

    Any easy workaround for this?

    Thanks!



  • Hi,
    read through this:
    https://forum.pfsense.org/index.php?topic=73640.0

    Let me know how you go



  • Hi!

    Thank you for the reply.

    SSL Filtering is working fine. The problem is, it is blocking some desktop apps like Google Drive for desktop, Box, Dropbox, etc.

    If I disable SSL Filtering, those applications work flawlessly, but https://facebook will go through flawlessly too.

    I hope there's an easier fix for this.

    Thank you in advance.



  • Hi, read page 2

    You need to create a certificate http://www.sxl.net/guides/how-to-setup-pfsense-ssl-certificate-authority/

    And install it on each computer.

    Read this also: https://forum.pfsense.org/index.php?topic=79389.0

    However I have been unable to get windows updates and adobe updates working.



  • Hi!

    As I have mentioned, SSL Filtering is working.

    I already set up a CA and installed the certificate on each computer.

    It's just that desktop applications like Google Drive do not acknowledge the certificate as valid.

    Web browsing using Firefox, IE, Chrome, Opera works fine.

    I am hoping I can set exceptions to bypass SSL security, say, for Google Drive.

    I can add Google's ranges of IP addresses as an exception, but that lets youtube.com be freely accessed by students, which we don't want to happen.

    Thank you by the way for your response.

    Hopefully there's a better way to fix this issue.



  • I could be wrong, but unless you can add the cert into the application like you can for the browsers, I don't think SSL Filtering will work. Maybe search the Google groups to see if there is a way.

    I don't have SSL Filtering set up for my system, but I use WPAD; in my squid log, I see every time Dropbox connects. Haven't tried, but I'm assuming if I blacklist Dropbox, the app won't be able to connect.



  • Hi,
    Unselect everything in Remote Cert Checks and Certificate Adapt (Ctrl-click).

    Then you must clear your cache (also try private browsing).

    This is how I got it to work for Google Drive and Gmail.

    Hope this helps



  • Prior to this post, I found that it is possible to exclude a CA, only that they did it in SonicWall.

    Here's the link to it:
    https://support.software.dell.com/sonicwall-e-class-nsa-series/kb/sw11691

    I don't actually have any of the remote cert checks selected. Also, I've already cleared the squid cache as well as the client cache, with the same effect.

    Google Drive and mail in the browser are working fine.

    As Cino has pointed out, the Google Drive application should be accepting the CA as the browsers are doing. Hopefully it does.

    Also, this can be worked around by adding Google IP ranges to an unfiltered/unproxied list, but Google has a variety of services that we want blocked, e.g. youtube.com, so this won't work.

    The other way around is to add the ability to exclude certain SSL certificates from known/popular sites, but how to do this in squid is still a question to me.

    Google can also fix this by accepting the internal CA installed on the computer, but when that will be, I don't know.

    Hopefully a better and easier fix can be made available to this.



  • You are running into application cert pinning, I think. I've seen this on a few iOS/Android apps, but it makes sense here as well, and I've confirmed that is what they are doing in the following link:

    http://googleonlinesecurity.blogspot.com/2013/05/changes-to-our-ssl-certificates.html

    At this time, Google Drive's PC application does not support SNI and performs some degree of certificate pinning for transfers.  (This is going to cause you a lot of issues with SSL MITM setups).

    One fairly easy way to work around this is with a DNS based filter and with pfSense you can easily control what DNS server a client is using.

    Thanks,
    Adam
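    Squid's peek-and-splice rules give the kind of per-site exception the thread asks for, without opening Google's whole IP ranges. The squid.conf fragment below is an added example, not from the thread or the pfSense package; it assumes squid 3.5 or later, and the hostnames in the ACL are placeholders to be replaced with what the sync clients actually connect to, as seen in the proxy's own access.log.

```squid
# Added example (squid 3.5+ peek-and-splice), not from the thread.
# Goal: keep intercepting (bumping) HTTPS in general, but tunnel the
# desktop sync clients untouched, so they see the real server
# certificate and their pinning check passes.

# SslBump step 1: squid has seen only the client's ClientHello (SNI)
# and, for an explicit proxy, the CONNECT host.
acl step1 at_step SslBump1

# Placeholder host list (assumption): fill it from the CONNECT /
# TCP_TUNNEL lines the sync clients leave in access.log.
# A leading dot matches the domain and all of its subdomains.
acl splice_apps ssl::server_name .drive.google.com .googleapis.com .dropbox.com .box.com

# Look at the handshake first, decide afterwards.
ssl_bump peek step1
# Pass the sync clients' TLS through untouched (no forged certificate).
ssl_bump splice splice_apps
# Everything else is intercepted as before, so youtube.com stays filtered.
ssl_bump bump all
```

    On a transparently intercepted connection from a client that sends no SNI, only the destination IP is visible at step 1, so this ACL cannot separate Drive from YouTube there; peeking at step 2 as well (`ssl_bump peek step2`) lets the ACL also match the server certificate's names, at the cost of squid usually no longer being able to bump that connection afterwards.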