Netgate Discussion Forum

    Gmail Throwing Certificate Error

    pksinghlinux

      Hi,

      I am using pfSense 2.1.5 with the squid3-dev + squidguard3 packages. I have placed the certificate inside the box and everything is working fine; I am able to access HTTPS sites and filter them without any issue, except for Gmail, which is throwing me the certificate error "Untrusted Connection":

      www.gmail.com uses an invalid security certificate. The certificate is only valid for the following names: mail.google.com, inbox.google.com (Error code: ssl_error_bad_cert_domain)

      I am able to open mail.google.com and inbox.google.com without any issue. Can anyone help me out with what the issue is?


      pksinghlinux

        IE is working fine with Gmail, but Google Chrome and Firefox are throwing this error. How can I resolve this?


        doktornotor

          @pksinghlinux:

          How can I resolve this?

          You can resolve this extremely easily as soon as you stop proxying/MITM SSL content. You're just breaking things everywhere with this.


          Harvy66

            To elaborate a bit: in order to proxy HTTPS, you must man-in-the-middle the connection and inject your certificate. The clients do not trust your cert, but they trust Google's.

            You can install your public cert on the client machines, then they'll trust it and stop prompting. It is a dangerous thing to do and has been used as an attack vector in the past. Some software uses the cert system as a trusted system, which it should be, and you're plastering your cert on every site, which means the client cannot tell the difference between Google, a bank, or some malicious site, because all sites will come back claiming to be your cert.


            Derelict (LAYER 8, Netgate)

              To elaborate even more: even if you get a root CA installed on the client and generate, on the fly, a certificate for www.google.com which the client will now happily accept, Google Chrome knows all the valid certificates that should be presented by Google (cert pinning) and will STILL throw a certificate error because it knows your cert is bullshit.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)


              kejianshi
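As an added example that is not part of the thread, the following Python applies the hostname-to-SAN matching rule browsers use to the two SAN names quoted in the original post's error, and then a simplified SPKI pin check of the kind Derelict describes. The SAN list is taken from the post; the key bytes and the pin set are constructed stand-ins, not Google's real keys or Chrome's built-in pin list.

```python
import base64
import hashlib


def hostname_matches(hostname, san_dns_names):
    """True if hostname is covered by one of the certificate's subjectAltName
    dNSName entries, using the browser rule: case-insensitive, and a wildcard
    is allowed only as the whole leftmost label and matches exactly one label
    ('*.google.com' covers mail.google.com, not google.com or a.b.google.com)."""
    host = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        pat = san.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*" and len(pat) >= 3:
            if pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def spki_pin(spki_der):
    """SHA-256 of a SubjectPublicKeyInfo, base64-encoded: the pin form Chrome
    and HPKP compare against."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def browser_checks(hostname, cert_sans, cert_spki_der, pinned_spki=None):
    """Return the errors a pinning-aware browser raises for this leaf cert,
    in check order: name mismatch first, then pin mismatch (if host is pinned)."""
    errors = []
    if not hostname_matches(hostname, cert_sans):
        errors.append("ssl_error_bad_cert_domain")
    if pinned_spki is not None and spki_pin(cert_spki_der) not in pinned_spki:
        errors.append("pin_mismatch")
    return errors


# Constructed sample: the intercepting proxy minted a leaf whose SAN list holds
# only the two names from the error message; the key bytes and the "Google" pin
# set are stand-ins, not real keys or Chrome's real built-in pins.
PROXY_CERT_SANS = ["mail.google.com", "inbox.google.com"]
PROXY_SPKI = b"constructed-proxy-public-key-der"
GOOGLE_PINS = {spki_pin(b"constructed-google-public-key-der")}


def diagnose(pinned=GOOGLE_PINS):
    """Run the checks for the three hostnames from the thread."""
    hosts = ["www.gmail.com", "mail.google.com", "inbox.google.com"]
    return {h: browser_checks(h, PROXY_CERT_SANS, PROXY_SPKI, pinned) for h in hosts}
```

Calling `diagnose(None)` models a client with no pins (the "works for mail.google.com, fails for www.gmail.com" behaviour the post reports), while `diagnose()` models a pinning-aware client that rejects the proxy cert for every Google host.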

                Basically the whole concept of "HTTPS sites" is to prevent people from doing exactly what you are trying to do and to "throw a certificate error" whenever anyone tries to do it.


                doktornotor

                  @Derelict:

                  Google Chrome knows all the valid certificates that should be presented by google (cert pinning) and will STILL throw a certificate error because it knows your cert is bullshit.

                  It's not limited to just Chrome. EMET has certificate pinning (called Certificate Trust by MS) as well.


                  heper

                    squid developers should remove the https functionality. It's evil.


                    Harvy66

                      @heper:

                      squid developers should remove the https functionality. It's evil.

                      Some people absolutely need it because of law, like schools.

                      The road to hell is paved with good intentions.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.