PFSENSE Proxy Server provides false certificates for blocked https pages



  • Hi all,
    We use pfSense 2.2 with the packages squid3 (v 3.4.10_2 pkg 0.2.6) and squidGuard (v 1.4_7 pkg v.1.9.10). We would like to use the system as a proxy server for http and https connections.

    This works perfectly for http connections. Https connections work well as long as the requested page is not blocked by us; once it is blocked, a certificate error is shown.

    Example
    Works: https://www.google.de Certificate: Domain CA -> PFsense-SUB-CA -> www.google.de
    Page is blocked: https://www.google.de Certificate: Domain CA -> PFsense-SUB-CA -> http (cert error)
    In this case our error page is not shown, but a message appears saying that my connection is under attack.

    Do you have any idea what I did wrong?

    Thank you and greetings



  • If you are running in Transparent mode then you will have to install the pfSense certificate on every client that uses the proxy or you will get man-in-the-middle attack warnings. To avoid this, use Squid in standard mode and then use WPAD to help direct clients to the proxy. Don't forget to block ports 80 and 443 on LAN.



  • Hello,

    Thanks for the answer.

    The certificate is valid, it is only issued wrongly. This is a domain environment and pfSense is a valid SUB-CA of the domain. The clients trust pfSense and also report the certificate as valid, just wrong, because if the web page is blocked pfSense uses "http" as the site name in the certificate and not the URL of the site.

    Example:

    Unblocked
    https://www.google.de cert valid -  certification path :  Domain CA -> PFSENSE-SUB-CA -> www.google.de

    Blocked
    https://www.google.de cert valid - certification path : Domain CA -> PFSENSE-SUB-CA -> http (This is of course wrong, but I do not know why pfSense does this)

    Excuse my bad English.

    Thank you and greetings


  • Banned

    Dude… just stop proxying HTTPS. Of course they provide "false" certificates. Otherwise, doing this stupid SSL MITM proxy thing would be impossible.


  • LAYER 8 Netgate

    What browser?  What domain?

    It sounds like you're trying to do things correctly but certificate pinning will still break it.  It will only get worse (or better, depending on your POV) from here.  As doktornotor said, stop trying to proxy SSL sessions.



  • As doktornotor said, stop trying to proxy SSL sessions.

    How is this at all practical advice?  Considering how the web is going to HTTPS more and more, how do you filter employee web access in the real world?  I know that in an idealized "perfect world" scenario, I could just tell my users to behave.  But that's completely naive in practice, and we're not about constantly monitoring and punishing wayward workers over Facebook access.


  • Rebel Alliance Developer Netgate

    You don't do so transparently.

    Put the proxy settings in the browser, setup WPAD, etc. Block HTTPS unless it goes through the proxy.

    Filtering is getting more and more worthless. Everyone has smartphones, they'll use Facebook on their phone rather than the company network, the time is still wasted.
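    The non-transparent setup recommended in this reply and in the first reply above (explicit proxy settings distributed via WPAD, with direct port 80/443 blocked on LAN) needs a proxy auto-config (PAC) script for the browsers to fetch. The following is an added example, not code from this thread or from pfSense or Squid; it assumes a hypothetical pfSense LAN address 192.168.1.1 with Squid listening on port 3128 and a hypothetical internal domain corp.example. The first three helper functions re-implement the PAC built-ins isPlainHostName, dnsDomainIs and shExpMatch so the script can be run and checked under Node; browsers provide their own copies, and these definitions shadow them with equivalent behaviour.

```javascript
// Added example (not from the thread): wpad.dat / proxy.pac for an explicit
// pfSense + Squid proxy. Assumed values (hypothetical):
//   PROXY_HOST 192.168.1.1:3128  - pfSense LAN address, Squid port
//   INTERNAL_DOMAIN .corp.example - internal DNS domain that bypasses the proxy

var PROXY_HOST = "PROXY 192.168.1.1:3128";
var INTERNAL_DOMAIN = ".corp.example";

// --- PAC built-ins re-implemented so the script runs under Node -------------

// True for single-label hosts such as "intranet" or "printer01".
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// True if host ends with domain, exactly like the browser built-in.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Shell-style glob match: '*' matches any run, '?' one character.
function shExpMatch(str, shexp) {
  var re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// --- local helper (not a PAC built-in) ---------------------------------------

// True when the host is an IPv4 literal inside RFC 1918 space. This is a pure
// string test: unlike isInNet() it never triggers a DNS lookup, so it cannot
// stall the browser, but it also only covers hosts typed as IP addresses.
function isRfc1918Literal(host) {
  return /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host) ||
    /^192\.168\.\d{1,3}\.\d{1,3}$/.test(host) ||
    /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/.test(host);
}

// --- the PAC entry point -----------------------------------------------------

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Only web traffic is proxied; anything else (ftp:, etc.) is left alone.
  if (!shExpMatch(url, "http:*") && !shExpMatch(url, "https:*")) {
    return "DIRECT";
  }

  // Local names and the internal domain never go through the proxy.
  if (host === "localhost" || isPlainHostName(host) ||
      dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }

  // RFC 1918 IP literals (the pfSense web GUI, printers, ...) go direct.
  if (isRfc1918Literal(host)) {
    return "DIRECT";
  }

  // Everything else, http and https alike, goes to Squid. Deliberately no
  // "; DIRECT" fallback: with one, a browser that cannot reach the proxy would
  // silently bypass it, and filtering would then rest solely on the LAN rule
  // blocking ports 80 and 443. Failing closed keeps that rule a backstop.
  return PROXY_HOST;
}
```

    Serve the file as wpad.dat with the MIME type application/x-ns-proxy-autoconfig from a host named wpad in the clients' DNS search domain (or point to it with DHCP option 252). The PAC only steers the browsers; the LAN firewall rule blocking direct 80/443 is what enforces the policy, and sites that pin their certificates, as noted earlier in the thread, will still refuse the pfSense-issued certificate whether the proxy is explicit or transparent.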



  • You don't do so transparently.

    Well, there's a mile of difference between "Don't proxy HTTPS transparently" and "Don't proxy HTTPS".  The former is smart, the latter is stupid and why I posted.  Semantics, I guess.



  • Hi,
    I have the same problem.

    Do you have a solution?

    Thanks!

