    [SOLVED] pfsense forum HTTPS problem

    • M
      musicwizard last edited by

      I have a problem.
      When I try to go to the forum in Chrome I get this error:

      You cannot visit forum.pfsense.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

      There are also some other sites that have this problem. Yesterday everything was working fine.

      I didn't change any settings that I can think of that are related to HTTPS.

      I am using pfSense 2.2.4 and the following plugins:
      bind 0.3.9
      pfBlockerNG 1.09
      snort 3.2.6

      When I check Google it seems to be something to do with the time. But the time on my computer is correct. On the router I added 2 extra time servers.
      When I check the time in the Snort alert list it shows the correct time.

      But when I check in the pfBlockerNG block list the time is off by 2 hours.

      I see new entries in pfBlocker
      like Aug 4 11:43:36; my current time is Aug 4 13:43:36

      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        Did you update your chrome version?  Why would you think pfsense would have anything to do with that error?

        Did you try a different browser? I show my chrome version as
        Version 44.0.2403.12

        I don't show pfsense.org using HSTS

        Did you go to chrome://net-internals/#hsts and look at your settings, you can query domain there.

        So you can do a simple test if a site has HSTS setup with curl - so I know dropbox has it setup, so do a simple curl looking for Strict in the headers and get back
        user@ubuntu:~$ curl -s -D- https://dropbox.com/ | grep Strict
        Strict-Transport-Security: max-age=15552000; includeSubDomains; preload

        But when I check pfsense.org - no they do not have it enabled.
        user@ubuntu:~$ curl -s -D- https://pfsense.org/ | grep Strict
        user@ubuntu:~$

        I know lastpass has it setup as well
        user@ubuntu:~$ curl -s -D- https://lastpass.com/ | grep Strict
        Strict-Transport-Security: max-age=86400000
        user@ubuntu:~$

        I am really curious why you think pfsense would do something with this sort of traffic to cause a problem in your browser..  Go to the chrome internals stuff and see if pfsense.org is in there.. I don't see why it would be since they don't have it enabled from what I can see.

        Oh wait they have it enabled on forums
        user@ubuntu:~$ curl -s -D- https://forum.pfsense.org/ | grep Strict
        Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

        I always thought it was supposed to be set up on the parent domain for your subdomains??  Hmmm, so do the query in chrome and what do you see?


        • M
          musicwizard last edited by

          @johnpoz:

          Did you update your chrome version?  Why would you think pfsense would have anything to do with that error?

          Did you try a different browser? I show my chrome version as
          Version 44.0.2403.12

          I don't show pfsense.org using HSTS

          Did you go to chrome://net-internals/#hsts and look at your settings, you can query domain there.

          So you can do a simple test if a site has HSTS setup with curl - so I know dropbox has it setup, so do a simple curl looking for Strict in the headers and get back
          user@ubuntu:~$ curl -s -D- https://dropbox.com/ | grep Strict
          Strict-Transport-Security: max-age=15552000; includeSubDomains; preload

          But when I check pfsense.org - no they do not have it enabled.
          user@ubuntu:~$ curl -s -D- https://pfsense.org/ | grep Strict
          user@ubuntu:~$

          I know lastpass has it setup as well
          user@ubuntu:~$ curl -s -D- https://lastpass.com/ | grep Strict
          Strict-Transport-Security: max-age=86400000
          user@ubuntu:~$

          I am really curious why you think pfsense would do something with this sort of traffic to cause a problem in your browser..  Go to the chrome internals stuff and see if pfsense.org is in there.. I don't see why it would be since they don't have it enabled from what I can see.

          Oh wait they have it enabled on forums
          user@ubuntu:~$ curl -s -D- https://forum.pfsense.org/ | grep Strict
          Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

          I always thought it was supposed to be set up on the parent domain for your subdomains??  Hmmm, so do the query in chrome and what do you see?

          I'm using the latest version of Chrome, 44.0.2403.125 m

          This is what I see in Chrome.

          static_sts_domain:
          static_upgrade_mode: UNKNOWN
          static_sts_include_subdomains:
          static_sts_observed:
          static_pkp_domain:
          static_pkp_include_subdomains:
          static_pkp_observed:
          static_spki_hashes:
          dynamic_sts_domain: forum.pfsense.org
          dynamic_upgrade_mode: STRICT
          dynamic_sts_include_subdomains: true
          dynamic_sts_observed: 1438640510.60279
          dynamic_pkp_domain:
          dynamic_pkp_include_subdomains: false
          dynamic_pkp_observed: 0
          dynamic_spki_hashes:

          When I try the command I get curl: Command not found.

          So I had to install curl first via (https://doc.pfsense.org/index.php/Installing_FreeBSD_Packages).

          So with dropbox I get the same as you:
          Strict-Transport-Security: max-age=15552000; includeSubDomains; preload

          Same with forum.pfsense.org.

          I have Snort and pfBlockerNG installed but they didn't give a problem yesterday.

          Edit:
          It also says
          Your connection is not private

          Attackers might be trying to steal your information from forum.pfsense.org (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
          Subject: *.pfsense.org
          Issuer: Untrusted Bitdefender CA
          Expires on: Aug 21, 2015
          Current date: Aug 4, 2015

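Added example, not part of any post in this thread: a Python model of how a browser applies the Strict-Transport-Security values from the curl output and the dynamic entry shown in chrome://net-internals above, following RFC 6797. `HstsEntry`, the function names and the `now` value are assumptions made for illustration, and preloaded (static) entries are not modeled.

```python
from dataclasses import dataclass

@dataclass
class HstsEntry:                      # hypothetical model of one dynamic entry
    host: str
    observed: float                   # epoch seconds, as in dynamic_sts_observed
    max_age: int
    include_subdomains: bool

def parse_hsts(value):
    """Return (max_age, include_subdomains, preload), or None if invalid."""
    max_age, include_sub, preload = None, False, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()   # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                return None           # malformed max-age: header is ignored
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":       # preload-list convention, not in RFC 6797
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)

def covering_entry(host, store, now):
    """Return the unexpired entry that applies to host, or None."""
    host = host.lower().rstrip(".")
    for e in store:
        if now >= e.observed + e.max_age:
            continue                  # expired (max-age=0 expires immediately)
        # includeSubDomains extends the policy downward only, never to the parent
        if host == e.host or (e.include_subdomains and host.endswith("." + e.host)):
            return e
    return None

def cert_error_bypassable(host, store, now):
    # RFC 6797 section 12.1: no click-through on TLS errors for a known HSTS host
    return covering_entry(host, store, now) is None

def thread_case():
    # Header and dynamic_sts_observed as quoted in the thread; "now" is constructed.
    max_age, sub, _ = parse_hsts("max-age=63072000; includeSubdomains; preload")
    store = [HstsEntry("forum.pfsense.org", 1438640510.60279, max_age, sub)]
    now = 1438640510.60279 + 3600
    return {h: cert_error_bypassable(h, store, now)
            for h in ("forum.pfsense.org", "pfsense.org")}
```

`thread_case()` reports that a certificate error on forum.pfsense.org cannot be clicked through, while the same error on pfsense.org still can.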
          • M
            musicwizard last edited by

            OK, I solved the problem.

            Which is strange; I never had any problems with this at all.

            But my Bitdefender also scans the sites' SSL. I never changed that setting and it's been like that for like 2 years now since I use that one.

            Yesterday it was working fine and today it gives that error.

            When I disabled the SSL website scanning in Bitdefender the sites load again,
            and when I enable it, it gives the same error.

            The reason why I also thought it was pfSense is because I've been using it since yesterday and been testing it before I put it on the main network.

            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by

              So what is Bitdefender saying about the SSL?

              As to using curl - I was not on my pfsense box doing that, notice the ubuntu prompt ;)

              Very curious as to why your Bitdefender was blocking.. Just did a scan of forum.pfsense.org on Qualys
              https://www.ssllabs.com/ssltest/analyze.html?d=forum.pfsense.org

              They get a B because of some weak DH stuff, otherwise they look like they would be rocking an A..

              • M
                musicwizard last edited by

                @johnpoz:

                So what is Bitdefender saying about the SSL?

                As to using curl - I was not on my pfsense box doing that, notice the ubuntu prompt ;)

                Very curious as to why your Bitdefender was blocking.. Just did a scan of forum.pfsense.org on Qualys
                https://www.ssllabs.com/ssltest/analyze.html?d=forum.pfsense.org

                They get a B because of some weak DH stuff, otherwise they look like they would be rocking an A..

                Bitdefender on my Windows PC is the firewall/antivirus program on my computer. I had SSL scan turned on under web security. That scans if the SSL is valid, I think. But I'm not sure how or what exactly they scan.

                "You cannot visit forum.pfsense.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later."

                But when I have it enabled it gives that error. Which it never did before. It gave an "error" but I could always continue to the webpage, but now I could not at all.
                But I have it disabled now and shall keep it disabled for now.

                • johnpoz
                  johnpoz LAYER 8 Global Moderator last edited by

                  That is what your browser is saying, what is the event in bitdefender. I know what it is btw ;)

                  If your software is scanning and blocking stuff - shouldn't there be a log??

                  • D
                    doktornotor Banned last edited by

                    @musicwizard:

                    But my Bitdefender also scans the sites' SSL. I never changed that setting and it's been like that for like 2 years now since I use that one.

                    You might want to disable that shitty "feature". https://forum.pfsense.org/index.php?topic=93188.0
