[SOLVED] pfsense forum HTTPS problem



  • I have a problem.
    When I try to go to the forum in Chrome I get this error:

    You cannot visit forum.pfsense.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

    There are also some other sites that have this problem. Yesterday everything was working fine.

    I didn't change any settings that I can think of that are related to HTTPS.

    I am using pfsense 2.2.4 and the following plugins:
    bind 0.3.9
    pfBlockerNG 1.09
    snort 3.2.6

    When I check Google it seems to be something to do with the time. But the time on my computer is correct. On the router I added 2 extra time servers.
    When I check the time in the Snort alert list it shows the correct time.

    But when I check the pfBlockerNG block list the time is off by 2 hours.

    I see new entries in pfBlocker
    like Aug 4 11:43:36; my current time is Aug 4 13:43:36.


  • Rebel Alliance Global Moderator

    Did you update your Chrome version? Why would you think pfsense would have anything to do with that error?

    Did you try a different browser? I show my Chrome version as
    Version 44.0.2403.12

    I don't show pfsense.org using HSTS.

    Did you go to chrome://net-internals/#hsts and look at your settings? You can query a domain there.

    So you can do a simple test of whether a site has HSTS set up with curl. I know Dropbox has it set up, so do a simple curl looking for Strict in the headers and you get back:
    user@ubuntu:~$ curl -s -D- https://dropbox.com/ | grep Strict
    Strict-Transport-Security: max-age=15552000; includeSubDomains; preload

    But when I check pfsense.org, no, they do not have it enabled:
    user@ubuntu:~$ curl -s -D- https://pfsense.org/ | grep Strict
    user@ubuntu:~$

    I know LastPass has it set up as well:
    user@ubuntu:~$ curl -s -D- https://lastpass.com/ | grep Strict
    Strict-Transport-Security: max-age=86400000
    user@ubuntu:~$

    I am really curious why you think pfsense would do something with this sort of traffic to cause a problem in your browser. Go to the Chrome internals page and see if pfsense.org is in there. I don't see why it would be, since they don't have it enabled from what I can see.

    Oh wait, they have it enabled on the forum:
    user@ubuntu:~$ curl -s -D- https://forum.pfsense.org/ | grep Strict
    Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

    I always thought it was supposed to be set up on the parent domain for your subdomains?? Hmmm, so do the query in Chrome and what do you see?




  • @johnpoz:

    Did you update your Chrome version? Why would you think pfsense would have anything to do with that error?

    Did you try a different browser? I show my Chrome version as
    Version 44.0.2403.12

    I don't show pfsense.org using HSTS.

    Did you go to chrome://net-internals/#hsts and look at your settings? You can query a domain there.

    So you can do a simple test of whether a site has HSTS set up with curl. I know Dropbox has it set up, so do a simple curl looking for Strict in the headers and you get back:
    user@ubuntu:~$ curl -s -D- https://dropbox.com/ | grep Strict
    Strict-Transport-Security: max-age=15552000; includeSubDomains; preload

    But when I check pfsense.org, no, they do not have it enabled:
    user@ubuntu:~$ curl -s -D- https://pfsense.org/ | grep Strict
    user@ubuntu:~$

    I know LastPass has it set up as well:
    user@ubuntu:~$ curl -s -D- https://lastpass.com/ | grep Strict
    Strict-Transport-Security: max-age=86400000
    user@ubuntu:~$

    I am really curious why you think pfsense would do something with this sort of traffic to cause a problem in your browser. Go to the Chrome internals page and see if pfsense.org is in there. I don't see why it would be, since they don't have it enabled from what I can see.

    Oh wait, they have it enabled on the forum:
    user@ubuntu:~$ curl -s -D- https://forum.pfsense.org/ | grep Strict
    Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

    I always thought it was supposed to be set up on the parent domain for your subdomains?? Hmmm, so do the query in Chrome and what do you see?

    I'm using the latest version of Chrome, 44.0.2403.125 m.

    This is what I see in Chrome:

    static_sts_domain:
    static_upgrade_mode: UNKNOWN
    static_sts_include_subdomains:
    static_sts_observed:
    static_pkp_domain:
    static_pkp_include_subdomains:
    static_pkp_observed:
    static_spki_hashes:
    dynamic_sts_domain: forum.pfsense.org
    dynamic_upgrade_mode: STRICT
    dynamic_sts_include_subdomains: true
    dynamic_sts_observed: 1438640510.60279
    dynamic_pkp_domain:
    dynamic_pkp_include_subdomains: false
    dynamic_pkp_observed: 0
    dynamic_spki_hashes:

    When I try the command I get curl: Command not found.

    So I had to install curl first via (https://doc.pfsense.org/index.php/Installing_FreeBSD_Packages).

    So with Dropbox I get the same as you:
    Strict-Transport-Security: max-age=15552000; includeSubDomains; preload

    Same with forum.pfsense.org.

    I have Snort and pfBlockerNG installed but they didn't give a problem yesterday.

    Edit:
    it also says
    Your connection is not private

    Attackers might be trying to steal your information from forum.pfsense.org (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
    Subject: *.pfsense.org
    Issuer: Untrusted Bitdefender CA
    Expires on: Aug 21, 2015
    Current date: Aug 4, 2015



  • OK, I solved the problem.

    Which is strange; I never had any problems with this at all.

    But my Bitdefender also scans the sites' SSL. I never changed that setting and it's been like that for like 2 years now, since I use that one.

    Yesterday it was working fine and today it gives that error.

    When I disabled the SSL website scanning in Bitdefender the sites load again,
    and when I enable it, it gives the same error.

    The reason why I also thought it was pfSense is because I've been using it since yesterday and have been testing it before I put it on the main network.
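    Added example, not code from the thread and not pfSense's or Bitdefender's own: it ties together johnpoz's curl check of the Strict-Transport-Security header and the NET::ERR_CERT_AUTHORITY_INVALID result from the Bitdefender "Untrusted Bitdefender CA" certificate. It parses the header lines quoted above into a policy, shows which hosts a policy covers (includeSubDomains only reaches labels below the sending host, never the parent domain), and models the browser rule from RFC 6797 section 12.1: on a known HSTS host a certificate error is fatal with no click-through, which is why an interception proxy whose root is not trusted breaks forum.pfsense.org outright but only warns on pfsense.org. The header lines, hostnames and the dynamic_sts_observed value are copied from the thread; the "browser" is a deliberately simplified model, and the scenario in the main block is constructed.

```python
"""Added example: HSTS header parsing and the HSTS-plus-bad-certificate rule.
Sample values are taken from the forum thread; the verdict logic is a
simplified model of RFC 6797 section 12.1, not a browser's actual code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed from the thread: what `curl -s -D- https://HOST/ | grep Strict`
# returned per host (None = no header line at all).
SAMPLE_HEADERS = {
    "dropbox.com": "Strict-Transport-Security: max-age=15552000; includeSubDomains; preload",
    "pfsense.org": None,
    "lastpass.com": "Strict-Transport-Security: max-age=86400000",
    "forum.pfsense.org": "Strict-Transport-Security: max-age=63072000; includeSubdomains; preload",
}


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int             # seconds the browser must treat the host as HTTPS-only
    include_subdomains: bool
    preload: bool            # signals intent to be on the browsers' preload list


def parse_sts(header_line: Optional[str]) -> Optional[HstsPolicy]:
    """Parse one Strict-Transport-Security header line per RFC 6797.

    Directive names are case-insensitive, so 'includeSubDomains' (Dropbox)
    and 'includeSubdomains' (forum.pfsense.org) are both valid. Returns None
    for a missing or malformed header; browsers ignore such headers.
    """
    if header_line is None:
        return None
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "strict-transport-security":
        return None
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        key, _, arg = directive.strip().partition("=")
        key = key.strip().lower()
        arg = arg.strip().strip('"')
        if key == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif key == "includesubdomains":
            include_subdomains = True
        elif key == "preload":
            preload = True
    if max_age is None:  # max-age is the only mandatory directive
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_applies(policy_host: str, policy: Optional[HstsPolicy], target_host: str) -> bool:
    """A policy covers the host that sent it and, with includeSubDomains,
    every label below it. It never reaches up: forum.pfsense.org's header
    says nothing about pfsense.org."""
    if policy is None:
        return False
    if target_host == policy_host:
        return True
    return policy.include_subdomains and target_host.endswith("." + policy_host)


LOADED = "loaded"
INTERSTITIAL = "certificate warning, user may click through"
BLOCKED = "blocked: HSTS host, certificate error is not bypassable"


def browser_verdict(target_host: str, known_policies: dict, chain_trusted: bool) -> str:
    """Simplified RFC 6797 12.1 rule: an untrusted chain (e.g. a TLS-scanning
    product re-signing sites with a root the browser does not trust) is a
    warning on an ordinary host but a hard failure on an HSTS-covered host."""
    if chain_trusted:
        return LOADED
    covered = any(hsts_applies(h, p, target_host) for h, p in known_policies.items())
    return BLOCKED if covered else INTERSTITIAL


def observed_utc(dynamic_sts_observed: str) -> str:
    """Convert the epoch-seconds value chrome://net-internals/#hsts shows as
    dynamic_sts_observed into a UTC timestamp (when the policy was stored)."""
    ts = float(dynamic_sts_observed)
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    policies = {host: parse_sts(line) for host, line in SAMPLE_HEADERS.items()}
    for host, pol in policies.items():
        print(f"{host:20} {pol}")
    # Constructed scenario: every site is re-signed by an untrusted scanning CA.
    for host in ("pfsense.org", "forum.pfsense.org"):
        print(host, "->", browser_verdict(host, policies, chain_trusted=False))
    print("policy first observed:", observed_utc("1438640510.60279"))
```

    Running it prints forum.pfsense.org as blocked and pfsense.org as a click-through warning under the same untrusted chain, which matches the two behaviours the thread describes; the dynamic_sts_observed value from the net-internals dump converts to 2015-08-03 22:21:50 UTC, i.e. the policy was learned the night before the error appeared. The defender's takeaway is that a TLS-inspecting product must get its root into the client's trust store, or every HSTS site it touches becomes unreachable rather than merely warned about.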


  • Rebel Alliance Global Moderator

    So what is Bitdefender saying about the SSL?

    As to using curl, I was not on my pfsense box doing that; notice the Ubuntu prompt ;)

    Very curious as to why your Bitdefender was blocking. Just did a scan of forum.pfsense.org on Qualys:
    https://www.ssllabs.com/ssltest/analyze.html?d=forum.pfsense.org

    They get a B because of some weak DH stuff; otherwise they look like they would be rocking an A.



  • @johnpoz:

    So what is Bitdefender saying about the SSL?

    As to using curl, I was not on my pfsense box doing that; notice the Ubuntu prompt ;)

    Very curious as to why your Bitdefender was blocking. Just did a scan of forum.pfsense.org on Qualys:
    https://www.ssllabs.com/ssltest/analyze.html?d=forum.pfsense.org

    They get a B because of some weak DH stuff; otherwise they look like they would be rocking an A.

    Bitdefender on my Windows PC is the firewall/antivirus program on my computer; I had SSL scan turned on under web security. That scans if the SSL is valid, I think. But not sure how or what exactly they scan.

    "You cannot visit forum.pfsense.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later."

    But when I have it enabled it gives that error, which it never did before. It gave an "error" but I could always continue to the webpage; now I could not at all.
    But I have it disabled now and shall keep it disabled for now.


  • Rebel Alliance Global Moderator

    That is what your browser is saying; what is the event in Bitdefender? I know what it is, btw ;)

    If your software is scanning and blocking stuff, shouldn't there be a log??


  • Banned

    @musicwizard:

    But my Bitdefender also scans the sites' SSL. I never changed that setting and it's been like that for like 2 years now, since I use that one.

    You might want to disable that shitty "feature". https://forum.pfsense.org/index.php?topic=93188.0