[SOLVED] pfsense forum HTTPS problem
-
i have a problem.
when i try to go to the forum in chrome i get this errorYou cannot visit forum.pfsense.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
there are also some other sites that have this problem. Yesterday everything was working fine.
i didn't change any settings that i can think of that are related to https.
i am using pfsense 2.2.4 and the following plugins
bind 0.3.9
pfBlockerNG 1.09
snort 3.2.6When i check google it seems something to do with the time. But time on my computer is correct. on the router i added 2 extra timeservers.
when i check the time in snort alert list it shows the correct time.but when i check in pfblockerNG block list the time is off by 2 hours.
i see new entries in pfblocker
like Aug 4 11:43:36 my current time is Aug 4 13:43:36
-
Did you update your chrome version? Why would you think pfsense would have anything to do with that error?
Did you try a different browser? I show my chrome version as
Version 44.0.2403.12I don't show pfsense.org using HSTS
Did you go to chrome://net-internals/#hsts and look at your settings, you can query domain there.
So you can do a simple test if a site has HSTS setup with curl - so I know dropbox has it setup, so do a simple curl looking for Strict in the headers and get back
user@ubuntu:~$ curl -s -D- https://dropbox.com/ | grep Strict
Strict-Transport-Security: max-age=15552000; includeSubDomains; preloadBut when I check pfsense.org - no they do not have it enabled.
user@ubuntu:~$ curl -s -D- https://pfsense.org/ | grep Strict
user@ubuntu:~$I know lastpass has it setup as well
user@ubuntu:~$ curl -s -D- https://lastpass.com/ | grep Strict
Strict-Transport-Security: max-age=86400000
user@ubuntu:~$I am really curious why you think pfsense would do something with this sort of traffic to cause a problem in your browser.. Go to the chrom internals stuff and see if pfsense.org is in there.. I don't see how why it would be since they don't have it enabled from what I can see.
Oh wait they have it enabled on forums
user@ubuntu:~$ curl -s -D- https://forum.pfsense.org/ | grep Strict
Strict-Transport-Security: max-age=63072000; includeSubdomains; preloadI always thought it was suppose to be setup on the parent domain for your subdomains?? Hmmm, so do the query in chrome and what do you see?
-
Did you update your chrome version? Why would you think pfsense would have anything to do with that error?
Did you try a different browser? I show my chrome version as
Version 44.0.2403.12I don't show pfsense.org using HSTS
Did you go to chrome://net-internals/#hsts and look at your settings, you can query domain there.
So you can do a simple test if a site has HSTS setup with curl - so I know dropbox has it setup, so do a simple curl looking for Strict in the headers and get back
user@ubuntu:~$ curl -s -D- https://dropbox.com/ | grep Strict
Strict-Transport-Security: max-age=15552000; includeSubDomains; preloadBut when I check pfsense.org - no they do not have it enabled.
user@ubuntu:~$ curl -s -D- https://pfsense.org/ | grep Strict
user@ubuntu:~$I know lastpass has it setup as well
user@ubuntu:~$ curl -s -D- https://lastpass.com/ | grep Strict
Strict-Transport-Security: max-age=86400000
user@ubuntu:~$I am really curious why you think pfsense would do something with this sort of traffic to cause a problem in your browser.. Go to the chrom internals stuff and see if pfsense.org is in there.. I don't see how why it would be since they don't have it enabled from what I can see.
Oh wait they have it enabled on forums
user@ubuntu:~$ curl -s -D- https://forum.pfsense.org/ | grep Strict
Strict-Transport-Security: max-age=63072000; includeSubdomains; preloadI always thought it was suppose to be setup on the parent domain for your subdomains?? Hmmm, so do the query in chrome and what do you see?
Im using the latest version of Chrome 44.0.2403.125 m
this is what i see in chrome.
static_sts_domain:
static_upgrade_mode: UNKNOWN
static_sts_include_subdomains:
static_sts_observed:
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain: forum.pfsense.org
dynamic_upgrade_mode: STRICT
dynamic_sts_include_subdomains: true
dynamic_sts_observed: 1438640510.60279
dynamic_pkp_domain:
dynamic_pkp_include_subdomains: false
dynamic_pkp_observed: 0
dynamic_spki_hashes:when i try the command i get curl: Command not found.
so i had to install via (https://doc.pfsense.org/index.php/Installing_FreeBSD_Packages)
curl first.so with dropbox i get the same as you
Strict-Transport-Security: max-age=15552000; includeSubDomains; preloadsame with forum.pfsense.org
I have Snort and pfblockerNG installed but they didnt gave a problem yesterday.
edit:
it also says
Your connection is not privateAttackers might be trying to steal your information from forum.pfsense.org (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
Subject: *.pfsense.org
Issuer: Untrusted Bitdefender CA
Expires on: Aug 21, 2015
Current date: Aug 4, 2015
-
Ok i solved the problem.
Which is strange i never had any problems with this at all.
but my bitdefender also scans the sites SSL. i never changed that setting and its been like that for like 2 years now since i use that one.
yesterday it was working fine and today it gives that error.
When i disabled the SSL website scanning in bitdefender the sites loads again.
and when i enable it gives the same error.the reason why i also thought it was PFsense is because i've been using it since yesterday and been testing it before i put it on the main network.
-
so what is bitdefender saying about the ssl ?
As to using curl - I was not on my pfsense box doing that, notice the ubuntu prompt ;)
Very curious to why your bitdefender was blocking.. Just did a scan of forum.pfsense.org on qualys
https://www.ssllabs.com/ssltest/analyze.html?d=forum.pfsense.orgThey get a B because of some weak DH stuff, otherwise they look like they would be rocking an A..
-
so what is bitdefender saying about the ssl ?
As to using curl - I was not on my pfsense box doing that, notice the ubuntu prompt ;)
Very curious to why your bitdefender was blocking.. Just did a scan of forum.pfsense.org on qualys
https://www.ssllabs.com/ssltest/analyze.html?d=forum.pfsense.orgThey get a B because of some weak DH stuff, otherwise they look like they would be rocking an A..
Bitdefender on my windows PC is the firewall/antivirus prog on my computer i had under websecurity SSL scan on. that scans if the ssl is valid i think. But not sure how or what they exactly scan.
"You cannot visit forum.pfsense.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later."
But when i have it enabled it gives that error. Which it never did before. it gave a "error' but i could always continu to the webpage but now i could not at all.
but i have it disabled now and shall keep it disabled for now.
-
That is what your browser is saying, what is the event in bitdefender. I know what it is btw ;)
If your software is scanning and blocking stuff - shouldn't there be a log??
-
but my bitdefender also scans the sites SSL. i never changed that setting and its been like that for like 2 years now since i use that one.
You might want to disable that shitty "feature". https://forum.pfsense.org/index.php?topic=93188.0
