Problem Opening Websites when using Transparent https (Squid)



  • I have followed:

    https://forum.pfsense.org/index.php?topic=72528.0

    to successfully implement transparent https with Squid Proxy.

    The issue is with the following website:

    safemarine.com

    Can anyone help me on this…



  • You may use ssl_bump none  ;D



  • Not working.

    acl broken_sites dstdomain .safmarine.com
    ssl_bump none broken_sites



  • That site has an untrusted cert.  When I examine the cert, it appears to be self-signed.  Nobody in the world will trust that.

    Here are the problems:

    1.  This cert has been issued to accentosrl.origina.it, not www.safemarine.com
    2.  This cert is self-signed with no trusted Certificate Authority behind it
    3.  It's using the deprecated SHA1 algorithm

    They need to get a real certificate for the real domain using current encryption and try again.  You can get a free SSL cert good for one year from www.startssl.com.

    Lastly, questions about squid go in the Packages - Cache/Proxy forum.  This has nothing to do with the firewall.
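The three checks listed above (name mismatch, self-signed, deprecated signature algorithm) can be run against any certificate from the command line. The script below is an added example for this thread, not code from the poster or from pfSense/Squid; it generates a throwaway self-signed certificate for a constructed host name so that it runs offline, and it assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a server certificate for the three
# problems listed in the post above: name mismatch, self-signed, weak signature.
# The host names and the throwaway certificate below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/server.pem"
KEY="$WORK/server.key"

# Build a throwaway self-signed certificate whose subject names a different host
# than the one the client wants (assumed names, chosen to trip the checks).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "/CN=other-host.example.invalid" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Check 1: does the certificate cover the host the client asked for?
# openssl's -checkhost applies the same SAN/CN matching rules a browser uses.
name_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Check 2: a certificate whose issuer equals its subject is self-signed,
# i.e. no CA the client already trusts vouches for it.
is_self_signed() {
    subject="$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')"
    issuer="$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')"
    [ "$subject" = "$issuer" ]
}

# Check 3: SHA-1 and MD5 signatures are no longer accepted by browsers.
has_weak_signature() {
    openssl x509 -in "$1" -noout -text \
        | grep 'Signature Algorithm' | head -n 1 \
        | grep -qiE 'sha1|md5'
}

# Run all three checks and print one line per finding; always returns 0 so the
# caller can count findings. Prints nothing for a certificate that passes.
audit_cert() {
    cert="$1"; host="$2"
    if ! name_matches "$cert" "$host"; then
        echo "NAME_MISMATCH: certificate is not issued for $host"
    fi
    if is_self_signed "$cert"; then
        echo "SELF_SIGNED: no trusted CA behind this certificate"
    fi
    if has_weak_signature "$cert"; then
        echo "WEAK_SIGNATURE: $(openssl x509 -in "$cert" -noout -text \
            | grep 'Signature Algorithm' | head -n 1 | sed 's/^ *//')"
    fi
    return 0
}

# Demo run: the constructed cert fails checks 1 and 2 but passes check 3.
make_demo_cert
echo "Auditing $CERT for host www.example.invalid:"
audit_cert "$CERT" www.example.invalid
```

To audit a live site instead of the demo certificate, fetch its leaf cert with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -out server.pem` and pass that file to `audit_cert`. The SQUID_X509_V_ERR_DOMAIN_MISMATCH error mentioned later in this thread is Squid's own report of the first check failing on the proxy side; running the audit yourself tells you which of the three problems a site actually has before deciding whether a per-site exception is justified.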



  • @KOM:

    …. This has nothing to do with the firewall.

    Well … yes, it does somehow.
    It breaks the 'firewall' ... ;)

    [Ok, I leave]



  • Can I bypass it somehow…



  • Can I bypass it somehow…

    Yes, by clicking "I Understand The Risks" and continuing anyway after you have been warned about the bad cert.  However, this is Bad Security.  You don't want to train people to ignore errors and warnings.  Get a real certificate.  It isn't that hard nor that expensive.



  • @KOM:

    Can I bypass it somehow…

    Yes, by clicking "I Understand The Risks" and continuing anyway after you have been warned about the bad cert.  However, this is Bad Security.  You don't want to train people to ignore errors and warnings.  Get a real certificate.  It isn't that hard nor that expensive.

    KOM,
    on some websites the option "I understand the risks" doesn't appear. It says the page only works with their certificates.
    When I use ssl_bump, Squid skips this message, but Squid immediately appears with SQUID_X509_V_ERR_DOMAIN_MISMATCH.

    I tried with another certificate (free, startssl.com); when I import the certificate in pfSense, Squid doesn't want to start.

    Thanks for sharing your knowledge.



  • You don't import certificates into pfSense, you import them into your web browser or PC operating system.  You should probably start your own thread since your problems don't seem to be similar.  Make a new thread with the problem you have and what you have done to fix it.



  • Maybe you want to pass the control to the users for these special cases. Sometimes you make use of a website that you know is safe, but the certificate is in "bad shape", showing that error page, so to "bypass" in these cases you need to pass the control to the user. In "Proxy server" -> "General" tab -> "SSL man in the middle filtering" -> "Remote Cert checks" select "Accept remote server certificate errors"
    (screenshot attached)

    This should get rid of that page and show you the browser dialog referring to the SSL certificate trouble, allowing you to add the site to the exception list.




  • KOM, I'll make my own thread.

    Chidgear, I have this option. I can access some sites by clicking "add to exception", but not gmail.com. Also, when I have to update my applications the proxy server doesn't let me update (Windows, antivirus, local software, etc.). This is another problem; I'll make another thread for it too. Like I said, I've tried with ssl_bump and an authentic certificate and my problem is the same.

    I'll let you know of any news.

