Pfsense and squid proxy certificate sha1 issue



  • Love or hate the standard proxy, we are required to run it for regulatory reasons. All of our users are made very aware of the proxy and its function and more importantly what Can and cannot be seen. We do make exceptions for obvious sites that need privacy such as banks, mortgage companies and.gov sites etc. at no time is any attempt made to hide the fact that it is signed by our firewall.

    That said, we are having an issue with chrome. We formed the CA with PF sense according to the documentation With sha256 but the certificates created for the squid proxy come out showing as Sha1 in chrome.
    I know that I could disable chrome but that's not the real solution because a lot of users like chrome.
    No matter how we create a proxy certificate it seems to come out as Sha1 in chrome, creating the warning.
    Has anyone figured out how to make the proxy create a true sha256 certificate?
    If so, can you please share?
    We do have our own internal CA outside of PF sense that we can use if we need to.



  • forget SSL Interception! Did you tried with WPAD Configuration for your proxy? It's very simple to configurate.





  • We have the settings for testing the same as they would Wpad.
    I will try in the next suggestion in the morning and let you know.
    Thank you for your feedback.



  • Set things back up. Still an issue.
    The one in the CA is correct. It shows as sha256. The one generated by Squid is sha1. VERY odd!
    The certification path shows The website cert(sha1 created by squid) is child of the PFSense CA (sha256)



  • @trinidadrancheria:

    Set things back up. Still an issue.
    The one in the CA is correct. It shows as sha256. The one generated by Squid is sha1. VERY odd!
    The certification path shows The website cert(sha1 created by squid) is child of the PFSense CA (sha256)

    I could confirm these, its caused by the version of squid which is available for install in pfsense, it only could generate sha1 certificates .



  • This is a bug of squid version.

    sslproxy_cert_sign_hash

    The bug has been fixed as of version 3.5 that is not yet available in pfSense.



  • You can try manual install squid-3.5.3.
    1. Go to the pfSense console/terminal either via SSH or on the box itself (keyboard and monitor are a must), press 8 on either the num keypad or above the QWERTY keyboard, and press enter.
    2. type in fetch https://files.pfsense.org/packages/10/All/squid-3.5.3-i386.pbi or https://files.pfsense.org/packages/10/All/squid-3.5.3-amd64.pbi and press enter. The file will download to the /root directory (root/admin home folder)
    3. Type in pbi_add –no-checksig -f squid-3.5.3-i386.pbi or  pbi_add –no-checksig -f  squid-3.5.3-amd64.pbi and it will copy its files and dependencies without problems.



  • @azharkov:

    You can try manual install squid-3.5.3.
    1. Go to the pfSense console/terminal either via SSH or on the box itself (keyboard and monitor are a must), press 8 on either the num keypad or above the QWERTY keyboard, and press enter.
    2. type in fetch https://files.pfsense.org/packages/10/All/squid-3.5.3-i386.pbi or https://files.pfsense.org/packages/10/All/squid-3.5.3-amd64.pbi and press enter. The file will download to the /root directory (root/admin home folder)
    3. Type in pbi_add –no-checksig -f squid-3.5.3-i386.pbi or  pbi_add –no-checksig -f  squid-3.5.3-amd64.pbi and it will copy its files and dependencies without problems.

    Thanks, I will try it  ;)



  • Tried it, rebooted after to reload squid. Version showed right, but squid 3.5.3 would not start :(
    Had to restore backup.

    In the error log

    php: rc.bootup: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '/usr/local/etc/rc.d/squid.sh: /usr/pbi/squid-amd64/sbin/squid: not found'

    3.4.10 was already installed and I ran pbi_add –no-checksig -f  squid-3.5.3-amd64.pbi 
    to update it (it overwrote the bins etc.) then rebooted.



  • @trinidadrancheria:

    Tried it, rebooted after to reload squid. Version showed right, but squid 3.5.3 would not start :(
    Had to restore backup.

    In the error log

    php: rc.bootup: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '/usr/local/etc/rc.d/squid.sh: /usr/pbi/squid-amd64/sbin/squid: not found'

    3.4.10 was already installed and I ran pbi_add –no-checksig -f  squid-3.5.3-amd64.pbi 
    to update it (it overwrote the bins etc.) then rebooted.

    You should create shortcut of link folder etc, lib, libexec, sbin and share, may can help you.




  • We are using the FreeBSD appliances :P

    How would I do that?



  • Okay here is how I did it.

    1. Install Squid 3.4 from the packages menu.
    2. Backup the following files: (this keeps C-ICAP working)
    /usr/pbi/squid-amd64/local/etc/clamd.conf.pfsense
    /usr/pbi/squid-amd64/local/etc/freshclam.conf.pfsense
    /usr/pbi/squid-amd64/local/etc/c-icap/c-icap.conf.pfsense
    /usr/pbi/squid-amd64/local/etc/c-icap/c-icap.magic.pfsense
    /usr/pbi/squid-amd64/local/etc/c-icap/squidclamav.conf.pfsense

    I did cp clamd.conf.pfsense ~/ for each file which copied the pfsense files to my root folder.

    3. Download the 3.5.3 package file and install it as mentioned above.
    4. Create the following symbolic links
    Change to the following folder: /usr/pbi/squid-amd64/

    ln -s /usr/pbi/squid-amd64/local/etc .
    ln -s /usr/pbi/squid-amd64/local/lib .
    ln -s /usr/pbi/squid-amd64/local/libexec .
    ln -s /usr/pbi/squid-amd64/local/share .
    ln -s /usr/pbi/squid-amd64/bin sbin

    This creates the shortcuts listed above.

    5. Copy the files in step 2 back to where they belong.

    You might be able to just restart the service but I restarted pfsense entirely just to make sure.



  • @uncltom:

    Okay here is how I did it.

    1. Install Squid 3.4 from the packages menu.
    2. Backup the following files: (this keeps C-ICAP working)
    /usr/pbi/squid-amd64/local/etc/clamd.conf.pfsense
    /usr/pbi/squid-amd64/local/etc/freshclam.conf.pfsense
    /usr/pbi/squid-amd64/local/etc/c-icap/c-icap.conf.pfsense
    /usr/pbi/squid-amd64/local/etc/c-icap/c-icap.magic.pfsense
    /usr/pbi/squid-amd64/local/etc/c-icap/squidclamav.conf.pfsense

    I did cp clamd.conf.pfsense ~/ for each file which copied the pfsense files to my root folder.

    3. Download the 3.5.3 package file and install it as mentioned above.
    4. Create the following symbolic links
    Change to the following folder: /usr/pbi/squid-amd64/

    ln -s /usr/pbi/squid-amd64/local/etc .
    ln -s /usr/pbi/squid-amd64/local/lib .
    ln -s /usr/pbi/squid-amd64/local/libexec .
    ln -s /usr/pbi/squid-amd64/local/share .
    ln -s /usr/pbi/squid-amd64/bin sbin

    This creates the shortcuts listed above.

    You might be able to just restart the service but I restarted pfsense entirely just to make sure.

    Hey just wanted to say thanks again for the ICAP fix, that really helped me out.  I can confirm this is tested and working with 2.2.6-RELEASE (amd64).  Besides the fact that wildcard certs are now working correctly it's also nice to see the green padlock in chrome now.  :)

    In addition to your post I actually came across another set of instructions I thought I'd share for anyone running an x86 platform (hopefully not too many).

    Source: http://hubpages.com/technology/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense

    Upgrading to Squid 3.5.3

    The upgrade instructions are slightly different depending on whether you are running the 32-bit or 64-bit version of pfSense.

    To determine which version you have open the pfSense dashboard and check the version section of the system information dashboard widget. If you see AMD64 then follow the 64-bit instructions. If you see i386, then use the 32-bit instructions.

    The commands can be run through an SSH terminal, or the web based terminal (Diagnostics \ Command Prompt)

    64-Bit (AMD64) Instructions

    Download the PBI by running the command: fetch https://files.pfsense.org/packages/10/All/squid-3.5.3-amd64.pbi

    Install the package by running: pbi_add –no-checksig -f squid-3.5.3-amd64.pbi

    Run the commands below to create the correct directory structure

    cd /usr/pbi/squid-amd64/
    rm -rf /usr/pbi/squid-amd64/etc
    ln -s /usr/pbi/squid-amd64/local/etc .
    ln -s /usr/pbi/squid-amd64/local/lib .
    ln -s /usr/pbi/squid-amd64/local/libexec .
    ln -s /usr/pbi/squid-amd64/local/share .
    ln -s /usr/pbi/squid-amd64/bin sbin

    Reboot pfSense after running the above commands (Diagnostics \ Reboot).

    32-Bit (i386) Instructions

    Download the PBI by running the command: fetch https://files.pfsense.org/packages/10/All/squid-3.5.3-i386.pbi

    Install the package by running: pbi_add –no-checksig -f squid-3.5.3-i386.pbi

    Run the commands below to create the correct directory structure

    cd /usr/pbi/squid-i386/
    rm -rf /usr/pbi/squid-i386/etc
    ln -s /usr/pbi/squid-i386/local/etc .
    ln -s /usr/pbi/squid-i386/local/lib .
    ln -s /usr/pbi/squid-i386/local/libexec .
    ln -s /usr/pbi/squid-i386/local/share .
    ln -s /usr/pbi/squid-i386/bin sbin

    Reboot pfSense after running the above commands (Diagnostics \ Reboot).
    Verifying the Installation of Squid 3.5.3

    After rebooting pfSense start a new SSH session (or use the web terminal) to verify the updated package was correctly installed.

    When you run the command below you should see version 3.5.3 listed in the output.

    /usr/local/sbin/squid -v



  • hey thx for info  ;D



  • I try bat have an isue!

    pbi_add –no-checksig -f squid-3.5.3-amd64.pbi
    pbi_add: Command not found.


  • Rebel Alliance Developer Netgate

    @andikovaci:

    I try bat have an isue!

    pbi_add –no-checksig -f squid-3.5.3-amd64.pbi
    pbi_add: Command not found.

    pfSense 2.3 does not use PBIs, the information in this thread is for 2.2.x and perhaps 2.1.x. Your issue, whatever it may be, is unlikely to be related to this thread. Start a new thread stating your problem in detail and someone can attempt to help from there.


Locked