Netgate Discussion Forum

Pfsense and squid proxy certificate sha1 issue

Category: Cache/Proxy
trinidadrancheria

Love or hate the standard proxy, we are required to run it for regulatory reasons. All of our users are made very aware of the proxy and its function and, more importantly, what can and cannot be seen. We do make exceptions for obvious sites that need privacy, such as banks, mortgage companies and .gov sites, etc. At no time is any attempt made to hide the fact that it is signed by our firewall.

That said, we are having an issue with Chrome. We formed the CA with pfSense according to the documentation, with SHA-256, but the certificates created for the Squid proxy come out showing as SHA-1 in Chrome.
I know that I could disable Chrome, but that's not the real solution because a lot of users like Chrome.
No matter how we create a proxy certificate, it seems to come out as SHA-1 in Chrome, creating the warning.
Has anyone figured out how to make the proxy create a true SHA-256 certificate?
If so, can you please share?
We do have our own internal CA outside of pfSense that we can use if we need to.

chavarriaa

Forget SSL interception! Did you try a WPAD configuration for your proxy? It's very simple to configure.

aGeekhere

          try this
          https://www.sxl.net/guides/cloud-vps/pfsense/5482/

          Never Fear, A Geek is Here!

trinidadrancheria

We have the settings for testing the same as they would be for WPAD.
I will try the next suggestion in the morning and let you know.
Thank you for your feedback.

trinidadrancheria

Set things back up. Still an issue.
The one in the CA is correct. It shows as SHA-256. The one generated by Squid is SHA-1. VERY odd!
The certification path shows the website cert (SHA-1, created by Squid) is a child of the pfSense CA (SHA-256).

S. Kirschner

                @trinidadrancheria:

Set things back up. Still an issue.
The one in the CA is correct. It shows as SHA-256. The one generated by Squid is SHA-1. VERY odd!
The certification path shows the website cert (SHA-1, created by Squid) is a child of the pfSense CA (SHA-256).

I can confirm this; it's caused by the version of Squid that is available for install in pfSense, which can only generate SHA-1 certificates.

bcpereiraa

This is a bug in that Squid version.

sslproxy_cert_sign_hash

The bug has been fixed as of version 3.5, which is not yet available in pfSense.

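A way to confirm which hash the proxy's minted certificates are actually signed with, as an added example (shell; not code from the thread, from Squid or from pfSense): it reads the text form of a certificate as `openssl x509 -noout -text` prints it and reports the signature algorithm and the issuer. The abridged certificate text, the issuer name `pfSense Proxy CA` and the host `www.example.com` are constructed for the example; `check_presented` assumes `openssl` is on the path of the client it is run from.

```shell
#!/bin/sh
# Added example, not from the thread: report which hash a certificate's signature
# uses, from the text form printed by `openssl x509 -noout -text`. Chrome's warning
# in the thread comes from the leaf certificate Squid mints being signed with SHA-1
# even though the pfSense CA itself is SHA-256, so the leaf is what to inspect.

# sig_alg_from_text: certificate text on stdin -> signature algorithm name.
# openssl prints "Signature Algorithm:" twice (TBS header and trailer); the first suffices.
sig_alg_from_text() {
  awk '/Signature Algorithm:/ { print $3; exit }'
}

# issuer_from_text: certificate text on stdin -> the issuer DN, for context
issuer_from_text() {
  sed -n 's/^ *Issuer: *//p' | head -n 1
}

# classify_sig ALG: "weak" for SHA-1/MD5 signatures, "ok" for the SHA-2 family
# and EdDSA, "unknown" for anything else (so a new name is never silently accepted)
classify_sig() {
  case "$1" in
    md5With*|sha1With*|ecdsa-with-SHA1|dsaWithSHA1) echo weak ;;
    sha256With*|sha384With*|sha512With*) echo ok ;;
    ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512|ED25519|ED448) echo ok ;;
    *) echo unknown ;;
  esac
}

# check_cert_text: certificate text on stdin -> "<alg> <verdict> issuer=<issuer>"
check_cert_text() {
  text=$(cat)
  alg=$(printf '%s\n' "$text" | sig_alg_from_text)
  issuer=$(printf '%s\n' "$text" | issuer_from_text)
  printf '%s %s issuer=%s\n' "$alg" "$(classify_sig "$alg")" "$issuer"
}

# check_presented HOST [PORT]: fetch the leaf certificate a client sees for HOST and
# check it. Run from a client behind the proxy so Squid's minted cert is examined.
check_presented() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -text | check_cert_text
}

# Constructed samples (abridged openssl output) shaped like the certificates the
# thread discusses: the SHA-1 leaf an old Squid mints, and a SHA-256 one.
SAMPLE_LEAF_SHA1='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = pfSense Proxy CA
        Subject: CN = www.example.com
    Signature Algorithm: sha1WithRSAEncryption'

SAMPLE_LEAF_SHA256='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = pfSense Proxy CA
        Subject: CN = www.example.com
    Signature Algorithm: sha256WithRSAEncryption'

# Stand-alone run: show both samples; pass a host name to check a live connection.
if [ $# -gt 0 ]; then
  check_presented "$@"
else
  printf '%s\n' "$SAMPLE_LEAF_SHA1" | check_cert_text
  printf '%s\n' "$SAMPLE_LEAF_SHA256" | check_cert_text
fi
```

The split between the CA and the leaf matters here: `openssl x509` on the CA file exported from pfSense will report SHA-256 exactly as the thread says, and only the certificate presented on a live connection through the proxy shows the SHA-1 signature that triggers the browser warning. The same check run after the Squid upgrade is what confirms the fix.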
azharkov

You can try a manual install of squid-3.5.3.
1. Go to the pfSense console/terminal, either via SSH or on the box itself (keyboard and monitor are a must), press 8 on either the num keypad or above the QWERTY keyboard, and press Enter.
2. Type in fetch https://files.pfsense.org/packages/10/All/squid-3.5.3-i386.pbi or https://files.pfsense.org/packages/10/All/squid-3.5.3-amd64.pbi and press Enter. The file will download to the /root directory (root/admin home folder).
3. Type in pbi_add --no-checksig -f squid-3.5.3-i386.pbi or pbi_add --no-checksig -f squid-3.5.3-amd64.pbi and it will copy its files and dependencies without problems.

agixdota

                      @azharkov:

You can try a manual install of squid-3.5.3.
1. Go to the pfSense console/terminal, either via SSH or on the box itself (keyboard and monitor are a must), press 8 on either the num keypad or above the QWERTY keyboard, and press Enter.
2. Type in fetch https://files.pfsense.org/packages/10/All/squid-3.5.3-i386.pbi or https://files.pfsense.org/packages/10/All/squid-3.5.3-amd64.pbi and press Enter. The file will download to the /root directory (root/admin home folder).
3. Type in pbi_add --no-checksig -f squid-3.5.3-i386.pbi or pbi_add --no-checksig -f squid-3.5.3-amd64.pbi and it will copy its files and dependencies without problems.

                      Thanks, I will try it  ;)

trinidadrancheria

                        Tried it, rebooted after to reload squid. Version showed right, but squid 3.5.3 would not start :(
                        Had to restore backup.

                        In the error log

                        php: rc.bootup: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '/usr/local/etc/rc.d/squid.sh: /usr/pbi/squid-amd64/sbin/squid: not found'

3.4.10 was already installed and I ran pbi_add --no-checksig -f squid-3.5.3-amd64.pbi
to update it (it overwrote the bins etc.), then rebooted.

agixdota

                          @trinidadrancheria:

                          Tried it, rebooted after to reload squid. Version showed right, but squid 3.5.3 would not start :(
                          Had to restore backup.

                          In the error log

                          php: rc.bootup: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '/usr/local/etc/rc.d/squid.sh: /usr/pbi/squid-amd64/sbin/squid: not found'

3.4.10 was already installed and I ran pbi_add --no-checksig -f squid-3.5.3-amd64.pbi
to update it (it overwrote the bins etc.), then rebooted.

You should create shortcuts (links) for the folders etc, lib, libexec, sbin and share; that may help you.

trinidadrancheria

                            We are using the FreeBSD appliances :P

                            How would I do that?

uncltom

                              Okay here is how I did it.

                              1. Install Squid 3.4 from the packages menu.
                              2. Backup the following files: (this keeps C-ICAP working)
                              /usr/pbi/squid-amd64/local/etc/clamd.conf.pfsense
                              /usr/pbi/squid-amd64/local/etc/freshclam.conf.pfsense
                              /usr/pbi/squid-amd64/local/etc/c-icap/c-icap.conf.pfsense
                              /usr/pbi/squid-amd64/local/etc/c-icap/c-icap.magic.pfsense
                              /usr/pbi/squid-amd64/local/etc/c-icap/squidclamav.conf.pfsense

I did cp clamd.conf.pfsense ~/ for each file, which copied the pfSense files to my root folder.

                              3. Download the 3.5.3 package file and install it as mentioned above.
4. Create the following symbolic links.
                              Change to the following folder: /usr/pbi/squid-amd64/

                              ln -s /usr/pbi/squid-amd64/local/etc .
                              ln -s /usr/pbi/squid-amd64/local/lib .
                              ln -s /usr/pbi/squid-amd64/local/libexec .
                              ln -s /usr/pbi/squid-amd64/local/share .
                              ln -s /usr/pbi/squid-amd64/bin sbin

                              This creates the shortcuts listed above.

                              5. Copy the files in step 2 back to where they belong.

                              You might be able to just restart the service but I restarted pfsense entirely just to make sure.

JStyleG7X

                                @uncltom:

                                Okay here is how I did it.

                                1. Install Squid 3.4 from the packages menu.
                                2. Backup the following files: (this keeps C-ICAP working)
                                /usr/pbi/squid-amd64/local/etc/clamd.conf.pfsense
                                /usr/pbi/squid-amd64/local/etc/freshclam.conf.pfsense
                                /usr/pbi/squid-amd64/local/etc/c-icap/c-icap.conf.pfsense
                                /usr/pbi/squid-amd64/local/etc/c-icap/c-icap.magic.pfsense
                                /usr/pbi/squid-amd64/local/etc/c-icap/squidclamav.conf.pfsense

I did cp clamd.conf.pfsense ~/ for each file, which copied the pfSense files to my root folder.

                                3. Download the 3.5.3 package file and install it as mentioned above.
4. Create the following symbolic links.
                                Change to the following folder: /usr/pbi/squid-amd64/

                                ln -s /usr/pbi/squid-amd64/local/etc .
                                ln -s /usr/pbi/squid-amd64/local/lib .
                                ln -s /usr/pbi/squid-amd64/local/libexec .
                                ln -s /usr/pbi/squid-amd64/local/share .
                                ln -s /usr/pbi/squid-amd64/bin sbin

                                This creates the shortcuts listed above.

                                You might be able to just restart the service but I restarted pfsense entirely just to make sure.

                                Hey just wanted to say thanks again for the ICAP fix, that really helped me out.  I can confirm this is tested and working with 2.2.6-RELEASE (amd64).  Besides the fact that wildcard certs are now working correctly it's also nice to see the green padlock in chrome now.  :)

                                In addition to your post I actually came across another set of instructions I thought I'd share for anyone running an x86 platform (hopefully not too many).

                                Source: http://hubpages.com/technology/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense

                                Upgrading to Squid 3.5.3

                                The upgrade instructions are slightly different depending on whether you are running the 32-bit or 64-bit version of pfSense.

                                To determine which version you have open the pfSense dashboard and check the version section of the system information dashboard widget. If you see AMD64 then follow the 64-bit instructions. If you see i386, then use the 32-bit instructions.

                                The commands can be run through an SSH terminal, or the web based terminal (Diagnostics \ Command Prompt)

                                64-Bit (AMD64) Instructions

                                Download the PBI by running the command: fetch https://files.pfsense.org/packages/10/All/squid-3.5.3-amd64.pbi

Install the package by running: pbi_add --no-checksig -f squid-3.5.3-amd64.pbi

                                Run the commands below to create the correct directory structure

                                cd /usr/pbi/squid-amd64/
                                rm -rf /usr/pbi/squid-amd64/etc
                                ln -s /usr/pbi/squid-amd64/local/etc .
                                ln -s /usr/pbi/squid-amd64/local/lib .
                                ln -s /usr/pbi/squid-amd64/local/libexec .
                                ln -s /usr/pbi/squid-amd64/local/share .
                                ln -s /usr/pbi/squid-amd64/bin sbin

                                Reboot pfSense after running the above commands (Diagnostics \ Reboot).

                                32-Bit (i386) Instructions

                                Download the PBI by running the command: fetch https://files.pfsense.org/packages/10/All/squid-3.5.3-i386.pbi

Install the package by running: pbi_add --no-checksig -f squid-3.5.3-i386.pbi

                                Run the commands below to create the correct directory structure

                                cd /usr/pbi/squid-i386/
                                rm -rf /usr/pbi/squid-i386/etc
                                ln -s /usr/pbi/squid-i386/local/etc .
                                ln -s /usr/pbi/squid-i386/local/lib .
                                ln -s /usr/pbi/squid-i386/local/libexec .
                                ln -s /usr/pbi/squid-i386/local/share .
                                ln -s /usr/pbi/squid-i386/bin sbin

                                Reboot pfSense after running the above commands (Diagnostics \ Reboot).
                                Verifying the Installation of Squid 3.5.3

                                After rebooting pfSense start a new SSH session (or use the web terminal) to verify the updated package was correctly installed.

                                When you run the command below you should see version 3.5.3 listed in the output.

                                /usr/local/sbin/squid -v

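The backup, symlink and restore steps from uncltom's post and the quoted hubpages instructions, collected into shell functions as an added example (not code from the thread, from Netgate or from the hubpages article). The file paths are the amd64 ones given above, but the package root is a parameter so the functions can be tried against a scratch directory before touching the appliance; fetching and installing the PBI itself is done with the `fetch` and `pbi_add` commands exactly as the thread shows and is not repeated here. The function names and the backup directory `/root/squid-conf-backup` are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: the post-install steps (back up the C-ICAP/ClamAV
# .pfsense configs, recreate the directory layout Squid 3.5.3 expects, restore the
# configs, verify) as reusable POSIX sh functions. ROOT is /usr/pbi/squid-amd64 on the
# appliance; it is passed in so the functions can be exercised in a scratch directory.

# The five files uncltom backs up, relative to ROOT (step 2)
PFSENSE_CONFS="local/etc/clamd.conf.pfsense
local/etc/freshclam.conf.pfsense
local/etc/c-icap/c-icap.conf.pfsense
local/etc/c-icap/c-icap.magic.pfsense
local/etc/c-icap/squidclamav.conf.pfsense"

# backup_confs ROOT BACKUPDIR: copy each .pfsense file, keeping its relative path,
# and fail before copying anything if one is missing (nothing to restore later)
backup_confs() {
  root=$1; bak=$2
  [ -n "$root" ] && [ -n "$bak" ] || return 1
  for f in $PFSENSE_CONFS; do
    [ -f "$root/$f" ] || { echo "backup_confs: missing $root/$f" >&2; return 1; }
  done
  for f in $PFSENSE_CONFS; do
    mkdir -p "$bak/$(dirname "$f")" && cp "$root/$f" "$bak/$f" || return 1
  done
}

# link_layout ROOT: the symlinks from step 4. The stale etc directory is replaced as in
# the hubpages variant; the other names are linked only when nothing is there yet, so a
# second run never drops a link inside an existing directory (what a bare "ln -s X ."
# would do when the target directory already exists).
link_layout() {
  root=$1
  [ -n "$root" ] && [ -d "$root/local" ] || return 1
  rm -rf "$root/etc"
  for d in etc lib libexec share; do
    [ -e "$root/$d" ] || ln -s "$root/local/$d" "$root/$d" || return 1
  done
  [ -e "$root/sbin" ] || ln -s "$root/bin" "$root/sbin" || return 1
}

# restore_confs ROOT BACKUPDIR: step 5, put the saved configs back where they belong
restore_confs() {
  root=$1; bak=$2
  [ -n "$root" ] && [ -n "$bak" ] || return 1
  for f in $PFSENSE_CONFS; do
    mkdir -p "$root/$(dirname "$f")" && cp "$bak/$f" "$root/$f" || return 1
  done
}

# verify_layout ROOT: 0 when every expected name is a link to an existing directory;
# otherwise prints each problem (this is what produced "sbin/squid: not found" above)
verify_layout() {
  root=$1; rc=0
  for d in etc lib libexec share sbin; do
    if [ ! -L "$root/$d" ] || [ ! -d "$root/$d" ]; then
      echo "verify_layout: $root/$d is not a link to an existing directory" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage on an amd64 appliance, around the fetch/pbi_add commands from the thread:
#   . ./squid35-layout.sh
#   backup_confs  /usr/pbi/squid-amd64 /root/squid-conf-backup
#   fetch https://files.pfsense.org/packages/10/All/squid-3.5.3-amd64.pbi
#   pbi_add --no-checksig -f squid-3.5.3-amd64.pbi
#   link_layout   /usr/pbi/squid-amd64
#   restore_confs /usr/pbi/squid-amd64 /root/squid-conf-backup
#   verify_layout /usr/pbi/squid-amd64 && /usr/local/sbin/squid -v
```

Running `verify_layout` before the reboot catches the failure trinidadrancheria hit (the squid binary not being found under sbin) while the old package is still restorable, instead of discovering it from the rc.bootup error after restart.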
agixdota

                                  hey thx for info  ;D

andikovaci

I tried but have an issue!

pbi_add --no-checksig -f squid-3.5.3-amd64.pbi
pbi_add: Command not found.

jimp (Rebel Alliance, Developer, Netgate)

                                      @andikovaci:

I tried but have an issue!

pbi_add --no-checksig -f squid-3.5.3-amd64.pbi
pbi_add: Command not found.

                                      pfSense 2.3 does not use PBIs, the information in this thread is for 2.2.x and perhaps 2.1.x. Your issue, whatever it may be, is unlikely to be related to this thread. Start a new thread stating your problem in detail and someone can attempt to help from there.
