Pfsense Squid SSL Intercept Some sites have issues



  • Hey all,

    Wondering if anyone has any idea what the issue is... I've got Squid3 w/ SquidGuard installed. Latest packages available. I've got my own CA (pfSense) and SSL enabled in Squid.

    When I hit a page, say https://www.google.com, it will work fine. I check the certificate and it's verified by my CA. So this is good.

    However, when I go to other sites like Facebook or YouTube, the pages only partially load. It looks like mostly text, or in the case of YouTube I see, in place of the ad on the main page:

    Content was blocked because it was not signed by a valid security certificate.

    For more information, see "About Certificate Errors" in Internet Explorer Help.

    I've uploaded a few example images of what I see.

    On top of all this, all http/https pages seem to load really slowly.

    Does anyone have any idea what I can do? Check?

    Hope to hear from you.

    Cheers!






  • Could you try it in another browser?

    Does anybody know if Internet Explorer uses certificate pinning for sites like Facebook?


  • Banned

    1/ If you install EMET, IE will use certificate pinning for similar sites.

    Other browsers use pinning already for high risk domains:

    https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
    https://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-

    2/ Squid 3.4 branch does not handle SNI.

    3/ Finally, and most importantly - you are breaking HTTPS and replacing original certificates with MITM crap. If you have issues with that - do yourself and your users a favor and stop using similar misfeatures.
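    The pinning point above is the crux of why an intercepting proxy fails on pinned sites. Pin validation (HPKP header or a browser's preloaded pin list) hashes the SubjectPublicKeyInfo of each certificate in the presented chain and passes only if at least one hash matches a stored pin. A chain minted on the fly by the pfSense CA contains none of the site's real keys, so the check fails no matter how trusted the local CA is. The following is an added example written for this thread, not code from pfSense, Squid or any browser; the SPKI byte strings and the `pin-sha256` header are constructed placeholders, not real keys or pins.

```python
import base64
import hashlib
from typing import Dict, List


def spki_pin(spki_der: bytes) -> str:
    """HPKP / Chromium pin format: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(header: str) -> Dict[str, object]:
    """Split a Public-Key-Pins header value into its pin list and other directives."""
    pins: List[str] = []
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, value = part.split("=", 1)
            name = name.strip().lower()
            value = value.strip().strip('"')
            if name == "pin-sha256":
                pins.append(value)
            else:
                directives[name] = value
        else:
            directives[part.lower()] = ""  # valueless directive, e.g. includeSubDomains
    return {"pins": pins, "directives": directives}


def chain_satisfies_pins(chain_spkis: List[bytes], pins: List[str]) -> bool:
    """Pin validation: ANY SPKI in the served chain must match ANY stored pin."""
    pinset = set(pins)
    return any(spki_pin(spki) in pinset for spki in chain_spkis)


def evaluate(chain_spkis: List[bytes], header: str) -> bool:
    """Parse the header, enforce the two-pin minimum, then validate the chain."""
    parsed = parse_pkp_header(header)
    pins = parsed["pins"]
    if len(pins) < 2:
        raise ValueError("HPKP requires at least two pins (one must be a backup)")
    return chain_satisfies_pins(chain_spkis, pins)


# Constructed SPKI stand-ins (not real DER); only their hashes matter here.
GENUINE_LEAF_SPKI = b"constructed-spki: www.example.test leaf key"
GENUINE_INTERMEDIATE_SPKI = b"constructed-spki: example intermediate CA key"
BACKUP_SPKI = b"constructed-spki: backup key held offline"
PROXY_CA_SPKI = b"constructed-spki: pfSense local CA key"
PROXY_LEAF_SPKI = b"constructed-spki: proxy-minted www.example.test key"

# Constructed header: the site pins its intermediate plus an offline backup key.
PKP_HEADER = (
    f'pin-sha256="{spki_pin(GENUINE_INTERMEDIATE_SPKI)}"; '
    f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    "max-age=5184000; includeSubDomains"
)


def demo():
    """Return (genuine chain passes?, intercepted chain passes?) -> (True, False)."""
    genuine_chain = [GENUINE_LEAF_SPKI, GENUINE_INTERMEDIATE_SPKI]
    intercepted_chain = [PROXY_LEAF_SPKI, PROXY_CA_SPKI]  # what Squid ssl_bump serves
    return evaluate(genuine_chain, PKP_HEADER), evaluate(intercepted_chain, PKP_HEADER)


if __name__ == "__main__":
    print(demo())
```

    One caveat when reading the linked Chromium FAQ against this model: Chrome skips pin validation when the served chain terminates in a locally installed (private) trust anchor, which is exactly the pfSense CA case, so a pin failure is not the only explanation for partially loading pages; a proxy that mints the wrong name because it cannot see the SNI, as noted for Squid 3.4, produces a plain untrusted-certificate error instead.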



  • @S.:

    Could you try it in another browser?

    Does anybody know if Internet Explorer uses certificate pinning for sites like Facebook?

    Thanks for the reply S. Kirschner. I should have mentioned that I had tried this in different browsers. I believe I get similar results using Firefox.

    On YouTube I will see, in place of where the advertisement is:

    This Connection is Untrusted

    ...etc...

    Cheers!



  • I found squid in transparent mode far too much of a hassle with endless glitches. Made it explicit and now I have no problems.



  • @doktornotor:

    1/ If you install EMET, IE will use certificate pinning for similar sites.

    Other browsers use pinning already for high risk domains:

    https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
    https://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-

    2/ Squid 3.4 branch does not handle SNI.

    3/ Finally, and most importantly - you are breaking HTTPS and replacing original certificates with MITM crap. If you have issues with that - do yourself and your users a favor and stop using similar misfeatures.

    Hi doktornotor,

    Not totally clear on what this EMET is? Though since pinning seems to already be enabled in other browsers, I don't think this will solve my issue?

    3/ Yes, I am aware MITM is breaking SSL. However, how else can one filter https traffic?

    Cheers!



  • @KOM:

    I found squid in transparent mode far too much of a hassle with endless glitches. Made it explicit and now I have no problems.

    Hey KOM,

    I'm not using transparent mode. I'm entering the info into my browser's proxy settings in order to enable using the proxy server.

    Cheers!



  • If you're not running transparent, why are you talking about certificates? No certs required if you're running explicit.



  • @KOM:

    If you're not running transparent, why are you talking about certificates? No certs required if you're running explicit.

    Select Certificate Authority to use when SSL interception is enabled.
    To create a CA on pfSense, go to System -> Cert Manager.
    Install the CA certificate as a Trusted Root CA on each computer you want to filter SSL on to avoid SSL error on each connection.

    I was under the impression that I needed to intercept SSL in order to be able to filter sites that use it?



  • Wow I feel a bit silly now. Seems to be working better now without the SSL stuff turned on. :)

    Thanks!

    However, is there any way of getting rid of these types of pages? Using YouTube again as an example...

    See attached image.

    I've already got the options:

    Clean Advertising
    Check this option to display a blank gif image instead of the default block page. With this option the user gets a cleaner webpage.

    and in my blacklist ads are set to deny
    

    Cheers!




  • No idea, perhaps your install is borked somehow by the configuration you chose. You're making progress though. Does it do this for all blocked ads?



  • @KOM:

    No idea, perhaps your install is borked somehow by the configuration you chose. You're making progress though. Does it do this for all blocked ads?

    It appears so far, yes.



  • At least now it looks like a squidguard issue. If you turn off all blocking, do the ads appear normally? Post screens of your squidguard settings.

    OK I just tried it and get the same result. I can't immediately figure out how to prevent it.



  • So I'm still baffled.

    I've checked around online for various people's tutorials on installing SquidGuard 1.4. They all seem to imply there is a blank.gif image that is used. However, when I check the actual package for 1.4 (from SquidGuard) it does not contain this.

    I did find a blank.gif on a GitHub site for SquidGuard Adblock and was trying to get this working, but nothing I do seems to work.

    I mainly tried changing the redirection URL to point to the gif, which I uploaded to my pfSense box. Still nothing.

    Starting to think that the "error" I see is potentially not related to the adblock. It does say:

    Can't establish a connection to the server at ad.doubleclick.net.

    Anyone have any thoughts? Suggestions?

    Cheers!



  • Anyone?

