Netgate Discussion Forum

    Transparent Proxy - ssl_error_bad_cert_domain

slu

Hi,

I installed an HTTPS proxy today and installed my CA in the browser.
Most HTTPS pages work, but on some I get the following error: Error code: ssl_error_bad_cert_domain

Did I do something wrong in my config?

pfSense Gold subscription

killmasta93

Why not better with WPAD? Much easier and no need to install the cert on each computer.

Tutorials:

https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

slu

No option for this setup; it is much easier to install the certs.
Lots of products use this transparent proxy, so why shouldn't it work with pfSense?

Maybe it is a setting and my fault?

pfSense Gold subscription

slu

If I understand this right, the problem on this web server is the SNI.
Opening the website without Squid shows the FQDN as the CN; with ssl_bump the CN is the IP address.

Maybe Squid 3.5 solves this issue?

pfSense Gold subscription

killmasta93

Not really sure if 3.5 will fix your issue, but give it a try. When I mention WPAD, you can run it along with the transparent proxy too; the WPAD will block HTTPS and the transparent proxy will block HTTP.

Tutorials:

https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

chidgear

@killmasta93:

Not really sure if 3.5 will fix your issue, but give it a try. When I mention WPAD, you can run it along with the transparent proxy too; the WPAD will block HTTPS and the transparent proxy will block HTTP.

OMFG!!!! Mind-blowing!!!!
I never thought that was possible!
I have to try that… when I get some PC to do the tests. I cannot risk doing it on the working environment.
Thanks for the advice.

@slu:

Hi,

I installed an HTTPS proxy today and installed my CA in the browser.
Most HTTPS pages work, but on some I get the following error: Error code: ssl_error_bad_cert_domain

Did I do something wrong in my config?

slu, I had similar troubles (a blue squid with the word "NOW" appears in the upper left corner). I solved this by obtaining the IP address; sometimes it appears on the screen followed by the port, for example:

123.45.167.89:443

So, in this case, you need to add 123.45.167.89 to the "Bypass Proxy for These Destination IPs" field in "Transparent Proxy Settings" (if using squid3). I suggest you use an alias (Firewall -> Aliases). This way, you only need to edit the alias, and you avoid filling in the proxy settings every time and getting lost in the amount of IPs in the future.

Good Luck!
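The two observations in this thread, slu's note that an ssl_bump certificate generated without SNI carries the destination IP as its CN, and chidgear's workaround of collecting the "ip:port" shown on the error page into a bypass alias, can be reproduced offline. The following Python is an added example, not code from the thread, from pfSense or from Squid; the two certificate dictionaries and the error-page strings are constructed sample data, and the `san` entries mimic what a browser reads from the subjectAltName extension.

```python
import ipaddress
import re

# Constructed sample certificates (not captured from any real server).
# What the origin server presents: names the FQDN the browser asked for.
ORIGIN_CERT = {
    "subject_cn": "www.example.com",
    "san": ["DNS:www.example.com", "DNS:example.com"],
}
# What a transparent ssl_bump produces when the client sent no SNI: the proxy
# only knows the destination IP, so the generated certificate names that IP.
BUMPED_WITHOUT_SNI_CERT = {
    "subject_cn": "123.45.167.89",
    "san": ["IP:123.45.167.89"],
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a wildcard is only
    accepted as the whole left-most label (*.example.com matches
    www.example.com but not a.b.example.com or example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, cert):
    """True if the name the browser requested is covered by the certificate.
    When a SAN list is present it is authoritative; the subject CN is only
    consulted as a legacy fallback when there is no SAN at all."""
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None  # the browser asked for a DNS name, not an IP
    san = cert.get("san", [])
    if san:
        for entry in san:
            kind, _, value = entry.partition(":")
            if kind == "DNS" and wanted_ip is None and _dns_name_matches(value, hostname):
                return True
            if kind == "IP" and wanted_ip is not None and ipaddress.ip_address(value) == wanted_ip:
                return True
        return False
    return _dns_name_matches(cert.get("subject_cn", ""), hostname)


def browser_verdict(hostname, cert):
    """Mirror the browser's decision: accept, or raise the domain-mismatch error."""
    return "ok" if hostname_matches(hostname, cert) else "ssl_error_bad_cert_domain"


# Accepts "ip" or "ip:port" as shown on the proxy error page; port is ignored.
_IP_PORT = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\s*$")


def parse_bypass_entries(lines):
    """Turn the strings copied from the error page into a de-duplicated list of
    IPv4 addresses suitable for a pfSense alias used in the bypass field."""
    seen, result = set(), []
    for line in lines:
        m = _IP_PORT.match(line)
        if not m:
            continue
        ip = m.group(1)
        try:
            ipaddress.ip_address(ip)  # rejects octets above 255
        except ValueError:
            continue
        if ip not in seen:
            seen.add(ip)
            result.append(ip)
    return result


if __name__ == "__main__":
    for cert in (ORIGIN_CERT, BUMPED_WITHOUT_SNI_CERT):
        print(cert["subject_cn"], "->", browser_verdict("www.example.com", cert))
    # Constructed error-page strings: one with a port, one duplicate, one invalid.
    print(parse_bypass_entries(["123.45.167.89:443", "123.45.167.89", "not an ip"]))
```

Running it shows the origin certificate passing and the bumped one failing with exactly the error slu saw: the browser compares the requested FQDN against the SAN list, and a SAN containing only the IP can never satisfy it. The bypass entry for that IP keeps the site out of the bump path, which is why chidgear's alias workaround makes the error disappear without touching the CA.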
killmasta93

OMFG!!!! Mind-blowing!!!!
I never thought that was possible!
I have to try that… when I get some PC to do the tests. I cannot risk doing it on the working environment.
Thanks for the advice.

Yeah, cool, but if you want a limiter it will break it :( But now not sure if the limiter is worth it when traffic shaping using CoDel seems to work wonders for now on the VoIP.

Tutorials:

https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials
