Transparent Proxy - ssl_error_bad_cert_domain



  • Hi,

    I installed an https proxy today and installed my CA in the browser.
    Most https pages work, but on some I get the following error: Error code: ssl_error_bad_cert_domain

    Did I do something wrong in my config?



  • Why not use WPAD instead? It is much easier, and there is no need to install the cert on each computer.



  • That is not an option for this setup; it is much easier to install the certs.
    Lots of products use this kind of transparent proxy, so why shouldn't it work with pfSense?

    Maybe it is a setting and my fault?



  • If I understand this right, the problem on this web server is the SNI.
    Opening the website without Squid shows the FQDN as the CN; with ssl_bump the CN is the IP address.

    Maybe Squid 3.5 solves this issue?
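The mismatch described in the post above, as an added example that is not part of this thread: a small Python model of the browser-side hostname check that raises ssl_error_bad_cert_domain (SAN entries first, subject CN only as a legacy fallback, a wildcard only in the leftmost label, IP literals matched only against IP SANs). The certificate names are constructed inline; the origin certificate carrying the FQDN and the proxy-minted one carrying only the destination IP as CN are assumptions modelled on the report above, and nothing here talks to the network.

```python
# Added example (not from the thread): model the browser's hostname check
# that produces ssl_error_bad_cert_domain. All certificate names below are
# constructed for illustration; no network access is involved.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CertNames:
    """The identity fields a browser looks at: subject CN plus SAN entries."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a single '*' as the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_rest = pattern.split(".")[1:]
    h_labels = host.split(".")
    # The wildcard covers exactly one label, and bare wildcards such as
    # *.net are rejected (at least two labels must follow the '*').
    return (len(p_rest) >= 2
            and len(h_labels) == len(p_rest) + 1
            and h_labels[1:] == p_rest)


def hostname_matches(cert: CertNames, requested: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for the name the browser was asked to reach."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None

    if ip is not None:
        # An IP literal in the URL is only matched against iPAddress SANs,
        # never against a CN that merely looks like an address.
        for san in cert.san_ip:
            if ipaddress.ip_address(san) == ip:
                return True, f"IP SAN {san} matches"
        return False, f"no IP SAN for {requested} -> ssl_error_bad_cert_domain"

    # Browsers consult dNSName SANs; the CN is consulted only when the
    # certificate carries no DNS SANs at all.
    candidates = cert.san_dns if cert.san_dns else [cert.subject_cn]
    for name in candidates:
        if _dns_name_matches(name, requested):
            return True, f"{name} matches {requested}"
    return False, f"{requested} not in {candidates} -> ssl_error_bad_cert_domain"


def diagnose(requested: str, direct: CertNames, bumped: CertNames) -> Dict[str, Tuple[bool, str]]:
    """Compare the certificate seen directly with the one a bumping proxy minted."""
    return {
        "direct": hostname_matches(direct, requested),
        "bumped": hostname_matches(bumped, requested),
    }


if __name__ == "__main__":
    # Constructed data mirroring the report above: the direct connection shows
    # the FQDN, the bumped connection shows only the destination IP as CN.
    origin = CertNames("www.example.net", san_dns=["www.example.net", "example.net"])
    minted = CertNames("203.0.113.10")  # hypothetical proxy-generated cert, no SNI known
    for side, (ok, why) in diagnose("www.example.net", origin, minted).items():
        print(f"{side:7s} {'OK ' if ok else 'ERR'} {why}")
```

Run it as a script to see the direct certificate accepted and the minted one rejected for the same URL; the rejection reason is the same condition the browser reports as ssl_error_bad_cert_domain. A proxy that learns the requested name (for example from the TLS SNI) before minting a certificate avoids the mismatch; one that only knows the destination IP cannot.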



  • Not really sure if 3.5 will fix your issue, but give it a try. When I mention WPAD, you can run it along with the transparent proxy too: the WPAD will block https and the transparent proxy will block http.



  • @killmasta93:

    Not really sure if 3.5 will fix your issue, but give it a try. When I mention WPAD, you can run it along with the transparent proxy too: the WPAD will block https and the transparent proxy will block http.

    OMFG!!!! Mind blown!!!!
    I never thought that was possible!
    I have to try that… when I get some PCs to do the tests. I cannot risk doing it in the working environment.
    Thanks for the advice.

    @slu:

    Hi,

    I installed an https proxy today and installed my CA in the browser.
    Most https pages work, but on some I get the following error: Error code: ssl_error_bad_cert_domain

    Did I do something wrong in my config?

    slu, I had similar troubles (a blue squid with the word "NOW" appears in the upper left corner). I solved this by obtaining the IP address; sometimes it appears on the screen followed by the port, for example:
    ```
    123.45.167.89:443
    ```

    So, in this case, you need to add 123.45.167.89 to the "Bypass Proxy for These Destination IPs" field in "Transparent Proxy Settings" (if using squid3). I suggest you use an alias (Firewall -> Aliases). This way, you only need to edit the alias, and you avoid having to fill in the proxy settings every time and getting lost in the number of IPs in the future.

    Good Luck!


  • OMFG!!!! Mind blown!!!!
    I never thought that was possible!
    I have to try that… when I get some PCs to do the tests. I cannot risk doing it in the working environment.
    Thanks for the advice.

    Yeah, cool, but if you want a limiter it will break it :( But now I'm not sure if the limiter is worth it, when traffic shaping using CoDel seems to work wonders for now on the VoIP.