HTTPS / SSL Inspection Errors



  • Hello friends, I am having difficulties with pfSense 2.2.6.
    I installed squid3 and SquidGuard, generated an internal certificate and imported it on my Windows 7 computer. When I enable HTTPS / SSL Inspection, using port 3129 on squid3, some sites have problems: Facebook, some government websites and banks simply do not load. Chrome presents an invalid certificate error, and IE presents a DNS resolution error.

    Please, I would like your help, what can I be doing wrong?

    Thank you !



  • This is because of HSTS and HPKP - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security and https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

    As far as I know, you cannot work around it, as that's sort of the whole point of HSTS and HPKP: to prevent an attacker from performing a man-in-the-middle SSL hijack on an SSL site you've previously visited. Unfortunately, it also breaks the traditional method proxies use for SSL interception and decryption.



  • Okay friend, I read the article on the Wiki but did not understand what to do in pfSense to avoid this situation on websites, specifically Facebook, Google and others.

    What setting should I change in pfSense?

    Or would it be in the browser?


  • LAYER 8 Global Moderator

    Dude, you're just not getting it, are you!!!

    "you cannot work around it as that's sort of the whole point of HSTS and HPKP"



  • Forgive me, John Poz, I do not understand!


  • LAYER 8 Global Moderator

    Dude, there is no setting you can change in pfSense/squid to get rid of the errors… You're trying to do a MITM against an https site that is using HSTS/HPKP; preventing such a thing is the whole point of HSTS/HPKP.

    You will have to use a browser that allows you to disable these features if you want to do it.. I thought you said you read the wiki..



  • Excuse me, I'm in Brazil and have not mastered English; I use a translator, and unfortunately your previous message was not clear to me.

    Thank you !





  • @ivanildogalvao:

    I will do tests using the tip from this site.

    https://kamaradski.com/2856/chrome-clear-hsts-state-http-strict-transport-security

    That will clear the HSTS state, but you still won't be able to avoid the public key pinning (HPKP). HPKP is designed so the source server can tell the client what the thumbprint of the SSL certificate should be. If that doesn't match (and in your case it won't, since you're spoofing the certificate on your proxy), the browser will throw an error.

    I had a friend in Brazil translate it to Portuguese for you (the Portuguese version rendered back into English here):

    That will clear the HSTS state, but you still cannot avoid the public key pinning (HPKP). HPKP was created so the server can tell the client what content the SSL certificate must have. If the SSL certificate does not match (and in your case it will not match, because you cannot fake the SSL certificate of your proxy), the browser will show an error.



  • Hello, so must I live with the error when accessing Facebook and Google? These are some of the few sites that present the certificate error, even with the certificate installed normally on the workstation.

    I want to use SSL Inspection of squid3 but without displaying errors and inconvenience to users.

    What should I do? Anything?

    Thank you, friend!

    Portuguese (translated):

    Hello, so must I live with the error when accessing Facebook and Google? These are some of the few sites that present the certificate error, even with the certificate installed normally on the workstation.

    I want to use the SSL Inspection of Squid3, but without presenting errors and inconvenience to users.

    What should I do? Nothing?

    Thank you, friend!



  • I want to use SSL Inspection of squid3 but without displaying errors and inconvenience to users.

    What should I do? Anything?

    Transparent proxy won't help you at all. Run squid in explicit mode. Configure WPAD so that most OSes can find the proxy on their own. Others will have to be configured manually.
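The last reply recommends an explicit proxy discovered through WPAD. The following is an added example of the PAC file that WPAD serves, not from the thread or from pfSense: the proxy address 192.168.1.1:3128 (Squid's default explicit port), the LAN range 192.168.1.0/24 and the internal host names are assumptions. Browsers provide the PAC helper functions (isPlainHostName, dnsResolve, isInNet) themselves; the shims at the bottom only exist so the routing logic can be exercised with Node before the file is published as wpad.dat, and they are skipped when a browser has already defined the real helpers. The DNS table in the shim is constructed.

```javascript
// Added example, not from the pfSense thread: a WPAD/PAC file for the explicit
// Squid setup recommended above. Proxy 192.168.1.1:3128, the 192.168.1.0/24
// LAN and the host names used below are assumptions.
function FindProxyForURL(url, host) {
  // Single-label names (no dots) are local and go direct.
  if (isPlainHostName(host)) return "DIRECT";
  // The proxy/gateway itself is never reached through the proxy.
  if (host === "192.168.1.1") return "DIRECT";
  // Anything resolving into the LAN goes direct (dnsResolve returns null on failure).
  const ip = dnsResolve(host);
  if (ip !== null && isInNet(ip, "192.168.1.0", "255.255.255.0")) return "DIRECT";
  // Everything else, http and https alike, goes through the explicit Squid port.
  // No "; DIRECT" fallback: if the proxy is down, traffic fails closed rather
  // than silently bypassing filtering and inspection.
  return "PROXY 192.168.1.1:3128";
}

// Shims so the file can be tested with Node; a browser supplies the real ones.
if (typeof isPlainHostName === "undefined") {
  // Constructed DNS table standing in for the LAN resolver.
  const FAKE_DNS = {
    "intranet.example.lan": "192.168.1.20",
    "www.example.com": "203.0.113.10",
  };
  const toInt = (dotted) =>
    dotted.split(".").reduce((acc, octet) => ((acc << 8) | parseInt(octet, 10)) >>> 0, 0);

  globalThis.isPlainHostName = (h) => h.indexOf(".") === -1;
  globalThis.dnsResolve = (h) =>
    /^\d{1,3}(\.\d{1,3}){3}$/.test(h) ? h : FAKE_DNS[h] === undefined ? null : FAKE_DNS[h];
  globalThis.isInNet = (ip, net, mask) =>
    ip !== null && (toInt(ip) & toInt(mask)) >>> 0 === (toInt(net) & toInt(mask)) >>> 0;
}

// Quick self-check when run directly with Node.
if (typeof module !== "undefined" && require.main === module) {
  console.log(FindProxyForURL("http://intranet/", "intranet"));
  console.log(FindProxyForURL("https://www.facebook.com/", "www.facebook.com"));
}
```

Publish the file at http://wpad.<your-domain>/wpad.dat with the DHCP option 252 or a "wpad" DNS record pointing to it, and note that Squid in explicit mode still mints certificates for bumped https sites, so the sites that pin their keys fail in the same way; what the explicit proxy changes is that the browser knows it is talking to a proxy, which removes the DNS-resolution errors and lets clients that cannot be bumped be excluded in the PAC file.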

