Hi Mohan,
I think it needs SNI forwarding from the client request to the squid request,
which it seems is not yet implemented in squid.
see: http://wiki.squid-cache.org/Features/SslPeekAndSplice
I think currently something like this is happening:
openssl s_client -connect gmail.com:443 | grep subject
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
Whereas if the proper SNI value had been sent, a different
certificate would be returned:
openssl s_client -connect gmail.com:443 -servername gmail.com | grep subject
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=gmail.com
That means Google is using SNI to determine what certificate to send
back, and squid is probably sending the wrong or no SNI extension in the
request for a server-certificate.
Short of implementing those changes, getting them merged into a main
branch and getting it released, there is no workaround. There seems to
be some work going on for that though. If you can compile squid
yourself on FreeBSD 8.3 you might be able to use that specific
development branch.
My two cents,
PiBa-NL
Nicola Ferrari (#554252) wrote on 22-9-2014 8:24:
That's the correct behaviour: you're getting a cert warning because you
are doing https filtering, so your pfsense needs to "inspect" https
traffic: this is a sort of "man in the middle", so the browser detects
that the source cert is varied in its CommonName field.
Usually I don't use https filtering. If I need to filter HTTPS for
some reason, I simply work in a whitelisting configuration: https
traffic is denied except for allowed domains.
N
On 19/09/2014 17:49, A Mohan Rao wrote:
Hello experts,
I'm struggling with https filtering. Does anybody have an idea how I
can configure it? All other sites are working well, but Google and some other
reputed sites are giving certificate errors. I already checked with IE, Firefox
and Chrome etc.
Same error.
Please give me an idea how I can resolve this problem.
Thanks
Mohan
_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list