Hi Mohan,

I think it needs SNI forwarding from client-request to squid-request, which it seems is not yet implemented in squid.
See: http://wiki.squid-cache.org/Features/SslPeekAndSplice

I think currently something like this is happening:
openssl s_client -connect gmail.com:443 | grep subject
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com

Whereas if the proper SNI value had been sent, a different certificate would be returned:
openssl s_client -connect gmail.com:443 -servername gmail.com | grep subject
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=gmail.com

That means Google is using SNI to determine what certificate to send back, and squid is probably sending the wrong or no SNI extension in the request for a server-certificate.

Short of implementing those changes, getting them merged into a main branch and getting it released, there is no workaround. There seems to be some work going on for that though. If you can compile squid yourself on FreeBSD 8.3 you might be able to use that specific development branch.

My two cents,
PiBa-NL

Nicola Ferrari (#554252) wrote on 22-9-2014 8:24:
That's the correct behaviour: you're getting a cert warning because you are doing https filtering, so your pfsense needs to "inspect" https traffic: this is a sort of "man in the middle", so the browser detects that the source cert is varied in its CommonName field.

Usually I don't use https filtering. If I need to filter HTTPS for some reason, I simply work in a whitelisting configuration: https traffic is denied except for allowed domains.

N


On 19/09/2014 17:49, A Mohan Rao wrote:
Hello experts,

I'm struggling with https filtering. Does anybody have an idea how to
configure it? All other sites are working well, but Google and some other
reputed sites are giving certificate errors. I already checked with IE, Firefox,
Chrome, etc.
Same error.

Please give me an idea how I can resolve this problem.

Thanks
Mohan



_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list



