Re: [pfSense] Problem with Chrome - HTTP transparent proxy with SSL filtering

2017-11-03 Thread Rainer Duffner

> Am 03.11.2017 um 14:40 schrieb Richard A. Relph :
> 
> I’ve heard Google will be removing certificate pinning from Chrome soon…
> 


Yeah, for public sites. They’ll still make sure nobody can sign anything 
*.google.*, have users import a private root certificate and then sniff 
connections to them.

Not. Gonna. Happen.

Public CAs will also not sign anything that contains the word „google“, BTW.
Most will just silently drop it.




___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] CARP Demotion Not Working

2017-11-03 Thread Melvin
But think of the time you would have wasted instead. Just trading a little 
pride for time. Seems like a good deal most times. 

On Nov 3, 2017, 15:02, at 15:02, Andrew Kester  wrote:
>Actually, it looks like Node B was indeed in maintenance mode.  Setting
>
>it back to normal seems to have resolved the problem.
>
>(That always seems to happen: send mail to a mailing list and it's 
>something silly on my end)
>
>---
>Thanks!
>
>Andrew Kester
>The Storehouse
>https://sthse.co
>

Re: [pfSense] CARP Demotion Not Working

2017-11-03 Thread Andrew Kester
Actually, it looks like Node B was indeed in maintenance mode.  Setting 
it back to normal seems to have resolved the problem.


(That always seems to happen: send mail to a mailing list and it's 
something silly on my end)


---
Thanks!

Andrew Kester
The Storehouse
https://sthse.co

On 11/3/17 11:23 AM, Steve Yates wrote:
> Are you using the "enter persistent maintenance mode" here?  I'm trying
> to remember when I looked at this a couple years ago but overall if we shut down node A,
> node B takes over, and when A boots up it becomes Master again.  However if I enter
> maintenance mode first (forcing B to Master) then B stays as Master after A comes up
> again.
>
> I have seen the occasional situation where we exit maintenance mode and
> the IPv6 CARP WAN IP ends up with *both* routers showing as Master, but at that
> point I restart node B and it clears out (we have CARP IPs for two LANs and a
> WAN, and both IPv4 and IPv6, on two virtualized routers).
>
> --
>
> Steve Yates
> ITS, Inc.


Re: [pfSense] CARP Demotion Not Working

2017-11-03 Thread Steve Yates
Are you using the "enter persistent maintenance mode" here?  I'm trying 
to remember when I looked at this a couple years ago but overall if we shut 
down node A, node B takes over, and when A boots up it becomes Master again.  
However if I enter maintenance mode first (forcing B to Master) then B stays as 
Master after A comes up again.

I have seen the occasional situation where we exit maintenance mode and 
the IPv6 CARP WAN IP ends up with *both* routers showing as Master, but at that 
point I restart node B and it clears out (we have CARP IPs for two LANs and a 
WAN, and both IPv4 and IPv6, on two virtualized routers).

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Andrew Kester
Sent: Friday, November 3, 2017 10:49 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] CARP Demotion Not Working

An update on this, if the master node is rebooted during a failure, the 
secondary node takes over correctly and remains the master as would be 
expected.

This makes me think that the priority is set correctly but the second 
node for some reason isn't honoring the advskew set by the master correctly.

To illustrate what I mean-

---
| Node A | Node B |
---
| M M| B B| Normal, Node A is master on all CARP IP's
| M X| B M| Failure, incorrect though.  Node B should be master.
| - -| M M| Node A Offline, B takes over as master correctly
| B X| M M| After restart, correct behavior.  Node B is master.
---
M - Master
X - Down
B - Backup

I've also run through the CARP troubleshooting guide here to no avail. 
https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting

Let me know if you need more information or clarification, I'm not sure 
the best way to illustrate / communicate my problem.

---
Thanks,

Andrew Kester
The Storehouse
https://sthse.co


Re: [pfSense] (no subject)

2017-11-03 Thread Roberto Carna
OK thank you so much!!!

2017-11-02 11:57 GMT-03:00 Roberto Carna :
> People, I have pfSense 2.4 with Squid and Squidguard.
>
> I enable HTTP transparent proxy and SSL filtering with Splice All.
>
> From our Android cell phones, if we use Firefox TO NAVIGATE everything
> is OK, but if we use Chrome we can't go to Google and some other HTTPS
> sites.
>
> We reviewed firewall rules, NAT and denied target categories and
> everything seems OK.
>
> What can be the problem with Chrome ???
>
> Thanks a lot,
>
> ROBERTO


Re: [pfSense] CARP Demotion Not Working

2017-11-03 Thread Andrew Kester
An update on this, if the master node is rebooted during a failure, the 
secondary node takes over correctly and remains the master as would be 
expected.


This makes me think that the priority is set correctly but the second 
node for some reason isn't honoring the advskew set by the master correctly.


To illustrate what I mean-

---
| Node A | Node B |
---
| M M| B B| Normal, Node A is master on all CARP IP's
| M X| B M| Failure, incorrect though.  Node B should be master.
| - -| M M| Node A Offline, B takes over as master correctly
| B X| M M| After restart, correct behavior.  Node B is master.
---
M - Master
X - Down
B - Backup

I've also run through the CARP troubleshooting guide here to no avail. 
https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting


Let me know if you need more information or clarification, I'm not sure 
the best way to illustrate / communicate my problem.


---
Thanks,

Andrew Kester
The Storehouse
https://sthse.co

On 11/1/17 3:30 PM, Andrew Kester wrote:
> Hi List,
>
> I'm having an issue with CARP preempt.  I have two pfSense machines
> running 2.4.1-RELEASE.  CARP fails over all individual IPs correctly,
> but doesn't preempt correctly in the case of a single failure.
>
> On both machines, I've checked that net.inet.carp.preempt is enabled.
> The master appears to be detecting the demotion, as it sets
> net.inet.carp.demotion to 240 during a failure, but ifconfig still
> reports advskew as 0.
>
> I'm not 100% sure if that number should update, or if the demotion
> number is added to the advskew reported by ifconfig.
>
> Relevant sysctl, ifconfig, and log output taken from the master firewall
> during a failure is attached.
>
> Any help is greatly appreciated!
>
> ---
> Thanks,
>
> Andrew Kester
> The Storehouse
> https://sthse.co


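
The thread asks whether net.inet.carp.demotion is added to the advskew that ifconfig reports, and the cause turned out to be a node left in maintenance mode. The model below, added here as an example and not code from pfSense or FreeBSD, replays those scenarios under three labelled assumptions: the kernel caps the advertised skew at 240, pfSense maintenance mode sets advskew to 254, and the secondary node's default advskew is 100.

```python
from dataclasses import dataclass

CARP_MAXSKEW = 240         # assumption: cap the kernel applies to the advertised skew
MAINTENANCE_ADVSKEW = 254  # assumption: advskew pfSense sets in persistent maintenance mode
SECONDARY_ADVSKEW = 100    # assumption: pfSense default advskew on the secondary node
DEMOTION_ON_FAILURE = 240  # from the thread: net.inet.carp.demotion seen during a failure


@dataclass
class Node:
    name: str
    advskew: int       # advskew configured on the VIP; this is what ifconfig reports
    demotion: int = 0  # net.inet.carp.demotion on this node
    up: bool = True    # False: the node sends no advertisements at all

    def advertised_skew(self) -> int:
        """Skew actually sent on the wire: configured advskew plus demotion, capped.

        ifconfig keeps showing the configured value, so a demoted master still
        reports advskew 0 even though it advertises a much worse skew.
        """
        return min(self.advskew + self.demotion, CARP_MAXSKEW)


def next_master(master: Node, backup: Node, preempt: bool = True) -> str:
    """Name of the node that holds MASTER on one VIP after the next advertisement.

    With net.inet.carp.preempt=1 a backup takes over as soon as its own
    advertised skew is strictly better (lower) than the master's; an equal or
    worse skew leaves the current master in place. With preempt off, the backup
    only takes over once the master's advertisements stop.
    """
    if not master.up:
        return backup.name
    if preempt and backup.advertised_skew() < master.advertised_skew():
        return backup.name
    return master.name


def replay_thread() -> dict:
    """Replay the situations described in the thread; returns scenario -> master."""
    a = Node("A", advskew=0)
    b = Node("B", advskew=SECONDARY_ADVSKEW)
    a_failed = Node("A", advskew=0, demotion=DEMOTION_ON_FAILURE)
    b_maint = Node("B", advskew=MAINTENANCE_ADVSKEW)  # the thread's actual state
    a_down = Node("A", advskew=0, up=False)
    return {
        "normal": next_master(a, b),
        "failure, B healthy": next_master(a_failed, b),
        "failure, B left in maintenance mode": next_master(a_failed, b_maint),
        "failure, preempt disabled": next_master(a_failed, b, preempt=False),
        "A offline": next_master(a_down, b_maint),
    }


if __name__ == "__main__":
    for scenario, master in replay_thread().items():
        print(f"{scenario:38s} -> MASTER is node {master}")
```

A node in maintenance mode advertises a skew no better than a fully demoted master, so the master keeps the VIPs on its healthy interfaces, which is the "M X | B M" row in the table above.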

Re: [pfSense] Problem with Chrome - HTTP transparent proxy with SSL filtering

2017-11-03 Thread Yaroslav Samoylenko
Public or private CA, the issue will persist.

On Nov 3, 2017 8:39 AM, "Roberto Carna"  wrote:

> OK Jon, thanks for your time and explanation.
>
> So a last question please: now I put in Squid of pfSense a private CA
> certificate...is it the same if I put a public CA certificate? Will I
> experience the same HTTPS behaviour related to Chrome and Firefox?
>
> Thanks a lot again.
>
> ROBERTO
>


Re: [pfSense] Problem with Chrome - HTTP transparent proxy with SSL filtering

2017-11-03 Thread Richard A. Relph
I’ve heard Google will be removing certificate pinning from Chrome soon...

> On Nov 3, 2017, at 8:26 AM, Yaroslav Samoylenko  wrote:
> 
> Chrome has a Certificate Pinning feature. This feature takes the Google
> certs and checks their fingerprints against the known good ones.
> 
> AFAIK this is an issue with all HTTPS proxies from at least BlueCoat,
> Cisco, SonicWall and Checkpoint.
> 
> The suggested solution is to bypass SSL filtering for those sites. Depending on
> your organizational policy, you may block them altogether.
> 
> Regards,
> Yaroslav
> 

Re: [pfSense] Problem with Chrome - HTTP transparent proxy with SSL filtering

2017-11-03 Thread Yaroslav Samoylenko
Chrome has a Certificate Pinning feature. This feature takes the Google
certs and checks their fingerprints against the known good ones.

AFAIK this is an issue with all HTTPS proxies from at least BlueCoat,
Cisco, SonicWall and Checkpoint.

The suggested solution is to bypass SSL filtering for those sites. Depending on
your organizational policy, you may block them altogether.

Regards,
Yaroslav

On Nov 2, 2017 11:00 AM, "Roberto Carna"  wrote:

> People, I have pfSense 2.4 with Squid and Squidguard.
>
> I enable HTTP transparent proxy and SSL filtering with Splice All.
>
> From our Android cell phones, if we use Firefox TO NAVIGATE everything
> is OK, but if we use Chrome we can't go to Google and some other HTTPS
> sites.
>
> We reviewed firewall rules, NAT and denied target categories and
> everything seems OK.
>
> What can be the problem with Chrome ???
>
> Thanks a lot,
>
> ROBERTO


Re: [pfSense] Problem with Chrome - HTTP transparent proxy with SSL filtering

2017-11-03 Thread Roberto Carna
OK Jon, thanks for your time and explanation.

So a last question please: now I put in Squid of pfSense a private CA
certificate...is it the same if I put a public CA certificate? Will I
experience the same HTTPS behaviour related to Chrome and Firefox?

Thanks a lot again.

ROBERTO

2017-11-02 20:47 GMT-03:00 Jon Gerdes :
> Roberto
>
> NFF: Product working as designed
>
> When you use splice, you are doing a Man In The Middle (MitM) attack on
> your own users.  Chrome is a Google product and they have enabled
> https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning and other things to
> detect this sort of thing.
>
> This could be seen as an abuse by Google
> https://www.troyhunt.com/bypassing-browser-security-warnings-with-pseudo-password-fields/
> or you could consider that end users should have an expectation of privacy by
> default.  For example, what if your users do online banking through
> your proxy?  You could easily grab usernames and passwords and other
> personal details or worse if you abuse the trust that SSL/TLS should
> allow.
>
> Think very hard about the implications of attempting to break the
> contract that SSL/TLS is designed to provide - end to end encryption
> with no tampering and guaranteed privacy.
>
> Cheers
> Jon
>
>
>
>