Re: [pfSense] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread WebDawg
You may just want to switch to inspection.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread Paul Mather
On Feb 6, 2018, at 10:03 AM, Roberto Carna <robertocarn...@gmail.com> wrote:

> Dear Alex, so there is no solution to the given problem?
>
> I am referring to installing a CA private certificate on mobile devices
> and letting them navigate and use applications through a transparent
> proxy without SSL errors...


It could be that the applications and devices you consider "don't work
correctly" are employing certificate and public key pinning (see, e.g.,
https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning and
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning). It is a technique
intended to defend against the very kind of certificate misuse in which you
appear to be engaged.

Cheers,

Paul.
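
An added example, not part of the original thread: because a pinning app rejects any certificate re-signed by the locally generated CA, the usual proxy-side accommodation is to stop intercepting those destinations and bump only the rest. The squid.conf fragment below assumes Squid 3.5 or later with SslBump already enabled on the intercepting https_port; the ACL name `pinned_sites` and the domain list are illustrative assumptions based on the apps named in the thread.

```squidconf
# --- What the thread describes: every TLS connection is intercepted ---
# ssl_bump bump all
# Apps that pin their certificate or public key fail here, whatever CA
# is installed on the device, because the proxy-minted leaf certificate
# does not match the pin embedded in the app.

# --- Selective interception ---
# Illustrative (assumed) server names for the apps mentioned in the
# thread; extend with the names actually seen failing on your network.
acl pinned_sites ssl::server_name .facebook.com .instagram.com .mercadolibre.com

# First SslBump step: the TLS ClientHello (and its SNI) has arrived.
acl step1 at_step SslBump1

# Read the SNI without altering the handshake.
ssl_bump peek step1

# Pinned destinations: tunnel the TLS session untouched, so the app
# sees the real server certificate and its pin check passes.
ssl_bump splice pinned_sites

# Everything else: terminate TLS and re-sign with the local CA.
ssl_bump bump all
```

Spliced connections stay encrypted end to end, so the proxy can still allow or deny them by server name but cannot filter their content.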




Re: [pfSense] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread Roberto Carna
Dear Alex, so there is no solution to the given problem?

I am referring to installing a CA private certificate on mobile devices
and letting them navigate and use applications through a transparent
proxy without SSL errors...

Regards,



Re: [pfSense] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread Alex Threlfall
They may be hard coded to look at only their own CA to prevent MiM attacks,
or use their own certificate store (for a similar behaviour).

Alex.



[pfSense] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread Roberto Carna
People, I've set up a transparent Squid proxy for WiFi clients. I'm
using SSL interception so I had to generate a CA private certificate
(generated from the pfSense certificate manager tab).

But when I add this CA private certificate to several Android and
iPhone devices in order to proxify and filter SSL applications, some
of the Android devices don't work correctly: Facebook and Instagram
don't load the profiles and Mercadolibre doesn't open the menu. On the
other Android and iPhone devices, everything works OK.

Can this problem be related to the CA certificate (maybe I have to use
a given digest algorithm and key length) or is this an intrinsic
Android problem depending on the OS version?

Thanks a lot.

ROBERT