Is there any documentation on running the Webproxy with signed certificates? I don't want to install a certificate on every machine.
It's not clear to me since my only option is to use a CA. I would have assumed I could just install a certificate that's signed and is already in the client trust chain. But I'm not a certificate expert.
So I was just wondering if there were any videos or documentation on how to do it? The only thing I could seem to find was doing an internal CA.
If this would be possible, you could inspect and modify encrypted traffic coming from any machine without ever touching that machine. That's exactly what TLS is supposed to prevent.
The proxy needs valid certificates for every website your machines visit. So it needs its own CA certificate to issue these certificates. All of your machines have to trust this CA. You could use the certificate of a trusted public CA, but they won't give you the matching private key. Even if you ask very nicely.
Cheers
Maurice
@Maurice have you tried asking Honest Ahmed? ;)
@Patrick Yes, he actually offered me a free private key to his root CA if I buy a used car from him. But I don't need a car right now, so... meh. ¯\_(ツ)_/¯
I wish I understood this one and knew who he is or what the reference is. Funny nonetheless though.
https://bugzilla.mozilla.org/show_bug.cgi?id=647959
Thanks @Maurice. Sorry OP for polluting. Over now.
Quote from: Maurice on July 27, 2023, 01:37:43 PM
If this would be possible, you could inspect and modify encrypted traffic coming from any machine without ever touching that machine. That's exactly what TLS is supposed to prevent.
The proxy needs valid certificates for every website your machines visit. So it needs its own CA certificate to issue these certificates. All of your machines have to trust this CA. You could use the certificate of a trusted public CA, but they won't give you the matching private key. Even if you ask very nicely.
Yeah, exactly. It's a proxy server. So if you don't break and inspect SSL, how is it supposed to categorize websites or any other function of a proxy? It's a fairly common practice these days since everything is TLS based. But I don't want to install a certificate on every machine. I want to install a certificate that would already be trusted by the clients as part of the installed root CAs on the major browsers. But it seems that OPNsense wants me to use it as its own CA, which would still require me to install a certificate on every machine.
Breaking and inspecting TLS is what the proxy is supposed to do, correct. But this requires every machine which uses the proxy to explicitly agree with this. You do this by installing a custom CA certificate on the proxy and on each machine. If breaking TLS would be possible without installing a custom certificate, TLS would be completely pointless. Everyone could just break TLS everywhere.
This is not specific to OPNsense, this is just how TLS proxies (and TLS in general) work.
Quote from: lomax0990 on July 27, 2023, 07:06:05 PM
Yeah, exactly. It's a proxy server. So if you don't break and inspect SSL, how is it supposed to categorize websites or any other function of a proxy? It's a fairly common practice these days since everything is TLS based. But I don't want to install a certificate on every machine. I want to install a certificate that would already be trusted by the clients as part of the installed root CAs on the major browsers.
That's not possible. The "certificate that would already be trusted" would need to cover all host names on the Internet.
If you used a trusted certificate and a client would want to call e.g. google.com - there would be a host name mismatch and the browser would complain.
So what happens is that you create a CA for your proxy and install that on each client as trustworthy. Client wants to go to google.com, OPNsense creates a certificate for google.com on the fly signed by that CA. Client wants to go to opnsense.org, OPNsense creates a certificate for opnsense.org on the fly. And so on ...
Quote from: Maurice on July 27, 2023, 07:21:10 PM
Breaking and inspecting TLS is what the proxy is supposed to do, correct. But this requires every machine which uses the proxy to explicitly agree with this. You do this by installing a custom CA certificate on the proxy and on each machine. If breaking TLS would be possible without installing a custom certificate, TLS would be completely pointless. Everyone could just break TLS everywhere.
This is not specific to OPNsense, this is just how TLS proxies (and TLS in general) work.
Yes I get all that. But I would just think it would be possible for me to purchase an SSL certificate for my domain (ex. opnsenseproxy.testdomain.com) and install it on the proxy. Then the clients would already have a chain of trust because I purchased it from a reputable CA. For example, Entrust. Which would prevent me from having to install/manage certificates on every machine. Because the browser has root certs installed for Entrust and the proxy is using an Entrust certificate.
It just feels like there has to be a better way than installing certificates on every machine.
Installing a custom CA certificate on every machine is the only way, really. This is the essence of how every TLS proxy works.
Of course you can buy a certificate for opnsenseproxy.testdomain.com, but that's only valid for this domain. If you only want to use the proxy for accessing your own website(s), that would work. But if you want to access any other site, let's say google.com, your proxy needs a certificate for google.com. Which no-one will sell you, so the proxy has to issue the certificate itself. Which is why it needs a CA certificate. And no-one will sell you a CA certificate which can be used for issuing random certificates. So you have to create your own CA certificate. Which your machines won't trust unless you tell them to do so (by installing it).
Quote from: lomax0990 on July 27, 2023, 07:29:57 PM
Yes I get all that. But I would just think it would be possible for me to purchase an SSL certificate for my domain (ex. opnsenseproxy.testdomain.com) and install it on the proxy. Then the clients would already have a chain of trust because I purchased it from a reputable CA.
The client wants to connect to google.com and gets presented a certificate with CN=opnsenseproxy.testdomain.com - won't accept.
The client needs to be presented a trusted certificate matching each of the host names it wants to connect to. These are generated on the fly by your trusted CA.
EDIT ...
unless of course ... you use explicit proxy configuration on each client. The general approach today is a transparent proxy, so we took that as a given. What's your approach?
Quote
The general approach today is a transparent proxy, so we took that as a given. What's your approach?
The approach is a transparent proxy.
Quote
The client needs to be presented a trusted certificate matching each of the host names it wants to connect to. These are generated on the fly by your trusted CA.
Ok thanks. I guess I just didn't understand how it worked. I thought as long as the browser trusted the certificate on the proxy that it would work. Because with a self-signed CA cert the browser is presented the certificate for the self-signed cert, and not the certificate of the destination domain. The concept of the CA generating the destination domain on the fly is new to me.
Quote from: lomax0990 on July 27, 2023, 08:48:29 PM
I thought as long as the browser trusted the certificate on the proxy that it would work.
You're not wrong.
As long as the browser trusts the certificate on the proxy, it works. But this can't be just any certificate, it needs to be a signing certificate, typically an intermediate certificate. And you can't purchase this type of certificate. If a CA would sell such certificates, they would get banned by all the browser vendors immediately.
So you have to create your own signing certificate. Which no browser will trust by default.
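The two checks discussed above, Patrick's host name mismatch (a certificate bought for opnsenseproxy.testdomain.com offered for google.com) and Maurice's point that only a signing certificate trusted by the client works, as an added Go example that is not from this thread or from OPNsense. It builds a constructed proxy CA and a constructed stand-in for a public root, issues certificates the way a TLS proxy does on the fly, and runs the same two checks a browser makes: chain to a trusted root, then name match. The CA names, host names and 24-hour validity are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for name signed by parent (self-signed when parent is nil).
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed random serial number
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { // a signing certificate: keyCertSign is what no public CA will sell you
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // an ordinary server certificate is bound to exactly one host name
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepts mimics a browser: the chain must end in a trusted root AND the name must match.
func accepts(leaf, root *x509.Certificate, host string, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates { inters.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

// Scenarios: proxy CA installed on the client / not installed / purchased certificate offered for google.com / purchased (non-CA) certificate used to sign a google.com certificate.
func Scenarios() (caTrusted, caUntrusted, nameMismatch, nonCASigner bool) {
	proxyCA, proxyKey := issue("OPNsense Proxy CA", true, nil, nil)
	publicRoot, publicKey := issue("Example Public Root", true, nil, nil) // constructed stand-in for e.g. Entrust
	onTheFly, _ := issue("google.com", false, proxyCA, proxyKey)
	purchased, purchasedKey := issue("opnsenseproxy.testdomain.com", false, publicRoot, publicKey)
	forged, _ := issue("google.com", false, purchased, purchasedKey)
	return accepts(onTheFly, proxyCA, "google.com"), accepts(onTheFly, publicRoot, "google.com"),
		accepts(purchased, publicRoot, "google.com"), accepts(forged, publicRoot, "google.com", purchased)
}
```

Only the first scenario is accepted: the on-the-fly google.com certificate passes when the proxy CA is installed on the client, fails when it is not, the purchased certificate fails on the host name, and a chain through the purchased (non-CA) certificate is rejected because it is not authorised to sign.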
So one more question...
How do people handle BYOD situations for, say, student cell phones where we can't install a certificate?
We have some DNS filtering in place but we were hoping to proxy that traffic also.
Use a separate VLAN with plain Internet.
And VPN combined with MDM if these users must access company resources.
What's your actual goal?
You can't and shouldn't proxy anyone's HTTPS traffic without their consent and cooperation. That's exactly what TLS is for, to prevent you from doing this.
If you want to block access to certain websites from your network, use IP blocklists. DNS filtering might work to some degree, too, but (thankfully) is becoming more and more ineffective with the spread of DoT / DoH.
My goal is to allow students/staff to bring their own device but be able to block malicious sites, reverse proxies, porn, etc.
Then I would have other networks with different proxy rules.
These are already segmented by vlan.
IP blocklists seem to defeat the point. I can't possibly block all of the bad sites with an IP blocklist.
You can and should protect the devices owned and managed by your organisation, but not personal devices owned by students or staff. This is neither technically viable nor, frankly, your job. From their perspective, the WiFi they are allowed to use with personal devices is no different from any other public WiFi or mobile data (where no-one "protects" you either). Just make sure this network is isolated from the networks used by your organisation's devices.
If this is about accessing internal resources (not just the Internet) with personal devices, that's a whole can of worms on its own. Organisations which allow this typically require these devices to be managed by them, even though they are personally owned (MDM as suggested by Patrick).
However institutions are expected to block content in their networks, even when not accessing internal resources.
So say a guest network. If users were able to access questionable content, there is potential for reputational damage; so it's less of not being the admin's job to protect the users' devices. I imagine this is where the OP is coming from.
OP, you might want to see what Zenarmor can do for you.
@cookiemonster "Reputational damage" to an institution because it provides a simple guest network with plain Internet access? Now I've heard everything.
Yup, maybe it's different in different geographies but where I am, the press is brutal. But it doesn't stop there.
There are statutory requirements too: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1105569/Online_safety_in_schools_and_colleges.Questions_from_the_Governing_Board__2022_.pdf
https://learning.nspcc.org.uk/research-resources/schools/e-safety-for-schools
https://www.gov.uk/guidance/meeting-digital-and-technology-standards-in-schools-and-colleges/filtering-and-monitoring-standards-for-schools-and-colleges
So the relationship is that if the institution fails its duty, the government will intervene. The press will ensure it doesn't go unnoticed.