OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: ejball02 on June 12, 2021, 09:54:45 pm

Title: Let's Encrypt and SSL Content Filtering
Post by: ejball02 on June 12, 2021, 09:54:45 pm
Is it possible to use a Let's Encrypt cert for SSL filtering (transparent proxy)? I'm using the internal one right now, but everyone on the guest network gets the famous ERR_CERT_AUTHORITY_INVALID message. It's a guest network, which means tablets, phones, laptops, all kinds of different devices and different people. So it's not possible to tell everyone they have to save the internal certificate into their browser. None of the guests even know what that means!

If it's not possible, then how can SSL be filtered? I created an AWS cert and downloaded that to OPNsense, but that didn't do anything. I've also added the Sensei plugin, free version, which gives some level of control, but I'm still looking for a solution. Any ideas?
Title: Re: Let's Encrypt and SSL Content Filtering
Post by: fabian on June 13, 2021, 08:27:34 am
No, they would not be allowed to give you that certificate.

Search for the Symantec / Blue Coat case.
Title: Re: Let's Encrypt and SSL Content Filtering
Post by: ejball02 on June 13, 2021, 02:28:42 pm
A Google search didn't pull up anything on the Symantec / Blue Coat case. But I'll keep looking.

Next question. Does Opnsense have a plugin which will push an internal certificate to connected devices when the network doesn't have group policies or active directory?

There are some humanitarian non-profit organizations who don't have budgets for IT hardware/software or staff to support it. So it seems there would be a big demand for a product that can both allow/block ports and allow/block content easily. It doesn't necessarily have to be turn-key, but something a volunteer, like myself, can add to a network.
Title: Re: Let's Encrypt and SSL Content Filtering
Post by: ejball02 on June 13, 2021, 03:29:53 pm
Next question. Does Opnsense have a plugin which will push an internal certificate to connected devices when the network doesn't have group policies or active directory?

Let me rephrase the above question... Has anyone used Captive Portal to push a self-signed cert to a guest machine, when there is no GPO/AD?
Title: Re: Let's Encrypt and SSL Content Filtering
Post by: fabian on June 13, 2021, 05:36:22 pm
To explain both:

Blue Coat / Symantec:
Symantec issued an intermediate CA certificate to Blue Coat (a subsidiary of theirs) for their testing (at least that is what was officially said), and Google caught them.
Then the trust was removed more and more until Symantec finally sold their certificate business.
In my opinion, the process was too soft. I would have removed the certificate from the browsers' trust stores after a grace period of two weeks.

Captive Portal:
You can upload your own templates, and they can offer the file for download. However, you can also do hostname-based blocking, which does not require a certificate.
Title: Re: Let's Encrypt and SSL Content Filtering
Post by: XeroX on June 16, 2021, 11:08:47 am
Next question. Does Opnsense have a plugin which will push an internal certificate to connected devices when the network doesn't have group policies or active directory?

Let me rephrase the above question... Has anyone used Captive Portal to push a self-signed cert to a guest machine, when there is no GPO/AD?

No, this does not work. You can't push certificates to a client that you don't have access to.
Title: Re: Let's Encrypt and SSL Content Filtering
Post by: philbar on February 02, 2022, 11:32:37 pm
On a guest network where you don't control the client CA store, you could rely on SNI-only inspection.
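What "SNI-only inspection" and fabian's "hostname based blocking" mean in practice, as an added example that is not part of this thread and not OPNsense or Squid code: a transparent proxy that cannot install a CA on the client cannot decrypt the TLS session, but the Server Name Indication in the ClientHello is sent in the clear, so the proxy can read the hostname from the first record and allow or block the connection before forwarding a byte. The parser, the suffix blocklist and the sample ClientHello builder below are all assumptions made for the example; the test input is constructed inline, so it runs offline.

```python
"""SNI-only filtering of a raw TLS ClientHello (added example, not project code)."""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name):
    """Construct a minimal ClientHello record as test input (constructed data).

    server_name=None yields a ClientHello with no SNI extension, which is what
    an old client, or a client using Encrypted ClientHello, looks like on the wire."""
    body = b"\x03\x03" + b"\x00" * 32            # client_version + random
    body += b"\x00"                               # empty session_id
    body += b"\x00\x02\x13\x01"                   # one cipher suite
    body += b"\x01\x00"                           # one compression method (null)
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name from a raw TLS record, or None if absent.

    Raises ValueError for anything that is not a well-formed ClientHello, so a
    caller can treat garbage on port 443 differently from a missing SNI."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                     # skip client_version + random
    pos += 1 + body[pos]                             # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                             # compression_methods
    if pos + 2 > len(body):
        return None                                  # pre-extension ClientHello
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:                       # host_name
                return name.decode("ascii").lower().rstrip(".")
    return None


def decide(record, blocklist, block_when_no_sni=True):
    """Apply a hostname suffix blocklist (assumed policy format) to a ClientHello.

    Returns ("allow" | "block", hostname_or_None). A client that sends no SNI
    cannot be filtered by hostname at all; the flag decides whether such
    connections are dropped or let through unfiltered."""
    host = extract_sni(record)
    if host is None:
        return ("block" if block_when_no_sni else "allow", None)
    for entry in blocklist:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return ("block", host)
    return ("allow", host)


if __name__ == "__main__":
    policy = ["example.net", "ads.example.org"]      # constructed blocklist
    for name in ["www.example.com", "cdn.example.net", "ads.example.org", "notexample.net", None]:
        print(name, "->", decide(build_client_hello(name), policy))
```

Two caveats a practitioner should keep in mind: the SNI is a client-supplied plaintext field, so a client can omit it or send a name that does not match the certificate it then accepts, and Encrypted ClientHello removes it from view entirely; this is a policy filter for cooperative guest devices, not a security boundary. It also sees only the hostname, never the URL path, which is the same granularity DNS filtering gives you without touching the TLS stream at all.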
Title: Re: Let's Encrypt and SSL Content Filtering
Post by: michmoor on February 09, 2022, 09:51:15 pm
For content filtering you're probably better off using ZenArmor or DNS filtering.
SSL inspection, at least on OPNsense using Squid, is not a clean experience. Lots of caveats. Best left for very corner-case situations.
If absolutely needed, then I would advise looking at other vendors, but that comes with more $$$.