OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: netranger on March 09, 2018, 02:18:01 pm

Title: Squid blocking self-signed webinterface certificate ?
Post by: netranger on March 09, 2018, 02:18:01 pm
Hello,

I don't know since when this started but my webproxy setup somehow blocks access to the firewall webinterface:

Code:
Failed to establish a secure connection to 192.168....

The system returned:

(92) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
Self-signed SSL Certificate in chain: /C=CH/ST=Zuri/L=Zuri/O=Fulltier Gmbh/emailAddress=fulltier@localhost.local/CN=FulltierInternalCA

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is fulltier@localhost.local.

So yes, the certificate of the webinterface is self-signed by the internal CA of course. But this used to be no problem.
When I access the webinterface directly (without proxy) I have no issues, so I assume this has something to do with squid.

Setup:
- 18.1.3/18.1.4
- Webproxy local cache is disabled.
- Webinterface IP is in Proxy "SSL no bump sites"

Steps taken:
- Upgrade to 18.1.4
- Restart webproxy
- disable and re-enable SSL-Inspection

I even deleted the mentioned server certificate and created a new one under the same CA. Now when I try to access, I still see the old certificate which was deleted. Is this old certificate cached somewhere in squid?
Public HTTPS sites work fine.

PS: when I access with the proxy disabled, I see the new certificate...

Regards and good weekend
Title: Re: Squid caching deleted webinterface certificate ?
Post by: netranger on March 18, 2018, 01:10:54 am
Could you please move my thread to the "Web Proxy Filtering" chapter if it is placed wrong here.

Shouldn't an entry in the "SSL no bump site" be enough in order to not get any warnings about self-signed certificates? :o
Title: Re: Squid caching deleted webinterface certificate ?
Post by: fabian on March 18, 2018, 08:10:36 am
Squid blocks the connection because it does not trust the certificate. This is a problem with the server certificate or the local trust store (can be fixed at both places).
Title: Re: Squid caching deleted webinterface certificate ?
Post by: netranger on March 18, 2018, 12:41:34 pm
Okay so this means I can either place a valid server certificate for all admin-webinterfaces in my LAN (which I don't really want as there are quite a few) or I can make squid trust these certificates. How can I do the latter?
Title: Re: Squid caching deleted webinterface certificate ?
Post by: fabian on March 18, 2018, 02:04:06 pm
You must add the signing CA to the local trust store.
Title: Re: Squid caching deleted webinterface certificate ?
Post by: netranger on March 18, 2018, 05:58:46 pm
You mean "local" to the client? Yes, that's already the case; public HTTPS sites are intercepted just fine.

I only have this problem with admin-webpages in the LAN (also for the router interface as I just found out).
Title: Re: Squid blocking self-signed webinterface certificate ?
Post by: fabian on March 18, 2018, 07:53:31 pm
With local I mean the OpenSSL trust store on OPNsense, which is used by squid.
Title: Re: Squid blocking self-signed webinterface certificate ?
Post by: netranger on March 20, 2018, 10:43:14 pm
Code:
openssl s_client -connect routerIP:443
output:
Code:
....
Verify return code: 18 (self signed certificate)
....

According to this source I tried the following: https://www.madboa.com/geek/openssl/#verify-system

Code:
mkdir /etc/ssl/certs
cd /usr/local/share/certs/
openssl s_client -showcerts -connect routerIP:443 < /dev/null | openssl x509 -outform PEM > router.pem
openssl x509 -noout -hash -in router.pem

output:
12345678 (8-digit hash of the cert)

Code:
ln -s /usr/local/share/certs/router.pem /etc/ssl/certs/12345678.0
openssl s_client -connect routerIP:443

output:
Code:
...
Verify return code: 0 (ok)
...

So my understanding is that now openssl trusts my router-certificate but when I try via proxy, I still cannot connect and get the same original error in the browser. Any hints? ::)
Title: Re: Squid blocking self-signed webinterface certificate ?
Post by: fabian on March 21, 2018, 09:58:27 pm
AFAIK programs don't use certdir.
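The two points the thread turns on (fabian's "add the signing CA to the trust store", and the difference between a hashed certdir and a CA bundle file) can be reproduced offline. The script below is an added example, not code from the thread, from OPNsense or from Squid: it creates a throwaway internal CA and a CA-signed "router" certificate (all names, paths and the DemoInternalCA/UnrelatedCA subjects are constructed for the demo), then asks `openssl verify` to check the chain against four different trust stores and prints the OpenSSL verify error number for each. `-untrusted ca.pem` stands in for the server sending leaf + CA during the handshake, which is why the failing cases report error 19, the same X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN that Squid showed in the first post.

```shell
#!/bin/sh
# Added example (not from the thread, OPNsense or Squid): build a throwaway
# internal CA plus a CA-signed "router" certificate, then show which OpenSSL
# trust-store forms make the chain verify. All names and paths are constructed.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Internal CA: a self-signed root, standing in for FulltierInternalCA.
openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=DemoInternalCA" -keyout ca.key -out ca.pem >/dev/null 2>&1

# 2. An unrelated CA: stands in for a trust store that lacks the internal CA.
openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=UnrelatedCA" -keyout other.key -out other_ca.pem >/dev/null 2>&1

# 3. Leaf certificate for the router web UI, issued by the internal CA.
openssl req -config demo.cnf -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=router.demo.lan" -keyout router.key -out router.csr >/dev/null 2>&1
openssl x509 -req -in router.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -sha256 -out router.pem >/dev/null 2>&1

# 4. Two CApath directories: one holding the CA under its plain file name,
#    one holding the <subject-hash>.0 link that OpenSSL's directory lookup needs.
UNHASHED="$WORK/certs.unhashed"; HASHED="$WORK/certs.hashed"
mkdir "$UNHASHED" "$HASHED"
cp ca.pem "$UNHASHED/ca.pem"
ln -s "$WORK/ca.pem" "$HASHED/$(openssl x509 -noout -hash -in ca.pem).0"

# verify_code CERT [openssl verify options]: prints 0 when the chain verifies,
# otherwise the OpenSSL X509_V_ERR number (19 = self-signed cert in chain).
# The output text is parsed instead of the exit status, because older
# releases of "openssl verify" did not set a non-zero status on failure.
verify_code() {
    cert=$1; shift
    out=$(openssl verify "$@" "$cert" 2>&1 || true)
    if printf '%s\n' "$out" | grep -q ': OK$'; then
        echo 0
    else
        printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# "-untrusted ca.pem" plays the server handing out leaf + CA in the handshake.
demo_wrong_bundle() { verify_code router.pem -CAfile other_ca.pem -untrusted ca.pem; }
demo_unhashed_dir() { verify_code router.pem -CApath "$UNHASHED" -untrusted ca.pem; }
demo_hashed_dir()   { verify_code router.pem -CApath "$HASHED"   -untrusted ca.pem; }
demo_ca_bundle()    { verify_code router.pem -CAfile ca.pem      -untrusted ca.pem; }

echo "trust store without the internal CA : $(demo_wrong_bundle)"   # 19
echo "CApath, CA under plain file name    : $(demo_unhashed_dir)"   # 19
echo "CApath, CA under <hash>.0 link      : $(demo_hashed_dir)"     # 0
echo "CAfile bundle containing the CA     : $(demo_ca_bundle)"      # 0
```

The third and fourth cases are the two working shapes of a trust store: a certdir only works once the CA sits there under its subject-hash name (what the `openssl x509 -noout -hash` step in the thread produces), while a bundle file needs no hashing at all, which is the form most programs, Squid included, read directly (Squid 3.5 calls this `sslproxy_cafile`, Squid 4 `tls_outgoing_options cafile=`; the thread does not say which one OPNsense generates). In both shapes the certificate that has to be present is the signing CA, not the server certificate extracted from the `s_client` output.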