OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: kojo1984 on March 19, 2018, 03:35:39 pm

Title: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: kojo1984 on March 19, 2018, 03:35:39 pm
Hi to all!

I have OpnSense 8.1.4. installed and working as TransparentProxy.

Everything works fine, except some web sites that are using self signed certificates.

I've put CA certs of those sites into "System: Trust: Authorities" on OpnSense and PC clients. Also added URLs of those web sites into " SSL no bump sites", but no good.

The error I get is:

Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: kojo1984 on March 22, 2018, 10:08:57 am
I have upgraded to OPNsense 18.1.5-amd64 from OPNsense 18.1.4-amd64.

Maybe it has nothing to do with it, but I'm getting new error.

Is there a way to stop checking remote peer certificates? This is really causing me problems :( ...

See picture attached.

P.S. I added entry ".electrovoice.com" in NO SSL BUMP sites.
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: kojo1984 on March 22, 2018, 11:37:06 am
The web site I'm trying to access from the last error is missing an intermediate CA certificate ...

Is there any way to overcome this Squid checking and to avoid it?
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: fabian on March 22, 2018, 04:41:08 pm
Not via the GUI and I don't recommend doing that anywhere else.
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: kojo1984 on March 22, 2018, 08:25:23 pm
Hi Fabian,

thank you for replying.

This is a show-stopper for me, there's a lot of web sites that have various types of problems, like this one and there's no way to overcome it ...

Tried to do it manually, but the slightest change overwrites manual entries.

I really hope that there will be GUI option that can be checked, so this kind of sites can be accessed.
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: fabian on March 22, 2018, 09:39:31 pm
as a temporary workaround, you can add it to a template - this will get lost at the next software update but you can at least change some settings in the GUI. Please note that this is only a workaround for broken servers. It is the job of the sysadmins to fix it.

Maybe you can contact the admin and tell him/her to fix the server.
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: kojo1984 on March 22, 2018, 10:06:24 pm
Thank you for the template heads-up, haven't thought of that.

I did notify 2 web admins, let's wait and see what happens.
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: kojo1984 on March 30, 2018, 08:15:36 am
Just want to post how I fixed it manually, because there's no setting in the GUI panel.
I have changed the Squid template file, so changes are kept, at least until the next upgrade. (thanks fabian for the template idea  8) )

Backup before changing anything.

Edit
Code:
/usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf
Find the line
Code:
sslproxy_cert_error deny all
and reconfigure it to
Code:
sslproxy_cert_error allow all
After this, restart the appliance; users should get only a certificate warning.

Repeat after upgrade.
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: fabian on March 30, 2018, 11:38:40 am
Quote
Edit
Code:
/usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf
Find the line
Code:
sslproxy_cert_error deny all
and reconfigure it to
Code:
sslproxy_cert_error allow all
After this, restart the appliance; users should get only a certificate warning.

Repeat after upgrade.
And you will get a fully broken TLS implementation (easy to MITM invisibly to the user).
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: kojo1984 on March 31, 2018, 04:17:26 pm
Quote
And you will get a fully broken TLS implementation (easy to MITM invisibly to the user).

Unfortunately, true, but I can't force security over business demands, because it stops business in this case.

I can't fix "legit" servers all over the Internet that are misconfigured, where some of them have only certificates issued by their own CAs that are not trusted by OpnSense (or Squid).

I have other layers of security that are in force, this is serving me only for web traffic filtering, so it is acceptable for me.
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: Alphakilo on April 01, 2018, 03:01:34 pm
Quote
Unfortunately, true, but I can't force security over business demands, because it stops business in this case.
[...]
I have other layers of security that are in force, this is serving me only for web traffic filtering, so it is acceptable for me.

What's the business demand here? Getting pwned?
I suspect you're the sysadmin. So here's a word of unsolicited advice:

If your boss comes to you and asks you to implement shit like this, you tell her / him (in writing, i.e. email) what's it going to cause.
In this case: whatever security that may come from PKI being nullified. The TLS / SSL clients (browsers, email clients, updates, ...) will now happily accept anything *any* adversary will throw at them. There is no reliable "layer of security" that covers this. This is why TLS / SSL faults hurt that much.

Only after the boss fully acknowledges that and asks you continue (in writing) you do that.
Print the full conversation (including headers) and take it somewhere safe (i.e. home).

This is known in the industry as "cover your ass". For the setting you implemented you *need* to do that.
Godspeed.

Oh and if your intent is to only do filtering (no caching, no ICAP) please check if the forward proxy setting "Log SNI information only" without any other modification isn't exactly what you need.
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: Mks on April 01, 2018, 05:38:09 pm
Hi,

not directly topic related, but I fully agree with Alphakilo.

The whole security community puts a lot of effort in hardening the TLS stacks on server as well as on client side (Browser), and you deactivate all this (in your environment) with one line.

As Alphakilo said, "Cover your ass", everything else is grossly negligent.

br

Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: fabian on April 01, 2018, 05:48:05 pm
"grossly negligent" will probably also be the answer of your insurance company in case something bad happens to your company.
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: kojo1984 on April 02, 2018, 09:19:09 am
I agree with all of you, in all aspects, in every way.

Let me fill you in on a few details, for better understanding.

It's not my company, I'm working as a freelancer on a project.

This "issue" occurred one month ago and I went as far as creating a presentation for them where everything was explained in detail.

Despite having full support from their CTO and CISO, management decided to do this the way it's done, with me risking that someone else is going to finish the job. (They also rejected the CTO's proposal to deploy a separate VLAN and an isolated, kiosk-like PC in every department, so it could serve this purpose of unfiltered access.)

As a freelancer, I found myself in a deadlock where the client wants me to do something that's against best practice, or I end up with a bad score and not getting paid ...

I have it in written form, they explicitly accepted the risk, so I won't fight the windmills.

In the end, I'm delivering my report, which will definitely include everything relevant.

I really appreciate all your advice and efforts.

P.S. I got a response from one web admin; they told me they won't change this, since they have their own PKI infrastructure. It is mandatory that employees of the company can access that web site.
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: fabian on April 02, 2018, 09:56:51 am
Sure, but you can also whitelist only the broken servers, so the rest is correctly validated.
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: kojo1984 on April 02, 2018, 01:01:38 pm
It's not working. I have entries in SSLBUMP and OpnSense (tried all combinations).
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: kojo1984 on April 02, 2018, 02:45:50 pm
Tried with Whitelisting, SSLBump, no good, getting same errors ...
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: fabian on April 02, 2018, 03:07:20 pm
With whitelisting I was thinking about the ACL. There is no need to use "all".
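The squid.conf fragment below shows what the ACL-scoped whitelisting fabian refers to looks like, as an added example that is not part of this thread or of the OPNsense template. The hostname `.partner.example` and the CA bundle path are placeholders; the directive names (`sslproxy_cafile`, `sslproxy_cert_error`, the `ssl::server_name` and `ssl_error` ACL types) are Squid 3.5-era spellings, which is the Squid generation the thread's `sslproxy_flags DONT_VERIFY_PEER` belongs to. On OPNsense the lines would have to go into the regenerated template at /usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf, with the same "lost on upgrade" caveat fabian gives above.

```conf
# Added example (not from the thread): tolerate certificate errors only
# for named hosts and only for named error codes, instead of
# "sslproxy_cert_error allow all". Names and paths are placeholders.

# Case 1 (the company-PKI site in the P.S. above): the right fix is to
# trust that private CA for Squid's *outgoing* connections, so validation
# succeeds normally and no error has to be tolerated at all.
# (Squid 3.5 directive; Squid 4 spells it "tls_outgoing_options cafile=".)
sslproxy_cafile /usr/local/etc/squid/partner-ca-bundle.pem

# Case 2 (a server that omits its intermediate CA and will not be fixed):
# name the host, and name the exact OpenSSL verification error.
acl broken_partner       ssl::server_name .partner.example
acl missing_intermediate ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
acl self_signed          ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN

# Both ACLs on one line are ANDed: the error is ignored only for that host
# and only for that error class. Everything else still fails closed.
# The allow lines must come before "deny all"; first match wins.
sslproxy_cert_error allow broken_partner missing_intermediate
sslproxy_cert_error allow broken_partner self_signed
sslproxy_cert_error deny all

# What the thread ended up with, for contrast. Either line disables server
# certificate validation for every TLS connection the proxy makes on
# behalf of every client, which is the MITM exposure fabian describes.
# sslproxy_cert_error allow all
# sslproxy_flags DONT_VERIFY_PEER
```

Before adding any exception, confirm which error the server actually produces from a host that goes through the proxy's own upstream path: `openssl s_client -connect host:443 -servername host -showcerts` prints the served chain and a `Verify return code`; 20 (unable to get local issuer certificate) is the missing-intermediate case, 18 a self-signed leaf. The Squid documentation's own example for `sslproxy_cert_error` uses a `dstdomain` ACL for the host; `ssl::server_name` is the SNI-based equivalent that also works for intercepted (transparent) connections once the ClientHello has been peeked.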
Title: Re: OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages
Post by: kojo1984 on April 05, 2018, 11:59:23 am
Sorry for not responding, wasn't around for a few days.

Tried manual config of an ACL, no good, different errors and still unable to access, unless I go with "allow all" or "sslproxy_flags DONT_VERIFY_PEER".

Don't know which one is worse  ???