OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: AndyX90 on April 14, 2018, 09:22:19 am

Title: Squid - SSLBump Windowsupdate
Post by: AndyX90 on April 14, 2018, 09:22:19 am
Hi, I am experiencing some problems with Squid + SSL-Bump and Windows Update (WSUS). I have set up Single Sign-On.
I have added .microsoft.com and .windowsupdate.com to the no-bump sites.
Now i get the following error multiple times in squid log:
Code:
kid1| Error negotiating SSL on FD 22: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

If I try to open https://update.microsoft.com/ directly without a proxy, I get a certificate warning in my browser too.
There seems to be an issue in their certificate chain.
How can I explicitly trust those sites? I tried to put them in the whitelist, but it doesn't work.
Many thanks!
Title: Re: Squid - SSLBump Windowsupdate
Post by: fabian on April 14, 2018, 01:10:37 pm
The no-bump sites should do the trick, but this does not fix the real problem: the server uses an untrusted certificate. In that case the proxy cannot see the traffic, and the client has to validate the certificate.

Explicitly trust works if you edit the certificate database by hand.
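As an added example, not taken from this thread or from the OPNsense project, here is the plain squid.conf form of what the "no-bump sites" setting is meant to produce: a peek at step 1 to read the SNI, a splice for the Windows Update hosts, and a bump for everything else. The listener, the CA path and the port are hypothetical placeholders; the point is the three ssl_bump rules and what each one means for certificate validation.

```conf
# Added example (not from the forum thread or OPNsense): minimal squid.conf
# fragment that splices Windows Update hosts and bumps everything else.
# Assumes Squid 3.5 or later with SSL-Bump peek/splice support. The listener
# below is a hypothetical interception port; the CA path is a placeholder.

https_port 3129 intercept ssl-bump \
    cert=/usr/local/etc/squid/ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Hosts that must never be bumped. At step 1 ssl::server_name matches the
# SNI from the client's ClientHello, so no connection to the origin server
# has been opened yet when this ACL is evaluated.
acl nobump ssl::server_name .microsoft.com .windowsupdate.com

acl step1 at_step SslBump1

# Step 1: peek only, learn the SNI without contacting the server as a TLS client.
ssl_bump peek   step1
# Step 2: splice the no-bump hosts. Squid tunnels the TLS session end to end,
# so it never receives, and never verifies, the origin certificate; the Windows
# client validates the chain exactly as it would with no proxy at all.
ssl_bump splice nobump
# Everything else is bumped: Squid terminates TLS, verifies the origin
# certificate itself and re-signs for the client with the CA above.
ssl_bump bump   all

# Deliberately NOT set:
#   sslproxy_cert_error allow all
# That would make Squid accept any origin certificate for bumped sites and
# hide a bad chain from every client behind the proxy.
```

A quick check that the splice is actually taking effect: a spliced connection shows up in access.log as a CONNECT entry (TCP_TUNNEL), with only the host and port visible. A line that shows the decrypted method and full URL, such as a POST to https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx, can only have come from a bumped connection, so if such lines still appear for a host that is on the no-bump list, the ACL is not matching and the generated configuration should be inspected.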
Title: Re: Squid - SSLBump Windowsupdate
Post by: AndyX90 on April 15, 2018, 08:32:46 am
Thanks, but the no-bump sites don't work.
Maybe I have to edit the cert DB by hand.
Would it be possible to add a feature in the web UI to view/edit the verification CAs?
Like this on Sophos-UTM (see Attachment).
Thanks.
Title: Re: Squid - SSLBump Windowsupdate
Post by: opnsenseuser on October 21, 2018, 09:06:34 am
I have already tried everything, but under Windows 10 the updates are not recorded. I get exactly the same error message.

Code:
kid1| Error negotiating SSL on FD 36: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
Does anyone know this, or can someone implement such a feature in OPNsense?
Title: Re: Squid - SSLBump Windowsupdate
Post by: opnsenseuser on October 21, 2018, 09:12:36 am
Strange, right at the moment I posted this it worked. I will post my solution here once I know what exactly I have to register where, and which domains now really work.

I use Squid in transparent mode with a certificate.
Title: Re: Squid - SSLBump Windowsupdate
Post by: opnsenseuser on October 21, 2018, 01:32:15 pm
So sometimes it works and sometimes not. Usually not. Why it sometimes works is not clear to me.

Most of the time the proxy gets these errors:

cache.log:
Code:
routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

access.log:
Code:
TAG_NONE/503 4283 POST https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx - HIER_NONE/- text/html
Anyone knows how to fix this?
Title: Re: Squid - SSLBump Windowsupdate
Post by: fabian on October 21, 2018, 09:09:18 pm
This means one of their servers has an invalid certificate (incorrect hostname, not in the valid time range, untrusted CA, etc.). It is usually not an error on your side.
Title: Re: Squid - SSLBump Windowsupdate
Post by: opnsenseuser on October 22, 2018, 01:38:04 pm
Thanks for your information.

Regards,
Rene
Title: Re: Squid - SSLBump Windowsupdate
Post by: opnsenseuser on October 22, 2018, 04:10:20 pm
Quote: This means one of their servers has an invalid certificate (incorrect hostname, not in the valid time range, untrusted CA, etc.). It is usually not an error on your side.

It would be great if OPNsense had a solution for this, as pfSense does.
I assume that I am not the only one who uses Windows clients.

According to the Squid wiki this should work here; only the options are missing in OPNsense:
https://wiki.squid-cache.org/ConfigExamples/Caching/WindowsUpdates

Unfortunately, I know that this works for pfSense. In OPNsense it is only possible by editing the config files manually. But I prefer to keep my fingers off.