OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: rokoman on May 15, 2018, 09:38:22 pm

Title: problem https transparent proxy when open facebook
Post by: rokoman on May 15, 2018, 09:38:22 pm
See attached error
Title: Re: problem https transparent proxy when open facebook
Post by: kevin192291 on July 23, 2018, 05:22:27 pm
Hey Rokoman, I am trying to get an SSL proxy working too. I am not 100% sure, but I have come to believe that this is due to SSL pinning: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning . The reason I want an SSL proxy is so I can scan for viruses, and I would say that Facebook is safe. You can exclude it and it should work just fine. It is also recommended that you exclude any banking/known secure sites from SSL interception too.
Title: Re: problem https transparent proxy when open facebook
Post by: franco on July 24, 2018, 08:13:10 am
It looks like there is already a MITM going on on a Cisco device in front of the OPNsense. This shouldn't be facebook's CA chain.


Cheers,
Franco
Title: Re: problem https transparent proxy when open facebook
Post by: proofy on December 03, 2018, 11:47:29 am
It's because of the new TLS 1.3. Facebook already uses this on its servers. Even if you don't change the encrypted content, the logging of the SNI information will probably change the header so that a TLS 1.3 capable browser (correctly) displays an error. Adding all domains that use TLS 1.3 as an exception is not a practical way.
But I can't think of a simple solution either.
Title: Re: problem https transparent proxy when open facebook
Post by: mimugmail on December 03, 2018, 12:34:41 pm
Force downgrade to 1.2 when possible ...
Title: Re: problem https transparent proxy when open facebook
Post by: proofy on December 04, 2018, 03:11:10 pm
How to force TLS 1.2 in squid 3.X ?
Title: Re: problem https transparent proxy when open facebook
Post by: fabian on December 04, 2018, 05:44:12 pm
Not needed, on OPNsense an older version of OpenSSL/LibreSSL is used, which has no TLS 1.3 support. Frank and I are already waiting for it because we need a newer version for our plugins (HAProxy and nginx).

In your case you should try to find out who is responsible for the man in the middle in your network as it is the only issue.
TLS 1.3 is backward compatible with TLS 1.2 because some middle boxes would break otherwise, btw.