OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: bmail on May 22, 2018, 01:29:59 pm

Title: [SOLVED] SSL certificate and Suricata rules
Post by: bmail on May 22, 2018, 01:29:59 pm
Hello,

I think I need help to understand how OPNsense is processing this...

I use Squid with HTTPS inspection. So I created a self-signed authority inside OPNsense (called internal-ca).
When a user visits an HTTPS web page, every site shows a certificate provided by my organisation, with, of course, a unique SHA1 fingerprint. I think this is normal. But ...
I tried to block some sites using "user defined rules" with Suricata. I give the fingerprint of the website I want to block, but no success ... the website isn't blocked by Suricata.

Suricata works on the WAN interface only. If it works on WAN + LAN interfaces, there is no more access to the OPNsense GUI, caused by a rule:

   SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt
Alert sid   31484

Is there a way to use the drop action based on an SSL fingerprint if we want to use SSL inspection with Squid?

Thanks a lot for any advice.
Bertrand
Title: Re: SSL certificate and Suricata rules
Post by: bmail on May 22, 2018, 07:12:16 pm
Found!

OK, how can I be so stupid?
Just add the website to the "SSL no bump sites", so the real certificate is transmitted and can be dropped by Suricata.
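An added example, not code from the thread or from the OPNsense, Squid or Suricata projects, illustrating why the fingerprint rule behaved as described above. Suricata's tls.fingerprint keyword compares the SHA1 of the server certificate's DER encoding, written as lowercase hex pairs separated by colons. When Squid bumps a site, the certificate presented on the client side is re-issued by the local CA (internal-ca in the thread), so its bytes, and therefore its fingerprint, differ from the origin server's; the rule can only match where the origin certificate itself is visible. The certificate byte strings, the hostname example.test and the sid are constructed placeholders, not real certificates or a real rule.

```python
"""Added example: Suricata-style TLS certificate fingerprint matching, and
how an SSL-bumped (re-issued) certificate fails to match a rule written for
the origin server's certificate. Constructed data only; no real certificates."""
import hashlib
import re
from typing import Optional


def suricata_fingerprint(cert_der: bytes) -> str:
    """SHA1 of the DER-encoded certificate in Suricata's aa:bb:cc:... form."""
    digest = hashlib.sha1(cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Extracts the quoted value of a tls.fingerprint option from a rule string.
RULE_RE = re.compile(r'tls\.fingerprint:\s*"([0-9a-fA-F:]+)"')


def rule_fingerprint(rule: str) -> Optional[str]:
    """Return the fingerprint a rule is looking for, normalised to lowercase."""
    m = RULE_RE.search(rule)
    return m.group(1).lower() if m else None


def rule_matches(rule: str, observed_der: bytes) -> bool:
    """True if the certificate Suricata sees has the fingerprint in the rule."""
    wanted = rule_fingerprint(rule)
    return wanted is not None and wanted == suricata_fingerprint(observed_der)


# Constructed stand-ins for DER-encoded certificates (not real certificates):
# the origin server's own certificate, and the one Squid re-issues under
# internal-ca for the same hostname when the site is bumped.
ORIGIN_CERT_DER = b"constructed: origin certificate for example.test"
BUMPED_CERT_DER = b"constructed: certificate re-issued by internal-ca for example.test"

# Constructed block rule keyed on the origin certificate's fingerprint
# (sid 1000001 is a placeholder from the local-rule range).
BLOCK_RULE = (
    'drop tls any any -> any any (msg:"block example.test by cert fingerprint"; '
    f'tls.fingerprint:"{suricata_fingerprint(ORIGIN_CERT_DER)}"; sid:1000001; rev:1;)'
)


def where_rule_fires() -> dict:
    """Compare the rule against each certificate Suricata could observe.

    With the site bumped, the client side only ever sees BUMPED_CERT_DER, so
    the rule does not fire; excluding the site from bumping ("SSL no bump
    sites") lets the origin certificate through, and the rule matches."""
    return {
        "origin_cert_visible": rule_matches(BLOCK_RULE, ORIGIN_CERT_DER),
        "bumped_cert_visible": rule_matches(BLOCK_RULE, BUMPED_CERT_DER),
    }


if __name__ == "__main__":
    print("rule fingerprint:", rule_fingerprint(BLOCK_RULE))
    print("bumped cert fingerprint:", suricata_fingerprint(BUMPED_CERT_DER))
    print(where_rule_fires())
```

The practical check this gives a defender is simple: take the fingerprint from the rule and compare it with the fingerprint of the certificate actually presented on the interface Suricata inspects; if they differ because a proxy re-signed the certificate, the rule cannot fire there no matter how it is written.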