Messages - Markus700

#1
Hello Guys,

I just got some new hardware and can put mine up for sale if you are interested. I used it to run OPNsense in Hyper-V. Just let me know.
Details:

ASRock H170M-ITX/DL Intel H170 So.1151 Dual Channel DDR4 Mini-ITX Retail DUAL NIC
Intel Celeron G3900 2x 2.80GHz So.1151 BOX
4GB Crucial CT4G4DFS8213 DDR4-2133 DIMM CL15 Single
120GB SanDisk Plus 2.5" (6.4cm) SATA 6Gb/s TLC Toggle (SDSSDA-120G-G26)
Chieftec Flyer FI-01B-U3 Mini Tower, black, without PSU
BeQuiet! TFX POWER 2 300 W GOLD class

Around 310 €
Pictures:
https://www.ebay-kleinanzeigen.de/s-anzeige/intel-celeron-g3900-2-2-8ghz-mini-pc-4gb-ddr4-120gb-ssd-2x-nic/663067710-228-1631
#2
I had the same problems and the thread helped a lot. However, it is not entirely clear to me what the function "SSL Domain/IP only" does. Can someone briefly explain that to me?
#3
17.1 Legacy Series / Re: Web Proxy: SSL Bump setting
February 01, 2017, 05:13:37 PM
I still have problems with the SSL proxy. I made sure to add all domains to the SSL bump list. But SSL connections for the game app are being reset with TLS fatal handshake error 40. All other connections work fine so far.
#4
17.1 Legacy Series / Re: Web Proxy: SSL Bump setting
January 29, 2017, 05:16:47 PM
Thanks for that info. Still trying to figure out everything. Have CISSP / TISP certification but it's still a challenge building everything from scratch and being alone. The cert is imported and works fine with Safari and so on. But it seems some apps are not using it.

I'm using the DNS resolver as my one and only DNS. But I still have these forgery errors. Could it have to do with an AVM Fritzbox being used as the modem? It is using NAT and I'm afraid it may intercept the DNS traffic. Going to inspect the traffic more thoroughly next weekend.
#5
17.1 Legacy Series / Re: Web Proxy: SSL Bump setting
January 29, 2017, 03:25:34 PM
1. Thank you for implementing the fix. I still have issues with this textbox. I have around 40 entries by now. Sometimes after entering a URL in the format ".domain.com," I cannot set the ",". I have to work with copy and paste and just type around to make it happen.

2. Another question about the transparent Squid proxy with SSL.
I'm receiving these error messages in the cache logfile:
Quote:
2017/01/29 15:12:21 kid1|   SECURITY ALERT: on URL: graph.instagram.com:443
2017/01/29 15:12:21 kid1|   SECURITY ALERT: Host header forgery detected on local=52.21.37.241:443 remote=192.168.1.121:41192 FD 73 flags=33 (local IP does not match any domain IP)

I understand the problem behind this error based on http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery but how can I actually fix this problem in the sense of an OPNsense GUI solution?

3. I have a popular game running on iOS (War Dragons). But with SSL scanning enabled, Squid / OpenSSL won't let the device connect to the game servers. Apparently they only support SSLv3. It seems kind of strange to me that iOS doesn't have a problem with that. Does anyone have experience with similar cases?

Quote: Error negotiating SSL connection on FD 92: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (1/-1)

Quote: Error negotiating SSL connection on FD 186: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)

Quote: Error negotiating SSL connection on FD 99: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0)
#6
I have been able to restart the service. But once I enable the option "Register DHCP leases in the DNS Resolver" the service fails. Restart is possible after deactivating the option.
#7
Hello Friends,

I had the DNS Resolver Unbound running for a few days of uptime. Suddenly it stopped working. I noticed the service stopped and I was unable to restart it. Tried VM restart and host restart, all without success. DNS forwarder works fine. I have not been able to find anything in the system log. Is there anywhere else I could find information to provide to you?
#8
17.1 Legacy Series / Re: Web Proxy: SSL Bump setting
January 22, 2017, 11:38:29 AM
Thank you. This fix works fine for me!
#9
17.1 Legacy Series / Web Proxy: SSL Bump setting
January 21, 2017, 06:07:51 PM
Hello Guys,

First, thank you for your work on the 17.1 series.

I currently have a freshly set up system with 17.1r1 running. Web Proxy with transparent mode and SSL inspection is running. I'm having issues entering more than 3 URLs in the SSL bump field. I'm only adding in .domain.tld mode. After adding
Quote: .apple.com,.consorsbank.de,.comdirect.de,.google.de,.google.com
I cannot add more. For example this:
Quote: .apple.com,.consorsbank.de,.comdirect.de,.google.de,.google.com,.finanzen-broker.net,
returns the following error message:
Quote: Please correct validation errors in form
and
Quote: Please enter ip addresses or domain names here
What am I doing wrong, or is it a bug?