Messages - kojo1984

#1
Sorry for not responding, wasn't around for a few days.

Tried manual config of an ACL, no good, different errors and still unable to access, unless I go with "allow all" or "sslproxy_flags DONT_VERIFY_PEER".

Don't know which one is worse ???
#2
Tried with Whitelisting, SSLBump, no good, getting same errors ...
#3
It's not working. I have entries in SSLBUMP and OpnSense (tried all combinations)
#4
I agree with all of you, in all aspects, in every way.

Let me fill you in with a few details on this, for better understanding.

It's not my company, I'm working as a freelancer on a project.

This "issue" occurred one month ago and I went as far as creating a presentation for them where everything was explained in detail.

Despite having full support from their CTO and CISO, management decided to do this the way it's done, with me risking that someone else is going to finish the job. (They also rejected the CTO's proposal to deploy a separate VLAN and an isolated, kiosk-like PC in every department, so it can serve this purpose of unfiltered access.)

As a freelancer, I found myself in a deadlock where the client wants me to do something that's against best practice, or I end up with a bad score and not getting paid ...

I have it in written form; they explicitly accepted the risk, so I won't fight windmills.

At the end, I'm delivering my report, which will definitely include everything relevant.

I really appreciate all your advice and efforts.

P.S. I got a response from one web admin; they told me they won't change this, since they have their own PKI infrastructure. It is mandatory that employees of the company can access that web site.
#5
Quote
And you will get a fully broken TLS implementation (easy to MITM invisibly to the user).

Unfortunately, true, but I can't force security over business demands, because it stops business in this case.

I can't fix "legit" servers all over the Internet that are misconfigured, where some of them have only certificates issued by their own CAs that are not trusted by OpnSense (or Squid).

I have other layers of security that are in force; this is serving me only for web traffic filtering, so it is acceptable for me.
#6
Just want to post how I fixed it manually, because there are no settings in the GUI panel.
I have changed the Squid template file, so changes are kept, at least until the next upgrade. (Thanks fabian for the template idea 8) )

Backup before changing anything.

Edit /usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf

Find the line sslproxy_cert_error deny all and change it to sslproxy_cert_error allow all

After this, restart the appliance; users should get only a certificate warning.

Repeat after upgrade.
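Post #1 mentions trying an ACL instead of "allow all", and the template edit above switches the directive to "allow all" for every site. The following squid.conf fragment is an added example, not from this thread or from OPNsense, showing the narrower form: it exempts one destination from only the specific verification errors it is known to produce and keeps every other failure denied. It assumes Squid 3.5 or later (ssl_error and ssl::server_name ACLs); the host .intranet.example is a placeholder.

```squid
# Added example (not from the thread): scope the certificate-error
# exemption to one site and one class of error instead of allowing all.

# Weak form, as in the template edit: every verification failure on every
# site is ignored, so a forged or MITM certificate is accepted silently.
# sslproxy_cert_error allow all

# Narrow form. Placeholder hostname: replace with the real server name
# (matched against SNI / the server certificate, leading dot = subdomains).
acl exempt_site ssl::server_name .intranet.example

# Only the errors this site actually produces: a self-signed leaf, or a
# chain whose intermediate/root is not in the proxy's trust store
# (the "missing intermediate CA" case from post #9).
acl exempt_err ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
acl exempt_err ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

# Both ACLs must match on the same line: that site AND one of those errors.
sslproxy_cert_error allow exempt_site exempt_err

# Everything else (expired certs, name mismatch, untrusted CA on any
# other host) stays denied, as in the stock template.
sslproxy_cert_error deny all
```

In the OPNsense setup described in post #6 these lines would replace the single sslproxy_cert_error line in the template; placed directly in the generated squid.conf they are overwritten on the next reconfigure, as post #8 notes.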
#7
Thank you for the template heads-up, haven't thought of that.

I notified 2 web admins, let's wait and see what happens.
#8
Hi Fabian,

thank you for replying.

This is a show-stopper for me; there are a lot of web sites that have various types of problems, like this one, and there's no way to overcome it ...

Tried to do it manually, but the slightest change overwrites manual entries.

I really hope that there will be a GUI option that can be checked, so this kind of site can be accessed.
#9
The web site I'm trying to access from the last error is missing an intermediate CA certificate ...

Is there any way to overcome this Squid checking and to avoid it?
#10
I have upgraded to OPNsense 18.1.5-amd64 from OPNsense 18.1.4-amd64.

Maybe it has nothing to do with it, but I'm getting a new error.

Is there a way to stop checking remote peer certificates? This is really causing me problems :( ...

See picture attached.

P.S. I added entry ".electrovoice.com" in NO SSL BUMP sites.
#11
Hi to all!

I have OpnSense 8.1.4. installed and working as a Transparent Proxy.

Everything works fine, except some web sites that are using self signed certificates.

I've put the CA certs of those sites into "System: Trust: Authorities" on OpnSense and the PC clients. Also added the URLs of those web sites into "SSL no bump sites", but no good.

The error I get is: