OPNsense
Show Posts

Topics - netranger

1
Web Proxy Filtering and Caching / "SSL no bump sites" doesn't work for Win Updates
« on: September 21, 2019, 03:25:02 pm »
Hi,

Goal
Get Windows Updates working over transparent HTTPS Squid Proxy.

Problem
Some entries in the "SSL no bump sites" list seem to be inactive.

Version
19.7.4_1

Description
For example, one of the sites used for Windows Updates seems to be settings-win.data.microsoft.com. No matter what I tried, I could not get this site to not be intercepted. The reason I know it is not intercepted is because I can see the full path in the logs. I tried the following no-bump configurations:

.microsoft.com -> Log shows https://settings-win.data.microsoft.com/settings/v2.0/WSD/WaaSAssessment? is being accessed.

settings-win.data.microsoft.com -> Log shows https://settings-win.data.microsoft.com/settings/v2.0/FlightSettings/FSService? is being accessed.

.data.microsoft.com -> Log shows https://settings-win.data.microsoft.com/settings/v2.0/wsd/muse? is being accessed.


So does it work at all? Yes it does. For example with a bank site:

.db.com -> Log shows 160.83.8.143:443 is being accessed. No path visible, which means the no-bump entry works.
Removed the .db.com entry again -> Log shows https://www.db.com/company/img/favicon.ico is being accessed.

In between I checked the content of the config file, looked good to me:

Code:
# less /usr/local/etc/squid/nobumpsites.acl
.data.microsoft.com
.db.com

Any hints will be greatly appreciated.

BR,
NR
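A small offline audit of the situation described in the post, added here as an example; it is not code from the post or from OPNsense. It implements the dot-prefix domain matching rule that Squid's dstdomain and ssl::server_name ACL types share (".example.com" matches example.com and every subdomain, "example.com" matches only that exact host), then compares, for constructed log destinations modelled on the ones quoted above, what the list says should be spliced against what the log shows was actually decrypted (a full URL can only appear in the log if Squid bumped the session). Which of the two ACL types OPNsense's generated squid.conf uses for nobumpsites.acl is an assumption here; check the generated configuration before relying on it.

```python
"""Audit a Squid "SSL no bump sites" list against what the access log shows.

Added example, not code from the forum post or from OPNsense. The ACL
contents and the log destinations below are constructed to mirror the post.
"""
from urllib.parse import urlsplit

# Constructed copy of the nobumpsites.acl contents shown in the post.
NOBUMP_ACL = """\
.data.microsoft.com
.db.com
"""

# Constructed log destinations modelled on the post: a spliced connection is
# logged as host:port or IP:port only, a bumped one with the full URL.
LOGGED_DESTINATIONS = [
    "https://settings-win.data.microsoft.com/settings/v2.0/WSD/WaaSAssessment?",
    "160.83.8.143:443",
]


def parse_acl(text):
    """Return the lower-cased entries of an ACL file, skipping blanks and # comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line.lower())
    return entries


def dstdomain_matches(entry, host):
    """Squid dstdomain rule: leading dot = domain plus all subdomains, else exact host.

    The entry is expected lower-cased (as parse_acl returns it); the host is
    normalised here so log input with a trailing dot or mixed case still matches.
    """
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def acl_matches(entries, host):
    return any(dstdomain_matches(e, host) for e in entries)


def logged_host(dest):
    """Split a logged destination into (host, bumped).

    A full URL is only visible to Squid after it decrypted the session, so
    its presence in the log is taken as proof that the connection was bumped.
    """
    if "://" in dest:
        return urlsplit(dest).hostname, True
    host, sep, _port = dest.rpartition(":")
    return (host if sep else dest), False


def audit(acl_text, destinations):
    """Return (host, should_splice, was_bumped) for every logged destination."""
    entries = parse_acl(acl_text)
    return [(h, acl_matches(entries, h), b)
            for h, b in (logged_host(d) for d in destinations)]


def leaked(acl_text, destinations):
    """Hosts the list says to splice but which the log shows were bumped anyway."""
    return [h for h, should_splice, bumped in audit(acl_text, destinations)
            if should_splice and bumped]


if __name__ == "__main__":
    for host, should_splice, bumped in audit(NOBUMP_ACL, LOGGED_DESTINATIONS):
        want = "splice" if should_splice else "bump"
        seen = "BUMPED" if bumped else "spliced"
        flag = "  <-- mismatch" if should_splice and bumped else ""
        print(f"{host:40} acl says {want:6} log shows {seen}{flag}")
```

A mismatch reported by this check means the entry is syntactically right but the exception never took effect for that connection, which moves the question from the ACL file to how Squid evaluated it. Two things worth verifying in that case: in intercept mode a domain entry can only be compared against the server name Squid learns at the peek step (the TLS SNI sent by the client), so a client that opens the connection without SNI cannot match a domain entry and will fall through to the bump rule; and ssl_bump rules are applied in order, so the splice rule has to come before any "bump all".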

2
Web Proxy Filtering and Caching / Squid blocking self-signed webinterface certificate ?
« on: March 09, 2018, 02:18:01 pm »
Hello,

I don't know since when this started but my webproxy setup somehow blocks access to the firewall webinterface:

Code:
Failed to establish a secure connection to 192.168....

The system returned:

(92) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
Self-signed SSL Certificate in chain: /C=CH/ST=Zuri/L=Zuri/O=Fulltier Gmbh/emailAddress=fulltier@localhost.local/CN=FulltierInternalCA

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is fulltier@localhost.local.

So yes, the certificate of the webinterface is self-signed by the internal CA of course. But this used to be no problem.
When I access the webinterface directly (without proxy) I have no issues, so I assume this has to do something with squid.

Setup:
- 18.1.3/18.1.4
- Webproxy local cache is disabled.
- Webinterface IP is in Proxy "SSL no bump sites"

Steps taken:
- Upgrade to 18.1.4
- Restart webproxy
- disable and re-enable SSL-Inspection

I even deleted the mentioned server certificate and created a new one under the same CA. Now when I try to access, I still see the old certificate which was deleted. Is this old certificate cached somewhere in squid?
Public HTTPS sites work fine.

PS: when I access with the proxy disabled, I see the new certificate...

Regards and good weekend

3
17.1 Legacy Series / Webproxy accepting revoked certificates
« on: May 27, 2017, 01:15:06 pm »
Hi guys,

I was playing around with HTTPS interception and noticed that the webproxy seems to accept revoked certificates (see screenshot revoked_interception.PNG).

If I disable HTTPS interception and try the testpage again, my browser blocks this page (see screenshot revoked_nointerception.PNG).

Is there something I can do to block those certificates using the webproxy? Other certificates, for example expired ones, get blocked correctly.

Cheers,
Netranger


4
17.1 Legacy Series / 17.1.6 - default gw missing / apinger won't start
« on: May 06, 2017, 12:08:28 pm »
Good morning guys!

I have a strange behavior after upgrading to 17.1.6:

It seems that my DHCP lease no longer contains a default gateway ;D I get my internal IP address as usual but the default gateway is just empty. When I set a static IP and static default gateway on my client the connection works again. So in order to fix this I went to Services > DHCP > Server and in the "Gateway" field, which was empty, I set the firewall IP (for example 192.168.1.1). And now after ipconfig /renew on the client, everything works again. I am not sure about the config of this field before my upgrade though... if this got deleted or the mechanics changed?

Another thing I noticed after the upgrade (not sure if this has something to do with this): The apinger Gateway Monitoring Daemon fails to start, it just stays red. Is there a log for this somewhere so I could get some information?

I updated from 17.1.3 with the bootstrap command because I wanted (needed) a clean installation because I originally came from the 17.1 beta version.

Best,
Net

5
17.1 Legacy Series / [WORKAROUND] 17.1.b - Can't boot on APU2 with USB3 slot
« on: January 20, 2017, 11:11:36 am »
Hello everyone!

I was not able to boot 16.7 on my brand new APU2 (https://forum.opnsense.org/index.php?topic=2327.0) so I thought I maybe just try the beta version.

Sorry, I am a FreeBSD noob; do I have to type anything here?

Code:
SeaBIOS (version ?-20160307_153453-michael-desktop64)
XHCI init on dev 00:10.0: regs @ 0xfeb22000, 4 ports, 32 slots, 32 byte contexts
XHCI    extcap 0x1 @ feb22500
XHCI    protocol USB  3.00, 2 ports (offset 1), def 0
XHCI    protocol USB  2.00, 2 ports (offset 3), def 10
XHCI    extcap 0xa @ feb22540
Found 2 serial ports
ATA controller 1 at 4010/4020/0 (irq 0 dev 88)
EHCI init on dev 00:13.0 (regs=0xfeb25420)
ATA controller 2 at 4018/4024/0 (irq 0 dev 88)
Searching bootorder for: /pci@i0cf8/*@14,7
Searching bootorder for: /rom@img/memtest
Searching bootorder for: /rom@img/setup
XHCI port #4: 0x00200e03, powered, enabled, pls 0, speed 3 [High]
Searching bootorder for: /pci@i0cf8/usb@10/storage@4/*@0/*@0,0
Searching bootorder for: /pci@i0cf8/usb@10/usb-*@4
USB MSC vendor='USB' product='DISK' rev='8.07' type=0 removable=1
USB MSC blksize=512 sectors=1978368
Initialized USB HUB (0 ports used)
All threads complete.
Scan for option roms
PCengines Press F10 key now for boot menu:
Select boot device:

1. USB MSC Drive USB DISK 8.07
2. Payload [memtest]
3. Payload [setup]

Searching bootorder for: HALT
drive 0x000f2e90: PCHS=0/0/0 translation=lba LCHS=981/32/63 s=1978368
Space available for UMB: c1000-ef000, f0000-f2e90
Returned 258048 bytes of ZoneHigh
e820 map has 7 items:
  0: 0000000000000000 - 000000000009f800 = 1 RAM
  1: 000000000009f800 - 00000000000a0000 = 2 RESERVED
  2: 00000000000f0000 - 0000000000100000 = 2 RESERVED
  3: 0000000000100000 - 00000000dffad000 = 1 RAM
  4: 00000000dffad000 - 00000000e0000000 = 2 RESERVED
  5: 00000000f8000000 - 00000000fc000000 = 2 RESERVED
  6: 0000000100000000 - 000000011f000000 = 1 RAM
enter handle_19:
  NULL
Booting from Hard Disk...
Booting from 0000:7c00
No /boot/loader

FreeBSD/x86 boot
Default: 0:ad(0,a)/boot/kernel/kernel
boot:
No /boot/kernel/kernel

FreeBSD/x86 boot
Default: 0:ad(0,a)/boot/kernel/kernel
boot:

Cheers

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved