Squid - SSLBump Windowsupdate

Started by AndyX90, April 14, 2018, 09:22:19 AM

Hi, I am experiencing some problems with Squid + SSL Bump and Windows Update (WSUS). I have set up Single Sign-On.
I have inserted .microsoft.com and .windowsupdate.com into no-bump sites.
Now I get the following error multiple times in the Squid log:
kid1| Error negotiating SSL on FD 22: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
If I try to open https://update.microsoft.com/ directly without the proxy, I get a certificate warning in my browser too.
There seems to be an issue in their certificate chain.
How can I explicitly trust those sites? I tried to put them in the whitelist, but it doesn't work.
Many thanks!

The no-bump sites should do the trick, but this does not fix the real problem: the server uses an untrusted certificate. In that case, the proxy cannot see the traffic and the client has to validate the certificate.

Explicit trust works if you edit the certificate database by hand.

Thanks, but no-bump sites don't work.
Maybe I have to edit the cert DB by hand.
Would it be possible to add a feature in the Web UI to view/edit the verification CAs?
Like this on Sophos UTM (see attachment).
Thanks.

I have already tried everything, but under Windows 10 the updates are not recorded. I get exactly the same error message.

kid1| Error negotiating SSL on FD 36: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

Does anyone know this or can implement such a feature in OPNsense?
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

Strange, right at the moment I dropped my posting, it worked. I will post my solution here once I know what exactly must be registered where and which domains now really work.

I use Squid transparent with a certificate.

October 21, 2018, 01:32:15 PM #5 Last Edit: October 21, 2018, 01:35:47 PM by noname12123
So sometimes it works and sometimes not, usually not. Why it sometimes works is not clear to me.

Most of the time the proxy gets these errors:

cache:
routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

access:
TAG_NONE/503 4283 POST https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx - HIER_NONE/- text/html

Does anyone know how to fix this?
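To triage the two log lines quoted in this post (the `cache.log` SSL negotiation error and the `access.log` `TAG_NONE/503 ... HIER_NONE/-` entry), here is an added example script that is not part of the thread or of OPNsense/Squid. It parses constructed sample lines modelled on the quoted ones, counts certificate-verify failures, lists the hosts for which Squid itself answered 503 without contacting any upstream (which is what `HIER_NONE` indicates), and checks whether those hosts are covered by the OP's no-bump domain list using Squid's `dstdomain` matching rule (a leading dot matches the domain and all its subdomains). A host that is both failing and already on the no-bump list is the case a defender wants flagged, because it means the connection was not spliced as intended. The log lines, the client addresses and the `NO_BUMP` list are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample cache.log lines (modelled on the lines quoted in the thread).
CACHE_LOG = """\
2018/10/21 13:20:01 kid1| Error negotiating SSL on FD 36: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
2018/10/21 13:20:05 kid1| Error negotiating SSL on FD 22: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
2018/10/21 13:20:09 kid1| Starting new helpers
"""

# Constructed sample access.log lines in Squid's default native format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
ACCESS_LOG = """\
1540120801.123    120 192.0.2.10 TAG_NONE/503 4283 POST https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx - HIER_NONE/- text/html
1540120805.456     95 192.0.2.10 TAG_NONE/503 4283 POST https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx - HIER_NONE/- text/html
1540120809.789    310 192.0.2.11 TCP_MISS/200 12345 GET https://www.example.org/index.html - HIER_DIRECT/203.0.113.5 text/html
"""

# The no-bump domains the OP configured (assumed list for this example).
NO_BUMP = [".microsoft.com", ".windowsupdate.com"]

# Matches "Error negotiating SSL on FD <n>: error:<code>:SSL routines:<routine>:<reason> (...)"
SSL_ERR = re.compile(
    r"Error negotiating SSL on FD (?P<fd>\d+): error:(?P<code>[0-9A-Fa-f]+):"
    r"SSL routines:(?P<routine>[^:]+):(?P<reason>[^(]+?)\s*\("
)


def parse_cache_log(text):
    """Extract SSL negotiation errors from cache.log text."""
    errors = []
    for line in text.splitlines():
        m = SSL_ERR.search(line)
        if m:
            errors.append({"fd": int(m["fd"]), "code": m["code"],
                           "routine": m["routine"], "reason": m["reason"].strip()})
    return errors


def parse_access_log(text):
    """Parse native-format access.log lines into dicts (host taken from the URL)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10:
            continue  # not a native-format line; skip it
        result, code = parts[3].split("/")
        rows.append({"client": parts[2], "result": result, "status": int(code),
                     "method": parts[5], "host": urlsplit(parts[6]).hostname or "",
                     "hier": parts[8]})
    return rows


def matches_no_bump(host, patterns=NO_BUMP):
    """Apply Squid dstdomain semantics: '.example.com' matches example.com and subdomains."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def triage(cache_text, access_text, patterns=NO_BUMP):
    """Correlate cert-verify failures with proxy-generated 503s and the no-bump list."""
    cert_failures = [e for e in parse_cache_log(cache_text)
                     if "certificate verify failed" in e["reason"]]
    # HIER_NONE means Squid answered without contacting any upstream server,
    # i.e. the 503 was generated by the proxy (here: after the failed TLS handshake).
    proxy_503 = Counter(r["host"] for r in parse_access_log(access_text)
                        if r["status"] == 503 and r["hier"].startswith("HIER_NONE"))
    covered = sorted(h for h in proxy_503 if matches_no_bump(h, patterns))
    return {"cert_failures": len(cert_failures),
            "proxy_503_by_host": dict(proxy_503),
            "hosts_in_no_bump_list": covered}


if __name__ == "__main__":
    summary = triage(CACHE_LOG, ACCESS_LOG)
    print(f"certificate verify failures: {summary['cert_failures']}")
    for host, n in summary["proxy_503_by_host"].items():
        print(f"proxy-generated 503 for {host}: {n}")
    for host in summary["hosts_in_no_bump_list"]:
        print(f"WARNING: {host} is on the no-bump list but still failed; check ssl_bump rule order")
```

Run it against real logs by reading `/var/log/squid/cache.log` and `/var/log/squid/access.log` into the two `triage()` arguments; a host that appears under `hosts_in_no_bump_list` tells you the splice rule did not take effect for it, which points at the `ssl_bump` rule order rather than at the remote certificate.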

This means one of their servers has an invalid certificate (incorrect hostname, not in valid time range, untrusted CA etc.). It is usually not an error at your side.

Thanks for your information.

Regards,
Rene

Quote from: fabian on October 21, 2018, 09:09:18 PM
This means one of their servers has an invalid certificate (incorrect hostname, not in valid time range, untrusted CA etc.). It is usually not an error at your side.

It would be great if OPNsense had a solution like pfSense does.
I assume that I'm not the only one who uses Windows clients.

According to the Squid wiki this should work here; only the options are missing in OPNsense:
https://wiki.squid-cache.org/ConfigExamples/Caching/WindowsUpdates

Unfortunately, I know that this works for pfSense. It's only possible in OPNsense by editing the config files manually. But I prefer to keep my fingers off.