Let's Encrypt and SSL Content Filtering

Started by ejball02, June 12, 2021, 09:54:45 PM

June 12, 2021, 09:54:45 PM Last Edit: June 13, 2021, 03:12:30 AM by ejball02
Is it possible to use a Let's Encrypt cert for SSL filtering (transparent proxy)? I'm using the internal one right now, but everyone on the guest network gets the famous ERR_CERT_AUTHORITY_INVALID message. It's a guest network, which means tablets, phones, laptops, all kinds of different devices and different people. So it's not possible to tell everyone they have to save the internal certificate into their browser. None of the guests even know what that means!

If it's not possible, then how can SSL be filtered? I created an AWS cert and downloaded that to OPNsense, but that didn't do anything. I've also added the Sensei plugin, free version, which gives some level of control, but I'm still looking for a solution. Any ideas?

June 13, 2021, 08:27:34 AM #1 Last Edit: June 13, 2021, 08:29:29 AM by fabian
No, they would not be allowed to give you that certificate.

Search for the Symantec / Blue Coat case.

A Google search didn't pull up anything on the Symantec / Blue Coat case. But I'll keep looking.

Next question. Does OPNsense have a plugin which will push an internal certificate to connected devices when the network doesn't have group policies or Active Directory?

There are some humanitarian non-profit organizations who don't have budgets for IT hardware/software or staff to support it. So it seems there would be a big demand for a product that can both allow/block ports and allow/block content easily. It doesn't necessarily have to be turn-key, but something a volunteer, like myself, can add to a network.

Quote from: ejball02 on June 13, 2021, 02:28:42 PM
Next question. Does OPNsense have a plugin which will push an internal certificate to connected devices when the network doesn't have group policies or Active Directory?

Let me rephrase the above question... Has anyone used Captive Portal to push a self-signed cert to a guest machine, when there is no GPO/AD?

To explain both:

Blue Coat / Symantec:
Symantec issued an intermediate CA certificate to Blue Coat (a subsidiary of theirs) for their testing (at least that is what was officially said), and Google caught them.
Then the trust was more and more removed until Symantec finally sold their certificate business.
In my opinion, the process was too soft. I would have removed the certificate from the browsers' trust store after a grace period of two weeks.

Captive Portal:
You can upload your own templates, and they can offer the file for download. However, you can also do hostname-based blocking, which does not require a certificate.

Quote from: ejball02 on June 13, 2021, 03:29:53 PM
Quote from: ejball02 on June 13, 2021, 02:28:42 PM
Next question. Does OPNsense have a plugin which will push an internal certificate to connected devices when the network doesn't have group policies or Active Directory?

Let me rephrase the above question... Has anyone used Captive Portal to push a self-signed cert to a guest machine, when there is no GPO/AD?

No, this does not work. You can't push certificates to a client that you don't have access to.

On a guest network where you don't control the client CA store, you could rely on SNI-only inspection.
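As an added illustration of the SNI-only approach mentioned above (example code written for this thread, not from the thread itself or from OPNsense): a small Python parser that pulls the server_name from a TLS ClientHello and applies a hostname blocklist without any certificate, returning "no-sni" when the name is not visible (non-TLS traffic, a truncated record, or a ClientHello with no SNI) so the policy has to fall back to something else. The ClientHello bytes and the blocklist are constructed inline.

```python
import struct

BLOCKED = {"example.com"}  # constructed sample hostname blocklist


def build_client_hello(hostname: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    name = b"\x00" + struct.pack("!H", len(hostname)) + hostname
    sni = struct.pack("!H", len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni          # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                    # version + random
            + b"\x00"                                     # empty session id
            + b"\x00\x02\x13\x01"                         # one cipher suite
            + b"\x01\x00"                                 # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent/unparseable."""
    if len(record) < 9 or record[0] != 0x16:             # not a TLS handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                      # not a ClientHello
        return None
    p = 4 + 2 + 32                                        # skip header, version, random
    try:
        p += 1 + hs[p]                                    # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher suites
        p += 1 + hs[p]                                    # compression methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0] # extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                                # server_name: list len, type, name len
                n = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + n].decode("ascii")
            p += elen
    except (IndexError, struct.error):
        return None                                       # truncated or malformed
    return None


def decide(record: bytes, blocked=BLOCKED) -> str:
    """Allow/block by SNI only; 'no-sni' means the name is not visible to the filter."""
    name = extract_sni(record)
    if name is None:
        return "no-sni"
    hit = any(name == b or name.endswith("." + b) for b in blocked)
    return "block" if hit else "allow"
```

Note that a client using encrypted ClientHello, or a non-TLS protocol on 443, lands in the "no-sni" branch, which is exactly the gap the other replies point to when they suggest DNS filtering alongside this.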

For content filtering you're probably better off using ZenArmor or DNS filtering.
SSL inspection, at least on OPNsense using Squid, is not a clean experience. Lots of caveats. Best left for very corner-case situations.
If absolutely needed, then I would advise looking at other vendors, but that comes with more $$$.