OPNsense Forum » English Forums » Web Proxy Filtering and Caching (Moderator: fabian) » Problems with certificates
Topic: Problems with certificates (Read 1010 times)
Moosesu (Newbie, Posts: 1, Karma: 0)
Problems with certificates « on: July 03, 2024, 09:47:50 pm »
PROBLEMS WITH CERTIFICATES
Hi, I'm kinda new on OPNsense and I'm starting to use Squid for my work so I can block pages, but my problem here is the certificates, because when I choose the one I made, all the pages like Google or similar say that there's a problem with certificates. So I decided to download the ACME plugin, and with the ACME client I made a new certificate with Let's Encrypt, but the problem is that when I try to use it, it doesn't appear in the certificates for Squid. So I was wondering if y'all have some advice for me or if I'm doing something wrong. Hope y'all can help me.
meyergru (Hero Member, Posts: 1697, Karma: 167, IT Aficionado)
Re: Problems with certificates « Reply #1 on: July 03, 2024, 10:24:46 pm »
SSL inspection is one of the most complex, overrated and misunderstood concepts with regard to firewalls. My short recommendation is: DON'T do it, unless you really know what you are doing. Its use is mostly limited to well-organized enterprise setups with full control over all clients - and in that case, you also can and should better use endpoint protection instead.
1. It does not work like you obviously think it does.
2. It has to break up a 1:1 encrypted connection into two connections: a. one between your client and squid and b. one between squid and the target site (the latter is easy).
3. In order to do a., squid has to present a certificate for the target site to your clients, which you cannot get from an official CA because you usually do not own the target site. That is the reason why your attempt to use a Let's Encrypt/ACME certificate MUST fail: the certificate is either not for the target site or you cannot get it.
4. What you have to do is to build your own CA by which squid can create certificates for ANY target site on-the-fly. The downside of this is that this CA will not be trusted by your clients UNLESS you can and do actually import it into all of your clients. With some clients, this is infeasible, which means this attempt will not even work for such clients when they connect to a TLS secured site. Even with normal PC browsers, you will see that those target certificates are issued by a CA which is not one of the well-known ones.
5. Some target sites (e.g. banks) even use "certificate pinning", which serves a certificate fingerprint in order to make browsers aware of the fact that any other certificate is fake and that they should not trust this connection (aka "does not work"). So, you must have a list of sites for which you do not do a two-way connection, but pass traffic encrypted.
You can read about the correct setup here:
https://wiki.squid-cache.org/Features/SslBump
« Last Edit: July 04, 2024, 11:07:06 am by meyergru »
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005, 1100 down / 440 up, Bufferbloat A+
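A client-side walk-through of points 3 to 5 in the reply above, written as an added example and not code from this thread, OPNsense or Squid: the certificate dicts, DER bytes and CA names are constructed stand-ins (shaped like `ssl.SSLSocket.getpeercert()` output), and the leaf issuer stands in for full chain building.

```python
import hashlib

# Constructed stand-in for the OS trust store a browser consults.
PUBLIC_CAS = {"Public CA (constructed)"}

def san_dns_names(cert):
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def hostname_matches(hostname, cert):
    """Exact match or single-label wildcard (*.example.com), as browsers do."""
    host = hostname.lower()
    for name in san_dns_names(cert):
        name = name.lower()
        if name.startswith("*."):
            labels = host.split(".")
            if len(labels) > 2 and ".".join(labels[1:]) == name[2:]:
                return True
        elif host == name:
            return True
    return False

def diagnose(hostname, cert, der, trusted_cas, pin=None):
    """Return the first reason a client rejects this certificate, or 'ok'.

    `der` is the encoded leaf (constructed bytes here) used for the pin check.
    """
    issuer = dict(attr for rdn in cert["issuer"] for attr in rdn).get("commonName")
    if issuer not in trusted_cas:
        return "untrusted issuer: %s" % issuer  # private squid CA not imported (point 4)
    if not hostname_matches(hostname, cert):
        return "hostname mismatch: %s" % san_dns_names(cert)  # cert for the wrong site (point 3)
    if pin and hashlib.sha256(der).hexdigest() != pin:
        return "pin mismatch"  # pinned site notices the substituted certificate (point 5)
    return "ok"

def cert(subject_cn, issuer_cn, *dns):
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "subjectAltName": tuple(("DNS", d) for d in dns)}

SQUID_CA = "OPNsense Squid CA (constructed)"
ACME_CERT = cert("fw.example.lan", "Public CA (constructed)", "fw.example.lan")
SQUID_CERT = cert("www.google.com", SQUID_CA, "www.google.com", "*.google.com")
SQUID_DER = b"constructed DER bytes of the squid-minted leaf"
GOOGLE_PIN = hashlib.sha256(b"constructed DER bytes of the real leaf").hexdigest()

if __name__ == "__main__":
    print(diagnose("www.google.com", ACME_CERT, b"", PUBLIC_CAS))
    print(diagnose("www.google.com", SQUID_CERT, SQUID_DER, PUBLIC_CAS))
    print(diagnose("www.google.com", SQUID_CERT, SQUID_DER, PUBLIC_CAS | {SQUID_CA}))
    print(diagnose("www.google.com", SQUID_CERT, SQUID_DER, PUBLIC_CAS | {SQUID_CA}, GOOGLE_PIN))
```

The four calls reproduce the thread's outcomes in order: the Let's Encrypt certificate is rejected for the wrong name, the squid-minted one for an unknown issuer, it passes once the squid CA is imported, and a pinned site still rejects it.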