Web Proxy: SSL Bump setting

[Markus700]

Hello Guys,

first thank you for your work on the 17.1 series.

I currently have a freshly setup system with 17.1r1 running. Web Proxy with transparent mode and ssl inspection is running. I´m having issues to enter more than 3 URLs to the ssl bump field. Im only adding in .domain.tld mode. After adding

.apple.com,.consorsbank.de,.comdirect.de,.google.de,.google.com

i cannot add more. For example this:

.apple.com,.consorsbank.de,.comdirect.de,.google.de,.google.com,.finanzen-broker.net,

returns me the following error message:

Please correct validation errors in form

and

Please enter ip addresses or domain names here

What am I doing wrong, or is it a bug ?

[fabian]

can you try this patch:
https://github.com/fabianfrz/core/commit/3e621f9644943bad04d32f6cfd8a99d7d826c2d6

[Markus700]

Thank you. This fix works fine for me!

[fabian]

Thank you. This fix works fine for me!

Thanks for your report and testing - problem was the dash in the URL which is fixed the new version - I created a pull request, so this may be in the next version.

Kind regards

Fabian

[Markus700]

1. Thank you for implementing the fix. I still have issues with this textbox. I habe around 40 entries by now. sometimes after entering an url in format ".domain.com," i cannot set the ",". I have to work with copy and paste and just type around to make it happen.

2. Another question about the transparent squid proxy with ssl.
I´m receiving this error messages in the cache logfile:

2017/01/29 15:12:21 kid1|   SECURITY ALERT: on URL: graph.instagram.com:443
2017/01/29 15:12:21 kid1|   SECURITY ALERT: Host header forgery detected on local=52.21.37.241:443 remote=192.168.1.121:41192 FD 73 flags=33 (local IP does not match any domain IP)

I unterstand the problem behind this error based on http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery but how can i actually fix this problem in a sense of an opnsense gui solution?

3. I have a popular game running on IOS (War Dragons). But with SSL scanning enabled Squid / OpenSSL won´t let the device connect to the game servers. Apparently they only support SSLv3. It seems kind of strange to me that IOS doesnt have a problem with that. Does anyone have experience with similar cases?

Error negotiating SSL connection on FD 92: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (1/-1)

Error negotiating SSL connection on FD 186: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)

   Error negotiating SSL connection on FD 99: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0)

[fabian]

2. Another question about the transparent squid proxy with ssl.
I´m receiving this error messages in the cache logfile:

2017/01/29 15:12:21 kid1|   SECURITY ALERT: on URL: graph.instagram.com:443
2017/01/29 15:12:21 kid1|   SECURITY ALERT: Host header forgery detected on local=52.21.37.241:443 remote=192.168.1.121:41192 FD 73 flags=33 (local IP does not match any domain IP)

I unterstand the problem behind this error based on http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery but how can i actually fix this problem in a sense of an opnsense gui solution?

That would be easy: you just need to force your client and your proxy to use the same resolver, which does not rotate (always return the same A records for the same request as long as the cache does not time out).

3. I have a popular game running on IOS (War Dragons). But with SSL scanning enabled Squid / OpenSSL won´t let the device connect to the game servers. Apparently they only support SSLv3. It seems kind of strange to me that IOS doesnt have a problem with that. Does anyone have experience with similar cases?

Error negotiating SSL connection on FD 92: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (1/-1)

This means you should check, which cryptographic algorithms are supported on your phone. Try to capture the traffic if possible and check the client hello messages.

Error negotiating SSL connection on FD 186: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)

   Error negotiating SSL connection on FD 99: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0)

Your client has not imported your CA certificate - import it and this should be gone (except certificate pinning apps)

[Markus700]

Thanks for that info. Still trying to figure out everything. Have CISSP / TISP certification but still it´s a challenge building all from scratch and being alone. The cert is imported and works fine with safari and so on. But seems some apps are not using it.

Im using the DNS resolver as my one and only dns. But i still have this forgery errors. Could it have to do with a AVM Fritzbox beeing used as the modem? It is using nat and im afraid it may intercept the dns traffic. Going to inspect the traffic next weekend more thoroughly.

[fabian]

Thanks for that info. Still trying to figure out everything. Have CISSP / TISP certification but still it´s a challenge building all from scratch and being alone. The cert is imported and works fine with safari and so on. But seems some apps are not using it.

If an app you are required to use cannot work with a proxy intercepting the traffic, you will have to white list it (no bump sites).

[Markus700]

I still have problems with ssl proxy. I made sure to add all domains wo ssl bump list. But SSL connection for the game app are beeing reseted with TLS Fatal Handshake error 40. All other connections work fine so far.