Transparent SSL-Proxy not working correctly when using RBL

Started by WIT-Jansen, October 17, 2022, 09:33:51 AM

Good Morning,

I have a specific problem with the web proxy on a currently running virtual OPNsense 22.7.6-amd64.

We are using the transparent ssl-proxy setup based on the guidelines of the documentation.
SSL-Bumps are all set, and in general the setup is working, but as soon as I activate the RBL (we are using UT1), some HTTPS websites don't work anymore.
A few important ones, for example banking sites, can't be opened, and even if I choose, for example, only the category "Manga" to block, these banking sites won't work anymore.

In the RBL-option I tried it with and without the button "ssl ignore cert" but nothing changes.
I also checked the content of the manga category and searched the files for the specific problematic domains and URLs, but nothing there.
And I also put the domains on the whitelist with the simple and regular expression variants; nothing changes.
As soon as I deactivate the RBL again, everything is working fine, but of course then the web proxy is useless for us.

In certain cases I get the HTTPS errors and in others I get an access denied via the OPNs, but again those domains/IPs are not present in the RBL files.
I also set the "alternate" DNS servers, so the OPNs uses the same ones as the server that wants to reach those websites.
Does anybody have a clue what it could be?

Thanks in advance for any possible information or help with this case.

A few things to check:

SSL Bump & RBL order: Make sure the SSL-Bump happens before the RBL filtering. If RBL checks occur before the bump, it may not correctly see the actual domain names and could block HTTPS connections erroneously.

SNI inspection: Some RBLs rely on SNI to identify domains during TLS handshakes. If your setup isn't properly inspecting SNI, it might misinterpret connections.

Certificate pinning / strict TLS: Banking sites often use certificate pinning. If "ssl ignore cert" is on, some apps might still reject the connection due to mismatched certificates, even if the domain isn't blocked.

RBL data formatting: Double-check the UT1 RBL file formatting. Sometimes extra lines, unexpected characters, or UTF BOMs can cause false positives in filtering.

Logging & packet capture: Enable full logging for the proxy and capture traffic when a site fails. This usually reveals whether the block is happening at the RBL check or due to SSL handling.

Most likely, the combination of SSL-Bump and RBL processing is causing false positives. Adjusting the filter order or using SNI-based exceptions for banking sites usually resolves it.
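The reply's points about RBL file formatting (BOM, stray characters, blank lines) and about confirming where a block actually comes from can be checked offline before touching the proxy. The following Python script is an added example written for this thread; it is not part of OPNsense, squid or the UT1 distribution. It loads a UT1-style "domains" file, reports formatting defects, and tests whether a given hostname would be caught by it. It assumes the usual domain-list semantics (an entry matches the host itself and every subdomain) and that a whitelist hit overrides the blacklist; the sample file contents are constructed for the demonstration and deliberately include a bare parent-domain entry, which is one way an unrelated category ends up matching a banking host.

```python
import codecs
from typing import List, Optional, Tuple

# Constructed sample files (not real UT1 content). The blacklist carries a
# UTF-8 BOM, CRLF line endings, an indented entry and one over-broad entry.
SAMPLE_BLACKLIST = (
    codecs.BOM_UTF8
    + b"manga-site.example\r\n"
    + b"  example\r\n"              # bare parent domain: matches every *.example host
    + b"\r\n"
    + b"scanlation.example.net\r\n"
)
SAMPLE_WHITELIST = b"bank.example\n"

# Characters expected in a plain (non-IDN, non-punycode-escaped) domain entry.
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789.-")


def normalize_entries(raw: bytes) -> Tuple[List[str], List[str]]:
    """Parse a domains file; return (clean entries, list of formatting problems)."""
    problems: List[str] = []
    if raw.startswith(codecs.BOM_UTF8):
        problems.append("utf-8 BOM at start of file")
        raw = raw[len(codecs.BOM_UTF8):]
    if b"\r\n" in raw:
        problems.append("CRLF line endings")
    entries: List[str] = []
    text = raw.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        if line != line.strip():
            problems.append(f"line {lineno}: leading/trailing whitespace")
        entry = line.strip().lower().rstrip(".")
        if not entry or entry.startswith("#"):
            continue                  # blank line or comment
        if set(entry) - ALLOWED:
            problems.append(f"line {lineno}: unexpected characters in {entry!r}")
            continue                  # skip; a filter may treat it unpredictably
        if "." not in entry:
            problems.append(f"line {lineno}: single-label entry {entry!r} "
                            "matches every host under it")
        entries.append(entry)
    return entries, problems


def host_matches(host: str, entries: List[str]) -> Optional[str]:
    """Return the entry that matches host (exact or parent domain), else None."""
    labels = host.lower().rstrip(".").split(".")
    listed = set(entries)
    for i in range(len(labels)):          # host, then each parent domain
        candidate = ".".join(labels[i:])
        if candidate in listed:
            return candidate
    return None


def decide(host: str, blacklist: List[str], whitelist: List[str]) -> str:
    """Whitelist wins; otherwise deny with the blacklist entry that matched."""
    if host_matches(host, whitelist):
        return "allow"
    hit = host_matches(host, blacklist)
    return f"deny:{hit}" if hit else "allow"


if __name__ == "__main__":
    bl, bl_problems = normalize_entries(SAMPLE_BLACKLIST)
    wl, _ = normalize_entries(SAMPLE_WHITELIST)
    for p in bl_problems:
        print("problem:", p)
    for host in ("www.bank.example", "www.manga-site.example", "bank.test"):
        print(host, "->", decide(host, bl, wl),
              "(blacklist entry:", host_matches(host, bl), ")")
```

Run it against the real category file and whitelist by replacing the sample bytes with the file contents; if a banking host reports a blacklist entry that is not the host itself, the match is coming from a parent-domain entry rather than from the domain being listed, which narrows the search the original post describes.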