Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
18.1 Legacy Series
»
[SOLVED]SSL certificat and suricata rules
« previous
next »
Print
Pages: [
1
]
Author
Topic: [SOLVED]SSL certificat and suricata rules (Read 3975 times)
bmail
Newbie
Posts: 37
Karma: 1
[SOLVED]SSL certificat and suricata rules
«
on:
May 22, 2018, 01:29:59 pm »
Hello,
I think I need help to understand how Opnsense is processing...
I use squid with https inspection. So I created an self signed authority inside Opnsense (called internal-ca).
When a user visits an https web page, every site show a certificat provided by my organisation, with, of course, a unique SHA1 fingerprint. I think this is normal. But ...
I try to block some site using "user defined rules" with Suricata. I give the fingerprint of the website I want to block, but no success ... the website isn't block by suricata.
Suricata works on wan interface only. If it works on wan + lan interface, no more access to Opnsense GUI caused by a rule:
SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt
Alert sid 31484
Is there a way to use drop action based on ssl fingerprint if we want to use ssl inspection with Squid ?
Thank a lot for any advice.
Bertrand
«
Last Edit: May 22, 2018, 07:12:52 pm by bmail
»
Logged
bmail
Newbie
Posts: 37
Karma: 1
Re: SSL certificat and suricata rules
«
Reply #1 on:
May 22, 2018, 07:12:16 pm »
Found !
Ok, how can I be so stupid ?
Just adding the web site in the "SSL no bump sites", so the real certificat is transmitted and can be drop by suricata.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
18.1 Legacy Series
»
[SOLVED]SSL certificat and suricata rules