OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Web Proxy Filtering and Caching (Moderator: fabian) »
  • Squid SSL Inspection and Windows Updates
« previous next »
  • Print
Pages: [1]

Author Topic: Squid SSL Inspection and Windows Updates  (Read 7247 times)

XeroX

  • Full Member
  • ***
  • Posts: 114
  • Karma: 7
    • View Profile
Squid SSL Inspection and Windows Updates
« on: October 08, 2020, 07:37:06 pm »
Hello,
Microsoft is using Certificate Pinning for Windows Update. I can't get this working properly.

Can anyone help me to paste this to the correct section? I feel this is overwritten by the bump settings of OPNSense.

https://wiki.squid-cache.org/SquidFaq/WindowsUpdate
Logged

AndyX90

  • Jr. Member
  • **
  • Posts: 55
  • Karma: 2
    • View Profile
Re: Squid SSL Inspection and Windows Updates
« Reply #1 on: October 15, 2020, 05:50:48 am »
You have to import the Microsoft-CA in System --> Trust --> Authorities. The Windows Update CA is not trusty on other Clients than Windows..

I think this one: https://update.microsoft.com/

Gesendet von meinem Mi 10 mit Tapatalk

Logged

XeroX

  • Full Member
  • ***
  • Posts: 114
  • Karma: 7
    • View Profile
Re: Squid SSL Inspection and Windows Updates
« Reply #2 on: June 15, 2021, 03:06:55 pm »
Hello,
I know this is a little old topic started by me but I got the time to set this up and got it working!

You've to add this to squid bump, make sure to include the leading "." It will include the domain itself and all subdomains:
Code: [Select]
.microsoft.com.akadns.net
.windowsupdate.com
.microsoft.com

The URLs listed in Squid Wiki are to much, I reduced this. However you can do it more granular. (https://wiki.squid-cache.org/ConfigExamples/Caching/WindowsUpdates)

Additionally (Thx AndyX90) you have to import the following certificates:
Microsoft Root Certificate Authority 2011 - ROOT
Microsoft Update Secure Server CA 2.1 - INTERMEDIATE
Microsoft ECC Product Root Certificate Authority 2018 - ROOT
Microsoft ECC Content Distribution Secure Server CA 2.1 - INTERMEDIATE

You have to import every certificate that throws the following error in Cache Log:
kid1| ERROR: negotiating TLS on FD 49: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)   

Good luck ;)
« Last Edit: June 15, 2021, 03:22:10 pm by XeroX »
Logged

randomwalk

  • Newbie
  • *
  • Posts: 33
  • Karma: 2
    • View Profile
Re: Squid SSL Inspection and Windows Updates
« Reply #3 on: September 08, 2021, 11:13:15 pm »
I just want to say that the procedure by XeroX works!  To help folks who are interested in getting Windows Update to work with Squid SSL inspection, below are the certificates that you need to import into OPNsense. 

Go to OPNsense --> System --> Trust --> Authorities.  Click "Add," put in whatever descriptive name you want, method should be "Import and existing Certificate Authority," then paste in the below into the "Certificate Data" box.  You must include all of the text, including the part with BEGIN CERTIFICATE and END CERTIFICATE.

The first two certificates below can probably be found in your own Windows 10 installation.  Type "certmgr" into the Windows search box and that should find the certificate manager.  Under the folder "Trusted Root Certification Authorities," you should be able to find the first two certificates.  You can export them in the "Base-64 encoded X.509" format, then open the file in Notepad, which will show you what I pasted below.

The other two certificates I found online here:

https://censys.io/certificates/6139e2df97dc93bf7e90a303f75b3968fd06c57316b45e94dcff773707cf2754

https://censys.io/certificates/e39f93f3b2b40fd3c41de7dfa7d0b0cb6c4d8f97cbab2bb81c178f4b5f3c7eed

I don't know censys.io, but the certificate appears legit as when you open it, it tells you that they are issued by the other two root authorities.


Microsoft Root Certificate Authority 2011

Code: [Select]
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIQP4vItfyfspZDtWnWbELhRDANBgkqhkiG9w0BAQsFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMp
TWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEw
MzIyMjIwNTI4WhcNMzYwMzIyMjIxMzA0WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv
c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5IDIwMTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCygEGqNThNE3IyaCJNuLLx/9VSvGzH9dJKjDbu0cJcfoyKrq8TKG/Ac+M6
ztAlqFo6be+ouFmrEyNozQwph9FvgFyPRH9dkAFSWKxRxV8qh9zc2AodwQO5e7BW
6KPeZGHCnvjzfLnsDbVU/ky2ZU+I8JxImQxCCwl8MVkXeQZ4KI2JOkwDJb5xalwL
54RgpJki49KvhKSn+9GY7Qyp3pSJ4Q6g3MDOmT3qCFK7VnnkH4S6Hri0xElcTzFL
h93dBWcmmYDgcRGjuKVB4qRTufcyKYMME782XgSzS0NHL2vikR7TmE/dQgfI6B0S
/Jmpaz6SfsjWaTr8ZL22CZ3K/QwLopt3YEsDlKQwaRLWQi3BQUzK3Kr9j1uDRprZ
/LHR47PJf0h6zSTwQY9cdNCssBAgBkm3xy0hyFfj0IbzA2j70M5xwYmZSmQBbP3s
MJHPQTySx+W6hh1hhMdfgzlirrSSL0fzC/hV66AfWdC7dJse0Hbm8ukG1xDo+mTe
acY1logC8Ea4PyeZb8txiSk190gWAjWP1Xl8TQLPX+uKg09FcYj5qQ1OcunCnAfP
SRtOBA5jUYxe2ADBVSy2xuDCZU7JNDn1nLPEfuhhbhNfFcRf2X7tHc7uROzLLoax
7Dj2cO2rXBPB2Q8Nx4CyVe0096yb5MPa50c8prWPMd/FS6/r8QIDAQABo1EwTzAL
BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUci06AjGQQ7kU
BU7h6qfHMdEjiTQwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggIB
AH9yzw+3xRXbm8BJyiZb/p4T5tPw0tuXX/JLP02zrhmu7deXoKzvqTqjwkGw5biR
nhOBJAPmCf0/V0A5ISRW0RAvS0CpNoZLtFNXmvvxfomPEf4YbFGq6O0JlbXlccmh
6Yd1phV/yX43VF50k8XDZ8wNT2uoFwxtCJJ+i92Bqi1wIcM9BhS7vyRep4TXPw8h
Ir1LAAbblxzYXtTFC1yHblCk6MM4pPvLLMWSZpuFXst6bJN8gClYW1e1QGm6CHmm
ZGIVnYeWRbVmIyADixxzoNOieTPgUFmG2y/lAiXqcyqfABTINseSO+lOAOzYVgm5
M0kS0lQLAausR7aRKX1MtHWAUgHoyoL2n8ysnI8X6i8msKtyrAv+nlEex0NVZ09R
s1fWtuzuUrc66U7h14GIvE+OdbtLqPA1qibUZ2dJsnBMO5PcHd94kIZysjik0dyS
TclY6ysSXNQ7roxrsIPlAT/4CTL2kzU0Iq/dNw13CYArzUgA8YyZGUcFAenRv9FO
0OYoQzeZpApKCNmacXPSqs0xE2N2oTdvkjgefRI8ZjLny23h/FKJ3crWZgWalmG+
oijHHKOnNlA8OqTfSm7mhzvO6/DggTedEzxSjr25HTTGHdUKaj2YKXCMiSrRq4IQ
SB/c9O+lxbtVGjhjhE63bK2VVOxlIhBJF7jAHscPrFRH
-----END CERTIFICATE-----

Microsoft ECC Product Root Certificate Authority 2018

Code: [Select]
-----BEGIN CERTIFICATE-----
MIIDIzCCAqigAwIBAgIQFJgmZtx8zY9AU2d7uZnshTAKBggqhkjOPQQDAzCBlDEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v
bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE+MDwGA1UEAxM1TWlj
cm9zb2Z0IEVDQyBQcm9kdWN0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw
MTgwHhcNMTgwMjI3MjA0MjA4WhcNNDMwMjI3MjA1MDQ2WjCBlDELMAkGA1UEBhMC
VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV
BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE+MDwGA1UEAxM1TWljcm9zb2Z0IEVD
QyBQcm9kdWN0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTgwdjAQBgcq
hkjOPQIBBgUrgQQAIgNiAATHERYqdh1Wjr65YmXUw8608MMw7I9t1245vMhJq6u4
40N41YEGXe/HfZ/O1rOQdd4MsJDeI7rI0T5n4BmpG4YxHl80Le4X/RX7fieKMqHq
yY/JfhjLLzssSHp9pvQBB6yjgbwwgbkwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB
/wQFMAMBAf8wHQYDVR0OBBYEFEPvcIe4nb/siBncxsRrdQ11NDMIMBAGCSsGAQQB
gjcVAQQDAgEAMGUGA1UdIAReMFwwBgYEVR0gADBSBgwrBgEEAYI3TIN9AQEwQjBA
BggrBgEFBQcCARY0aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9Eb2Nz
L1JlcG9zaXRvcnkuaHRtADAKBggqhkjOPQQDAwNpADBmAjEAocBJRF0yVSfMPpBu
JSKdJFubUTXHkUlJKqP5b08czd2c4bVXyZ7CIkWbBhVwHEW/AjEAxdMo63LHPrCs
Jwl/Yj1geeWS8UUquaUC5GC7/nornGCntZkU8rC+8LsFllZWj8Fo
-----END CERTIFICATE-----

Microsoft Update Secure Server CA 2.1

Code: [Select]
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIQP4vItfyfspZDtWnWbELhRDANBgkqhkiG9w0BAQsFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMp
TWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEw
MzIyMjIwNTI4WhcNMzYwMzIyMjIxMzA0WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv
c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5IDIwMTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCygEGqNThNE3IyaCJNuLLx/9VSvGzH9dJKjDbu0cJcfoyKrq8TKG/Ac+M6
ztAlqFo6be+ouFmrEyNozQwph9FvgFyPRH9dkAFSWKxRxV8qh9zc2AodwQO5e7BW
6KPeZGHCnvjzfLnsDbVU/ky2ZU+I8JxImQxCCwl8MVkXeQZ4KI2JOkwDJb5xalwL
54RgpJki49KvhKSn+9GY7Qyp3pSJ4Q6g3MDOmT3qCFK7VnnkH4S6Hri0xElcTzFL
h93dBWcmmYDgcRGjuKVB4qRTufcyKYMME782XgSzS0NHL2vikR7TmE/dQgfI6B0S
/Jmpaz6SfsjWaTr8ZL22CZ3K/QwLopt3YEsDlKQwaRLWQi3BQUzK3Kr9j1uDRprZ
/LHR47PJf0h6zSTwQY9cdNCssBAgBkm3xy0hyFfj0IbzA2j70M5xwYmZSmQBbP3s
MJHPQTySx+W6hh1hhMdfgzlirrSSL0fzC/hV66AfWdC7dJse0Hbm8ukG1xDo+mTe
acY1logC8Ea4PyeZb8txiSk190gWAjWP1Xl8TQLPX+uKg09FcYj5qQ1OcunCnAfP
SRtOBA5jUYxe2ADBVSy2xuDCZU7JNDn1nLPEfuhhbhNfFcRf2X7tHc7uROzLLoax
7Dj2cO2rXBPB2Q8Nx4CyVe0096yb5MPa50c8prWPMd/FS6/r8QIDAQABo1EwTzAL
BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUci06AjGQQ7kU
BU7h6qfHMdEjiTQwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggIB
AH9yzw+3xRXbm8BJyiZb/p4T5tPw0tuXX/JLP02zrhmu7deXoKzvqTqjwkGw5biR
nhOBJAPmCf0/V0A5ISRW0RAvS0CpNoZLtFNXmvvxfomPEf4YbFGq6O0JlbXlccmh
6Yd1phV/yX43VF50k8XDZ8wNT2uoFwxtCJJ+i92Bqi1wIcM9BhS7vyRep4TXPw8h
Ir1LAAbblxzYXtTFC1yHblCk6MM4pPvLLMWSZpuFXst6bJN8gClYW1e1QGm6CHmm
ZGIVnYeWRbVmIyADixxzoNOieTPgUFmG2y/lAiXqcyqfABTINseSO+lOAOzYVgm5
M0kS0lQLAausR7aRKX1MtHWAUgHoyoL2n8ysnI8X6i8msKtyrAv+nlEex0NVZ09R
s1fWtuzuUrc66U7h14GIvE+OdbtLqPA1qibUZ2dJsnBMO5PcHd94kIZysjik0dyS
TclY6ysSXNQ7roxrsIPlAT/4CTL2kzU0Iq/dNw13CYArzUgA8YyZGUcFAenRv9FO
0OYoQzeZpApKCNmacXPSqs0xE2N2oTdvkjgefRI8ZjLny23h/FKJ3crWZgWalmG+
oijHHKOnNlA8OqTfSm7mhzvO6/DggTedEzxSjr25HTTGHdUKaj2YKXCMiSrRq4IQ
SB/c9O+lxbtVGjhjhE63bK2VVOxlIhBJF7jAHscPrFRH
-----END CERTIFICATE-----

Microsoft ECC Content Distribution Secure Server CA 2.1

Code: [Select]
-----BEGIN CERTIFICATE-----
MIIEbzCCA/agAwIBAgITMwAAAAkGbLYB5EGOcwAAAAAACTAKBggqhkjOPQQDAzCB
lDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE+MDwGA1UEAxM1
TWljcm9zb2Z0IEVDQyBQcm9kdWN0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
IDIwMTgwHhcNMTgxMjA3MjAwNTM1WhcNMzMxMjA3MjAxNTM1WjCBljELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc
BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjFAMD4GA1UEAxM3TWljcm9zb2Z0
IEVDQyBDb250ZW50IERpc3RyaWJ1dGlvbiBTZWN1cmUgU2VydmVyIENBIDIuMTB2
MBAGByqGSM49AgEGBSuBBAAiA2IABJZFwxWVPpORXxdExmMwhhRWYMWmvV8dA2gQ
KJOa6+MFlSq7AFchZZTP4ElW6B/w5cIz/7XYsQylwGwMWzB75vF2sgZEinv89FCC
Ee10iRmPAXMdypIyKGovmxy7hapay6OCAgQwggIAMA4GA1UdDwEB/wQEAwIBhjAQ
BgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQURVR4uCOsreQqjLsBQVK0nI6Bke4w
VQYDVR0gBE4wTDBKBgRVHSAAMEIwQAYIKwYBBQUHAgEWNGh0dHA6Ly93d3cubWlj
cm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bQAwEwYDVR0lBAww
CgYIKwYBBQUHAwEwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwDwYDVR0TAQH/
BAUwAwEB/zAfBgNVHSMEGDAWgBRD73CHuJ2/7IgZ3MbEa3UNdTQzCDB6BgNVHR8E
czBxMG+gbaBrhmlodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9N
aWNyb3NvZnQlMjBFQ0MlMjBQcm9kdWN0JTIwUm9vdCUyMENlcnRpZmljYXRlJTIw
QXV0aG9yaXR5JTIwMjAxOC5jcmwwgYcGCCsGAQUFBwEBBHsweTB3BggrBgEFBQcw
AoZraHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNyb3Nv
ZnQlMjBFQ0MlMjBQcm9kdWN0JTIwUm9vdCUyMENlcnRpZmljYXRlJTIwQXV0aG9y
aXR5JTIwMjAxOC5jcnQwCgYIKoZIzj0EAwMDZwAwZAIwGbO8ZwbR88S4RMjDqeR+
hG14h7sLuPMWicdmt6lPyx/q2CdJc4eXo39Aol7hR19eAjAIqH0bfMxzM8sxNI4M
W1oR30+Ncas1w44Wh9PoHf6+REAkEDuKjtpW9XqcBEmVh9I=
-----END CERTIFICATE-----
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Web Proxy Filtering and Caching (Moderator: fabian) »
  • Squid SSL Inspection and Windows Updates
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2