WebProxy with Signed Certificates

[lomax0990]

Is there any documentation on running the Webproxy with signed certificates?  I don't want to install a certificate on every machine. 

It's not clear to me since my only option is to use a CA.  I would have assumed I could just install a certificate that's signed and is already in the client trust chain.  But i'm not a certificate expert.

So I was just wondering if there were any videos or documentation on how to do it?  The only thing I could seem to find was doing an internal CA.

[Maurice]

If this would be possible, you could inspect and modify encrypted traffic coming from any machine without ever touching that machine. That's exactly what TLS is supposed to prevent.

The proxy needs valid certificates for every website your machines visit. So it needs its own CA certificate to issue these certificates. All of your machines have to trust this CA. You could use the certificate of a trusted public CA, but they won't give you the matching private key. Even if you ask very nicely.

Cheers
Maurice

[Patrick M. Hausen]

@Maurice have you tried asking Honest Ahmed? 

[Maurice]

@Patrick Yes, he actually offered me a free private key to his root CA if I buy a used car from him. But I don't need a car right now, so... meh.  ¯\_(ツ)_/¯

[cookiemonster]

I wish I understood this one and knew who he is or is the reference. Funny none the less though.

[Maurice]

https://bugzilla.mozilla.org/show_bug.cgi?id=647959

[cookiemonster]

thanks @Maurice. Sorry OP for polluting. Over now.

[lomax0990]

If this would be possible, you could inspect and modify encrypted traffic coming from any machine without ever touching that machine. That's exactly what TLS is supposed to prevent.

The proxy needs valid certificates for every website your machines visit. So it needs its own CA certificate to issue these certificates. All of your machines have to trust this CA. You could use the certificate of a trusted public CA, but they won't give you the matching private key. Even if you ask very nicely.

Yeah,exactly.  It's a proxy server.  So if you don't break and inspect SSL, how is it supposed to categorize websites or any other function of a proxy?  It's a fairly common practice these days since everything is TLS based.  But I don't want to install a certificate on every machine.  I want to install a certificate that would already be trusted by the clients are part of installed root CA's on the major browsers.  But it seems that Opnsense wants me to use it as it's own CA, which would still require me to install a certificate on every machine.

[Maurice]

Breaking and inspecting TLS is what the proxy is supposed to do, correct. But this requires every machine which uses the proxy to explicitly agree with this. You do this by installing a custom CA certificate on the proxy and on each machine. If breaking TLS would be possible without installing a custom certificate, TLS would be completely pointless. Everyone could just break TLS everwhere.

This is not specific to OPNsense, this is just how TLS proxies (and TLS in general) work.

[Patrick M. Hausen]

Yeah,exactly.  It's a proxy server.  So if you don't break and inspect SSL, how is it supposed to categorize websites or any other function of a proxy?  It's a fairly common practice these days since everything is TLS based.  But I don't want to install a certificate on every machine.  I want to install a certificate that would already be trusted by the clients are part of installed root CA's on the major browsers.

That's not possible. The "certificate that would already be trusted" would need to cover all host names on the Internet.

If you used a trusted certificate and client would want to call e.g. google.com - there would be a host name mismatch and the browser would complain.

So what happens is that you create a CA for your proxy and install that on each client as trustworthy. Client wants to go to google.com, OPNsense creates a certificate for google.com on the fly signed by that CA. Client wants to go to opnsense.org, OPNsense creates a certificate for opnsense.org on the fly. And so on ...

[lomax0990]

Breaking and inspecting TLS is what the proxy is supposed to do, correct. But this requires every machine which uses the proxy to explicitly agree with this. You do this by installing a custom CA certificate on the proxy and on each machine. If breaking TLS would be possible without installing a custom certificate, TLS would be completely pointless. Everyone could just break TLS everwhere.

This is not specific to OPNsense, this is just how TLS proxies (and TLS in general) work.

Yes I get all that.  But I would just think it would be possible for me to purchase an SSL certificate for my domain (ex. opnsenseproxy.testdomain.com) and install it on the proxy.  Then the clients would already have a chain of trust because I purchased it from a reputable CA.  For example, Entrust.  Which would prevent me from having to install/manage certificates on every machine.  Because the browser has root certs installed for Entrust and the proxy is using an Entrust certificate.

It just feels like there has to be a better way than installing certificates on every machine.

[Maurice]

Installing a custom CA certificate on every machine is the only way, really. This is the essence of how every TLS proxy works.

Of course you can buy a certificate for opnsenseproxy.testdomain.com, but that's only valid for this domain. If you only want to use the proxy for accessing your own website(s), that would work. But if you want to access any other site, let's say google.com, your proxy needs a certificate for google.com. Which no-one will sell you, so the proxy has to issue the certificate itself. Which is why it needs a CA certificate. And no-one will sell you a CA certificate which can be used for issuing random certificates. So you have to create your own CA certificate. Which your machines won't trust unless you tell them to do so (by installing it).

[Patrick M. Hausen]

Yes I get all that.  But I would just think it would be possible for me to purchase an SSL certificate for my domain (ex. opnsenseproxy.testdomain.com) and install it on the proxy.  Then the clients would already have a chain of trust because I purchased it from a reputable CA.

The client wants to connect to google.com and gets presented a certificate with CN=opnsenseproxy.testdomain.com - won't accept.

The client needs to be presented a trusted certificate matching each of the host names it wants to connect to. These are generated on the fly by your trusted CA.

EDIT ... unless of course ... you use explicit proxy configuration on each client. The general approach today is a transparent proxy, so we took that as a given. What's your approach?

[lomax0990]

The general approach today is a transparent proxy, so we took that as a given. What's your approach?

The approach is a transparent proxy.

The client needs to be presented a trusted certificate matching each of the host names it wants to connect to. These are generated on the fly by your trusted CA.

Ok thanks.  I guess I just didn't understand how it worked.  I thought as long as the browser trusted the certificate on the proxy that it would work.  Because with a self-signed CA cert the browser is presented the certificate for the self-signed cert, and not the certificate of the destination domain.  The concept of the CA generating the destination domain on the fly is new to me. 

[Maurice]

I thought as long as the browser trusted the certificate on the proxy that it would work.

You're not wrong. As long as the browser trusts the certificate on the proxy, it works.

But this can't be just any certificate, it needs to be a signing certificate, typically an intermediate certificate. And you can't purchase this type of certificate. If a CA would sell such certificates, they would get banned by all the browser vendors immediately.

So you have to create your own signing certificate. Which no browser will trust by default.