Squid blocking self-signed webinterface certificate?

Started by netranger, March 09, 2018, 02:18:01 PM

March 09, 2018, 02:18:01 PM Last Edit: March 18, 2018, 06:02:22 PM by netranger
Hello,

I don't know when this started, but my webproxy setup somehow blocks access to the firewall webinterface:

Failed to establish a secure connection to 192.168....

The system returned:

(92) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
Self-signed SSL Certificate in chain: /C=CH/ST=Zuri/L=Zuri/O=Fulltier Gmbh/emailAddress=fulltier@localhost.local/CN=FulltierInternalCA

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is fulltier@localhost.local.


So yes, the certificate of the webinterface is self-signed by the internal CA of course. But this used to be no problem.
When I access the webinterface directly (without proxy) I have no issues, so I assume this has something to do with squid.

Setup:
- 18.1.3/18.1.4
- Webproxy local cache is disabled.
- Webinterface IP is in Proxy "SSL no bump sites"

Steps taken:
- Upgrade to 18.1.4
- Restart webproxy
- disable and re-enable SSL-Inspection

I even deleted the mentioned server certificate and created a new one under the same CA. Now when I try to access, I still see the old certificate which was deleted. Is this old certificate cached somewhere in squid?
Public HTTPS sites work fine.

PS: when I access with the proxy disabled, I see the new certificate...

Regards and good weekend

Could you please move my thread to the "Web Proxy Filtering" chapter if it is placed wrong here.

Shouldn't an entry in the "SSL no bump site" be enough in order to not get any warnings about self-signed certificates? :o

Squid blocks the connection because it does not trust the certificate. This is a problem with the server certificate or the local trust store (can be fixed at both places).

Okay so this means I can either place a valid server certificate for all admin-webinterfaces in my LAN (which I don't really want as there are quite a few) or I can make squid trust these certificates. How can I do the latter?

You must add the signing CA to the local trust store.

You mean "local" to the client? Yes, that's already the case; public HTTPS sites are intercepted just fine.

I only have this problem with admin-webpages in the LAN (also for the router interface as I just found out).

With local I mean the OpenSSL trust store on OPNsense, which is used by squid.

openssl s_client -connect routerIP:443

output:
....
Verify return code: 18 (self signed certificate)
....


According to this source I tried the following: https://www.madboa.com/geek/openssl/#verify-system

mkdir /etc/ssl/certs
cd /usr/local/share/certs/
openssl s_client -showcerts -connect routerIP:443 < /dev/null | openssl x509 -outform PEM > router.pem
openssl x509 -noout -hash -in router.pem


output:
12345678 (8-digit hash of the cert)

ln -s /usr/local/share/certs/router.pem /etc/ssl/certs/12345678.0
openssl s_client -connect routerIP:443


output:
...
Verify return code: 0 (ok)
...


So my understanding is that now openssl trusts my router-certificate but when I try via proxy, I still cannot connect and get the same original error in the browser. Any hints? ::)