OpnSense 8.1.4. - TransparentProxy and SELF-SIGNED certs on Internet web pages

[kojo1984]

Hi to all!

I have OpnSense 8.1.4. installed and working as TransparentProxy.

Everything works fine, except some web sites that are using self signed certificates.

I've put CA certs of those sites into "System: Trust: Authorities" on OpnSense and PC clients. Also added URLs of those web sites into " SSL no bump sites", but no good.

The error I get is:

[kojo1984]

I have upgraded to OPNsense 18.1.5-amd64 from OPNsense 18.1.4-amd64.

Maybe it has nothing to do with it, but I'm getting new error.

Is there a way to stop checking remote peer certificates? This is really causing me problems ...

See picture attached.

P.S. I added entry ".electrovoice.com" in NO SSL BUMP sites.

[kojo1984]

The web site I'm trying to access from the last error is missing an intermediate CA certificate ...

Is there any way to overcome this Squid checking and to avoid it?

[fabian]

Not via the GUI and I don't recommend doing that anywhere else.

[kojo1984]

Hi Fabian,

thank you for replying.

This is a show-stopper for me, there's a lot of web sites that have various types of problems, like this one and there's no way to overcome it ...

Tried to do it manually, but the slightest change overwrites manual entries.

I really hope that there will be GUI option that can be checked, so this kind of sites can be accessed.

[fabian]

as a temporary workaround, you can add it to a template - this will get lost at the next software update but you can at least change some settings in the GUI. Please note that this is only a workaround for broken servers. It is the job ob the sysadmins to fix it.

Maybe you can contact the admin and tell him/her to fix the server.

[kojo1984]

Thank you for the template heads-up, haven't thought of that.

I did notified 2 web admins, let's wait and see what happens.

[kojo1984]

Just want to post how I fixed it manually, because there's no settings in GUI panel.
I have changed Squid template file, so changes are kept, at least until next upgrade.(tnx fabian on the template idea  )

Backup before changing anything.

Edit

Code: [Select]

/usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf
Find a line

Code: [Select]

sslproxy_cert_error deny all, reconfigure it with

Code: [Select]

sslproxy_cert_error allow all
After this, restart the appliance, users should get only certificate warning.

Repeat after upgrade.

[fabian]

Edit

Code: [Select]

/usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf
Find a line

Code: [Select]

sslproxy_cert_error deny all, reconfigure it with

Code: [Select]

sslproxy_cert_error allow all
After this, restart the appliance, users should get only certificate warning.

Repeat after upgrade.

And you will get a fully broken TLS implementation (easy to MITM invisibly to the user).

[kojo1984]

And you will get a fully broken TLS implementation (easy to MITM invisibly to the user).

Unfortunately, true, but I can't force security over business demands, because it stops business in this case.

I can't fix "legit" servers all over the Internet that are misconfigured, where some of them have only certificates issued by their own CAs that are not trusted by OpnSense (or Squid).

I have other layers of security that are in force, this is serving me only for web trafic filtering, so it is acceptable for me.

[Alphakilo]

Unfortunately, true, but I can't force security over business demands, because it stops business in this case.
[...]
I have other layers of security that are in force, this is serving me only for web trafic filtering, so it is acceptable for me.

What's the business demand here? Getting pwned?
I suspect you're the sysadmin. So here's a word of unsolicited advise:

If your boss comes to you and asks you to implement shit like this, you tell her / him (in writing, i.e. email) what's it going to cause.
In this case: whatever security that may come from PKI being nullified. The TLS / SSL clients (browsers, email clients, updates, ...) will now happily accept anything *any* adversary will throw at them. There is no reliable "layer of security" that covers this. This is why TLS / SSL faults hurt that much.

Only after the boss fully acknowledges that and asks you continue (in writing) you do that.
Print the full conversation (including headers) and take it somewhere safe (i.e. home).

This is known in the industry as "cover your ass". For the setting you implemented you *need* to do that.
Godspeed.

Oh and if your intent is to only do filtering (no caching, no ICAP) please check if the forward proxy setting "Log SNI information only" without any other modification isn't exactly what you need.

[Mks]

Hi,

not directly topic related, but I fully agree with Alphakilo.

The whole security community puts a lot of effort in hardening the TLS stacks on server as well as on client side (Browser), and you deactivate all this (in your environment) with one line.

As Alphakilo said, "Cover your as", everything else is grossly negligent.

br

[fabian]

"grossly negligent" will probably also the answer of your insurance company in case something bad will happen to your company.

[kojo1984]

I agree with all of you, in all aspects, in every way.

Let me fill you with few details on this, for better understanding.

It's not my company, I'm working as a freelancer on a project.

This "issue" occurred one month ago and I went as far as creating them a presentations where all was explained in detail.

Despite having full support from theirs CTO and CISO, management decided to do this in a way it's done, me risking that someone else is going to finish the job. (also rejected a CTO's proposal to deploy separate VLAN and isolated, kiosk like, PC in every department, so it can serve this purpose of an unfiltered access).

As a freelancer, I found myself in a deadlock where client wants me to do something that's against best practice or I should end up with bad score and not getting paid ...

I have it in written form, they explicitly accepted the risk, so I won't fight the windmills.

At the end, I'm delivering my report, that will definitely include everything relevant



I really appreciate all your advices and efforts.



P.S. I got a response from one web admin, they have told me they won't chage this, since they have their own PKI infrastructure. It is mandatory that employees of the company can access that web site.

[fabian]

Sure but you can also only whitelist broken servers to the rest is correctly validated.