OPNsense

Author Topic: problem https transparent proxy when open facebook  (Read 2316 times)

rokoman

  • Newbie
problem https transparent proxy when open facebook
« on: May 15, 2018, 09:38:22 pm »
See attached error
Logged

kevin192291

  • Newbie
Re: problem https transparent proxy when open facebook
« Reply #1 on: July 23, 2018, 05:22:27 pm »
Hey Rokoman, I am trying to get an SSL proxy working too. I am not 100% sure, but I have come to believe that this is due to SSL pinning: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning. The reason I want an SSL proxy is so I can scan for viruses, and I would say that Facebook is safe. You can exclude it and it should work just fine. It is also recommended that you exclude any banking/known secure sites from SSL interception too.
Logged

franco

  • Administrator
  • Hero Member
Re: problem https transparent proxy when open facebook
« Reply #2 on: July 24, 2018, 08:13:10 am »
It looks like there is already a MITM going on on a Cisco device in front of the OPNsense. This shouldn't be Facebook's CA chain.


Cheers,
Franco
Logged

proofy

  • Newbie
Re: problem https transparent proxy when open facebook
« Reply #3 on: December 03, 2018, 11:47:29 am »
It's because of the new TLS 1.3. Facebook already uses this on the servers. Even if you don't change the encrypted content, the logging of the SNI information will probably change the header so that a TLS 1.3 capable browser (correctly) displays an error. Adding now all domains that use TLS 1.3 as an exception is not a practical way.
But I can't think of a simple solution either.
Logged

mimugmail

  • Hero Member
Re: problem https transparent proxy when open facebook
« Reply #4 on: December 03, 2018, 12:34:41 pm »
Force downgrade to 1.2 when possible ...
Logged
IRC: mimugmail
Twitter: mimu_muc
WWW: www.routerperformance.net

proofy

  • Newbie
Re: problem https transparent proxy when open facebook
« Reply #5 on: December 04, 2018, 03:11:10 pm »
How to force TLS 1.2 in squid 3.X?
Logged

fabian

  • Moderator
  • Hero Member
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: problem https transparent proxy when open facebook
« Reply #6 on: December 04, 2018, 05:44:12 pm »
Not needed; on OPNsense an older version of OpenSSL/LibreSSL is used, which has no TLS 1.3 support. Frank and I are already waiting for it because we need a newer version for our plugins (HAProxy and nginx).

In your case you should try to find out who is responsible for the man in the middle in your network, as it is the only issue.
TLS 1.3 is backward compatible with TLS 1.2 because some middleboxes would break otherwise, btw.
Logged

OPNsense is an OSS project © Deciso B.V. 2015 - 2021 All rights reserved