OPNsense Forum » Archive » 18.1 Legacy Series
Author Topic: [SOLVED] SSL certificate and Suricata rules (Read 2623 times)

bmail
[SOLVED] SSL certificate and Suricata rules
« on: May 22, 2018, 01:29:59 pm »
Hello,

I think I need help to understand how OPNsense is processing...

I use Squid with HTTPS inspection, so I created a self-signed authority inside OPNsense (called internal-ca).
When a user visits an HTTPS web page, every site shows a certificate provided by my organisation, with, of course, a unique SHA1 fingerprint. I think this is normal. But ...
I try to block some sites using "user defined rules" with Suricata. I give the fingerprint of the website I want to block, but no success ... the website isn't blocked by Suricata.

Suricata works on the WAN interface only. If it works on WAN + LAN interfaces, there is no more access to the OPNsense GUI because of this rule:

   SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt
   Alert sid 31484

Is there a way to use the drop action based on the SSL fingerprint if we want to use SSL inspection with Squid?

Thanks a lot for any advice.
Bertrand
« Last Edit: May 22, 2018, 07:12:52 pm by bmail »

bmail
Re: SSL certificate and Suricata rules
« Reply #1 on: May 22, 2018, 07:12:16 pm »
Found!

OK, how can I be so stupid?
Just add the web site to the "SSL no bump sites", so the real certificate is transmitted and can be dropped by Suricata.

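The thread's fix in working form: write the Suricata drop rule against the site's certificate fingerprint, and see why it only fires once the site is excluded from Squid's SSL bump. This is an added example, not code from the thread or from OPNsense. The rule syntax is Suricata's `tls.fingerprint` keyword (SHA1 of the server certificate, colon-separated lowercase hex); the certificate byte strings, the site name `blocked.example`, the sid and the function names are constructed for the example.

```python
import hashlib
import re

# Suricata's tls.fingerprint keyword compares against the SHA1 digest of the
# server certificate, written as 20 colon-separated lowercase hex bytes.
FINGERPRINT_RE = re.compile(r"^(?:[0-9a-f]{2}:){19}[0-9a-f]{2}$")


def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA1 fingerprint of a DER-encoded certificate in Suricata's aa:bb:cc form.

    `openssl x509 -fingerprint -sha1` prints the same digest in uppercase;
    Suricata expects lowercase, so this normalises it.
    """
    digest = hashlib.sha1(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def drop_rule(fingerprint: str, site: str, sid: int) -> str:
    """Render a user-defined Suricata drop rule keyed on a certificate fingerprint."""
    if not FINGERPRINT_RE.match(fingerprint):
        raise ValueError("fingerprint must be 20 colon-separated lowercase hex bytes")
    if sid < 1000000:
        # Convention: sids from 1000000 upwards are reserved for local rules.
        raise ValueError("local rules should use sid >= 1000000")
    return (
        f'drop tls any any -> any any (msg:"Block {site} by certificate fingerprint"; '
        f'tls.fingerprint:"{fingerprint}"; sid:{sid}; rev:1;)'
    )


def rule_matches(rule: str, presented_cert_der: bytes) -> bool:
    """The comparison Suricata makes: does the certificate actually presented on
    the monitored interface carry the fingerprint named in the rule?"""
    match = re.search(r'tls\.fingerprint:"([^"]+)"', rule)
    if match is None:
        raise ValueError("rule has no tls.fingerprint option")
    return sha1_fingerprint(presented_cert_der) == match.group(1)


# Constructed placeholders standing in for DER-encoded certificates. Any bytes
# hash the same way, so the comparison logic is identical for real DER input.
REAL_SITE_CERT = b"constructed: certificate issued to blocked.example by its public CA"
BUMPED_SITE_CERT = b"constructed: certificate minted for blocked.example by internal-ca"

# The rule is written against the fingerprint of the site's real certificate,
# which is the value an admin would take from the site, not from the proxy.
RULE = drop_rule(sha1_fingerprint(REAL_SITE_CERT), "blocked.example", 1000001)


def outcome_by_bump_mode() -> dict:
    """Which certificate Suricata gets to compare depends on whether Squid bumps
    the site: bumped traffic carries the internal-ca substitute (a different
    fingerprint), while a site on the no-bump list passes the real certificate."""
    return {
        "bumped": rule_matches(RULE, BUMPED_SITE_CERT),
        "no_bump": rule_matches(RULE, REAL_SITE_CERT),
    }


if __name__ == "__main__":
    print(RULE)
    print(outcome_by_bump_mode())
```

Running it prints the rule line, which is what goes into the user-defined rules, and a dict showing the rule matching only in the no-bump case: every bumped site carries a certificate re-signed by internal-ca, so a rule written against the real site's fingerprint never sees that value until the site is excluded from bumping.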