[pfSense] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread Roberto Carna
People, I've set up a transparent Squid proxy for WiFi clients. I'm
using SSL interception so I had to generate a CA private certificate
(generated from pfSense certificate manager tab).

But when I add this CA private certificate to several Android and
iPhone devices in order to proxify and filter SSL applications, some
of the Android devices don't work correctly: Facebook and Instagram
don't load the profiles and Mercadolibre doesn't open the menu. In the
other Android and iPhone devices, everything works OK.

Can this problem be related to the CA certificate (maybe I have to use
a given digest algorithm and key length) or is this an Android
intrinsic problem depending on the OS version?

Thanks a lot.

ROBERT
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] Bug found: Remote Logging Options and IPv6

2018-02-06 Thread Christoph Haas
Dear list,

I dare say that I have found a bug in version 2.4.2-RELEASE (amd64).

When setting up syslog forwarding in the "Remote Logging Options" I can
choose IPv6 as "IP Protocol", but when I save, the field switches back to
IPv4 and logging fails to the given IPv6 address.

Should I report that somewhere?

Kind regards
 Christoph



Re: [pfSense] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread Alex Threlfall
They may be hard coded to look at only their own CA to prevent MiM attacks,
or use their own certificate store (for a similar behaviour).

Alex.



Re: [pfSense] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread Roberto Carna
Dear Alex, so there is no solution to the given problem?

I am referring to installing a CA private certificate on mobile devices
and letting them navigate and use applications through a transparent
proxy without SSL errors...

Regards,

2018-02-06 11:35 GMT-03:00 Alex Threlfall :
> They may be hard coded to look at only their own CA to prevent MiM attacks,
> or use their own certificate store (for a similar behaviour).
>
> Alex.


Re: [pfSense] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread Paul Mather
On Feb 6, 2018, at 10:03 AM, Roberto Carna  wrote:

> Dear Alex, so there is no solution to the given problem?
>
> I am referring to installing a CA private certificate on mobile devices
> and letting them navigate and use applications through a transparent
> proxy without SSL errors...


It could be that the applications and devices you consider "don't work
correctly" are employing certificate and public key pinning (see, e.g.,
https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning and
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning). It is a technique
intended to defend against the very kind of certificate misuse in which you
appear to be engaged.

Cheers,

Paul.


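
The two explanations offered in this thread (an app that uses its own certificate store, and certificate/public key pinning) can be modelled in a few lines. This is an added example, not code from the thread or from pfSense or Squid; the certificate names, key bytes and the `validate` helper are constructed, and signature verification is not modelled.

```python
import base64
import hashlib
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str
    spki: bytes  # constructed stand-in for the DER SubjectPublicKeyInfo

def spki_pin(cert: Cert) -> str:
    """Base64(SHA-256(SPKI)), the form used for public key pins."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()

def validate(chain, anchors, pins=None) -> str:
    """Client decision model: chain must reach a trusted anchor, then match a pin."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return "broken chain"
    if chain[-1].subject not in anchors:
        return "untrusted issuer"
    # Pinning is checked in addition to normal trust, never instead of it.
    if pins is not None and not any(spki_pin(c) in pins for c in chain):
        return "pin mismatch"
    return "ok"

# Constructed sample data (hypothetical names, not real certificates).
PUBLIC_ROOT = Cert("Public Root CA", "Public Root CA", b"public-root-key")
ORIGIN_LEAF = Cert("app.example.test", "Public Root CA", b"origin-server-key")
PROXY_CA = Cert("Interception CA", "Interception CA", b"proxy-ca-key")
PROXY_LEAF = Cert("app.example.test", "Interception CA", b"proxy-minted-key")

DIRECT = [ORIGIN_LEAF, PUBLIC_ROOT]    # chain served by the real site
INTERCEPTED = [PROXY_LEAF, PROXY_CA]   # chain re-signed by the proxy

DEVICE_STORE = {"Public Root CA", "Interception CA"}  # user installed the proxy CA
APP_STORE = {"Public Root CA"}                        # app ships its own store
APP_PINS = {spki_pin(ORIGIN_LEAF)}                    # app pins the server key

def outcomes() -> dict:
    return {
        "browser, direct": validate(DIRECT, DEVICE_STORE),
        "browser, intercepted": validate(INTERCEPTED, DEVICE_STORE),
        "pinned app, direct": validate(DIRECT, DEVICE_STORE, APP_PINS),
        "pinned app, intercepted": validate(INTERCEPTED, DEVICE_STORE, APP_PINS),
        "own-store app, intercepted": validate(INTERCEPTED, APP_STORE),
    }

if __name__ == "__main__":
    for case, result in outcomes().items():
        print(f"{case:28} -> {result}")
```

Installing the interception CA on the device only changes the outcome for clients that consult the device store and carry no pins, which matches apps failing while others on the same device keep working.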


Re: [pfSense] Bug found: Remote Logging Options and IPv6

2018-02-06 Thread Steve Yates
There is a bug tracker at https://redmine.pfsense.org/projects/pfsense

--

Steve Yates
ITS, Inc.


Re: [pfSense] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread WebDawg
You may just want to switch to inspection.

On Tue, Feb 6, 2018 at 10:44 AM, Paul Mather  wrote:
> On Feb 6, 2018, at 10:03 AM, Roberto Carna  wrote:
>
>> Dear Alex, so there is no solution to the given problem?
>>
>> I am referring to installing a CA private certificate on mobile devices
>> and letting them navigate and use applications through a transparent
>> proxy without SSL errors...
>
>
> It could be that the applications and devices you consider "don't work
> correctly" are employing certificate and public key pinning (see, e.g.,
> https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning and
> https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning). It is a technique
> intended to defend against the very kind of certificate misuse in which you
> appear to be engaged.
>
> Cheers,
>
> Paul.