I have an issue with setting up a transparent Squid proxy on a pfSense firewall. I created a CA for HTTPS MITM, installed it in my browser and it works with most websites.
However, sites like ubuntuusers.de that use a Let's Encrypt certificate seem to cause problems. The strange thing is that it seems to be correct: its CN is the domain and their CA is correctly Let's Encrypt Authority X3.
However, as soon as the Squid proxy intercepts the certificate and MITMs it to its own CA, the CN of the certificate becomes the IP number of ubuntuusers.de, and thus the browsers, both Chrome and Firefox, reject it since CN and domain don't fit (net::ERR_CERT_COMMON_NAME_INVALID).
This only happens on this site, so it has something to do with this certificate. I am not experienced enough with certificates to understand why this is happening.
...
Common Name (CN) 213.95.41.4
Organization (O) <Not Part Of Certificate>
Organizational Unit (OU) <Not Part Of Certificate>
Serial Number 7C...
Issued By
Common Name (CN) myown-ca
...
Maybe someone can explain this behaviour to me?