Diladele web security transparent ssl

krad
Newbie
Posts: 8
Registered: 03-09-2014

Hi, I'm trying to set up Diladele Web Security with SSL bump at home to give me control over what the kids watch. I have got HTTP working fine; however, I can't get HTTPS intercept working. I get lots of errors like the one below:

2014/12/13 17:09:44 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 33: error:14090086:SSL

Has anyone managed to get this working on Plusnet? I ask because one of the things that can break it is a transparent cache at the ISP. So before I bang my head against the wall too hard, it would be nice to know whether I stand a chance of getting it working or not.
7 REPLIES
Community Gaffer
Posts: 13,224
Thanks: 966
Fixes: 81
Registered: 04-04-2007

Re: Diladele web security transparent ssl

I can't vouch for whether it will or won't work, and I'm not really in a position to test it myself at the moment. What I do know, though, is that we have a Squid proxy on our network that's part of our IWF implementation.

Bob Pullen
Plusnet Product Team

Community Veteran
Posts: 5,472
Thanks: 292
Fixes: 4
Registered: 11-08-2007

Re: Diladele web security transparent ssl

I'm looking to implement the Diladele solution early next year; I'm just waiting for the imminent release of pfSense 2.2, which will use a version of Squid that is compatible with the SSL bump feature needed by the Diladele software. Yes, I could use the development version of Squid in pfSense 2.1.5, but I can wait for the proper release.
Have you configured your computer's network settings to offload SSL handling to the proxy, and installed the root certificates?
Having vaguely read the instructions, I'm not convinced that https will work the same as http through a transparent proxy without telling each computer that SSL is handled by the proxy instead of by the applications.
I've just noticed that there is a recently updated tutorial (I haven't read the updates yet), which you might find helpful - Filtering HTTPS Traffic with Squid on pfSense 2.1.5
I am not anticipating there being any problems over the Plusnet network, because https/SSL already works, and all this does is intercept the SSL endpoint so that the encrypted content can be analyzed and filtered accordingly by the Diladele software.
krad
Newbie
Posts: 8
Registered: 03-09-2014

Re: Diladele web security transparent ssl

Thanks for the replies. I'm pretty sure I have done the SSL bump correctly, but then it doesn't work, so maybe I haven't. Looking at the IWF stuff, I shouldn't be getting proxied unless it's a bad IP. I assume most aren't, so I think I need to play some more.
krad
Newbie
Posts: 8
Registered: 03-09-2014

Re: Diladele web security transparent ssl

Quote from: purleigh
I'm looking to implement the Diladele solution early next year; I'm just waiting for the imminent release of pfSense 2.2, which will use a version of Squid that is compatible with the SSL bump feature needed by the Diladele software. Yes, I could use the development version of Squid in pfSense 2.1.5, but I can wait for the proper release.
Have you configured your computer's network settings to offload SSL handling to the proxy, and installed the root certificates?
Having vaguely read the instructions, I'm not convinced that https will work the same as http through a transparent proxy without telling each computer that SSL is handled by the proxy instead of by the applications.
I've just noticed that there is a recently updated tutorial (I haven't read the updates yet), which you might find helpful - Filtering HTTPS Traffic with Squid on pfSense 2.1.5
I am not anticipating there being any problems over the Plusnet network, because https/SSL already works, and all this does is intercept the SSL endpoint so that the encrypted content can be analyzed and filtered accordingly by the Diladele software.


Cracked it, and it works. It turns out OpenSSL wasn't configured with any root SSL certs, even though I had the package ca_root_nss-3.17.3_1 installed, it seems. Basically that just installs a couple of files ripped from Mozilla but doesn't actually integrate them into OpenSSL.
A rather dirty hack fixed it, but it should still work going forward, in that I just rsynced the following paths from an up-to-date Ubuntu box:
/usr/share/ca-certificates/ to /usr/share/ca-certificates/
/etc/ssl/certs/ to /etc/ssl/certs/
Hopefully the added features of pfSense will handle this for you, but it may not.

Community Veteran
Posts: 5,472
Thanks: 292
Fixes: 4
Registered: 11-08-2007

Re: Diladele web security transparent ssl

I'm glad you got it working!
Thanks for the update.
krad
Newbie
Posts: 8
Registered: 03-09-2014

Re: Diladele web security transparent ssl

A tidier way to get the certs installed correctly:
#!/usr/local/bin/bash
# Split the Mozilla bundle shipped by ca_root_nss into one file per certificate
# and install each under its OpenSSL subject hash, which is how OpenSSL looks
# certificates up in /etc/ssl/certs (uses BSD split -p, so FreeBSD/pfSense only).
set -e
mkdir -p /tmp/.sslcrts
cd /tmp/.sslcrts
awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ { print $0 }' /usr/local/share/certs/ca-root-nss.crt |
split -p "BEGIN CERTIFICATE" - tmp.
for file in tmp.*
do
  # skip any chunk that holds no certificate (e.g. an empty leading split)
  grep -q "BEGIN CERTIFICATE" "$file" || continue
  # .0 is the first certificate with that hash; a second one with the same hash would need .1
  mv -vf "$file" "/etc/ssl/certs/$(openssl x509 -hash -noout -in "$file").0"
done
cd /
rm -fr /tmp/.sslcrts
Community Veteran
Posts: 5,472
Thanks: 292
Fixes: 4
Registered: 11-08-2007

Re: Diladele web security transparent ssl

What are your initial impressions of the Diladele software? Is it worth the effort of installing?