Next 5.0 Build (SSL Server Test)

The https://www.diladele.com/download_next_version.html page has a new build of Web Safety 5.0.
We have added the SSL Server Test tool, which lets the admin see the certificates that a remote web site did not present during HTTPS connections.

It is now easier to fix the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY errors in Squid.

The FreeBSD 10 (pfSense) build is also working. Please test if you have time and interest.

Posted in Linux

How to fix X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY Squid error

HTTPS filtering is a must for any network admin these days, and if you implement HTTPS filtering using SSL Bumped Squid you have surely seen the famous (and not especially clearly formulated) X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.

The main reason for this error is very simple: one or more of the certificates presented by the remote HTTPS site you are browsing are not present in the certificate store on the host your Squid proxy runs on. Because Squid cannot complete the chain to a trusted root, it cannot generate the mimicked SSL certificate required to perform HTTPS filtering.

Continue reading at https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html

Posted in Linux

Using Subordinate CA for HTTPS Decryption in Active Directory Integrated Squid

In order to use a Subordinate CA for HTTPS filtering on a Squid proxy (SSL Bump) you need to migrate your PKI infrastructure to the SHA256 algorithm. This must be done because of SHA1 sunsetting in all major browsers, as explained in https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html. Failure to do so will result in a "Your connection is not secure" message after you enable HTTPS decryption. The following articles may prove to be helpful:

Step 1. Generate CSR on Squid

Log in to your proxy box (using ssh or console) and run the following commands. These generate the CSR that will later be signed by your Enterprise CA. Adjust the -subj fields as needed.

openssl genrsa -out subca.key 4096 
openssl req -new -key subca.key -out subca.csr -subj "/C=NL/ST=Noord-Holland/O=Example Ltd./OU=IT/CN=proxy.example.lan/emailAddress=support@example.lan"

Step 2. Sign CSR by Enterprise CA

Copy subca.csr to some folder on the server that has the Active Directory Certificate Services role installed (your Enterprise CA), open a command prompt, change to that folder and run the following command.

certreq.exe -submit -attrib "CertificateTemplate:SubCA" subca.csr

This command will show a series of windows that you need to click through according to the following screenshots.

[Screenshots: eca_step1, eca_step2, eca_step3, eca_step4]

Step 3. Install Subordinate CA on Squid

Now copy the subca.cer certificate to your proxy box. Run the following command to concatenate subca.key and subca.cer into a single subca.pem file.

cat subca.key subca.cer > subca.pem

Upload the subca.pem to Web Safety / Squid Proxy / HTTPS / Upload New Certificate as shown on the following screenshots.

[Screenshots: upload_1, upload_2]

Click Save and Restart and navigate to some HTTPS site, for example https://www.google.com, on an Active Directory joined machine where NO PROXY ROOT CA CERTIFICATES were installed previously. The following screenshots show that HTTPS decryption now works correctly in Internet Explorer and Chrome.

[Screenshots: chrome_secure2, ie_secure1]

NOTE: This will not work for Firefox, as it uses its own certificate store. You need to manually install the Enterprise Root CA into that store too.
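The following script is an added example and is not code from the original posts, from Web Safety, or from Squid. It serves two passages at once: the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY explanation above (a leaf certificate cannot be chained when the site omits its intermediate and that intermediate is not in the proxy's local store) and the Subordinate CA procedure (a quick sanity check on the subca.pem bundle before uploading it). It assumes the openssl command-line tool is on PATH; it builds a throwaway root CA in a temporary directory to stand in for the Enterprise CA, and every name (Test Root CA, proxy.example.test, www.example.test) is constructed. Squid's chain building is approximated here with openssl verify, whose "unable to get local issuer certificate" is the same condition.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a constructed three-tier
# PKI (root -> subordinate CA -> server leaf) in a temp dir and shows:
#   (a) the "unable to get local issuer certificate" condition and its fix
#       (install the intermediate in the local trust store);
#   (b) sanity checks on a subca.pem key+cert bundle before uploading it.
set -e
WORK=$(mktemp -d)
cd "$WORK"

make_chain() {
    # Test root CA (req -x509 marks it CA:TRUE); stands in for the Enterprise CA.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -keyout root.key -out root.crt \
        -subj "/CN=Test Root CA" -days 2 2>/dev/null
    # Subordinate CA key and CSR, as Step 1 does; signed by the test root.
    openssl req -new -newkey rsa:2048 -nodes -keyout subca.key -out subca.csr \
        -subj "/CN=proxy.example.test" 2>/dev/null
    # The SubCA template's essential property is basicConstraints CA:TRUE.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -sha256 -in subca.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -out subca.cer -days 1 -extfile ca.ext 2>/dev/null
    cat subca.key subca.cer > subca.pem      # the Step 3 bundle
    # A server leaf issued by the subordinate CA (plays the remote HTTPS site).
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -sha256 -in leaf.csr -CA subca.cer -CAkey subca.key -CAcreateserial \
        -out leaf.crt -days 1 2>/dev/null
}

# Verify leaf.crt against a local trust store ($1), optionally with an
# intermediate the "site" presented in the handshake ($2). Echoes ok or fail.
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1 && echo ok || echo fail
    fi
}

# Checks a key+cert bundle: CA flag present, SHA-256 signature, key matches
# the certificate. Echoes "ok" or a space-separated list of problems.
check_subca_bundle() {
    problems=""
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || problems="${problems}${problems:+ }not-a-ca"
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Signature Algorithm: sha256' \
        || problems="${problems}${problems:+ }not-sha256"
    certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] \
        || problems="${problems}${problems:+ }key-mismatch"
    [ -z "$problems" ] && echo ok || echo "$problems"
}

make_chain
echo "root only in local store:      $(verify_leaf root.crt)"
openssl verify -CAfile root.crt leaf.crt 2>&1 | sed 's/^/  openssl says: /' || true
cat root.crt subca.cer > store.pem           # the fix: install the intermediate
echo "root+intermediate in store:    $(verify_leaf store.pem)"
echo "site presents intermediate:    $(verify_leaf root.crt subca.cer)"
echo "subca.pem bundle check:        $(check_subca_bundle subca.pem)"
```

The first verify fails because the only trusted certificate is the root and nothing links the leaf to it; adding subca.cer to the store (the equivalent of installing the missing issuer on the Squid host) lets the chain complete, as does a site that sends its intermediate. The bundle check catches the two most common mistakes with subca.pem: a certificate issued from a non-CA template (no CA:TRUE) and a certificate pasted next to the wrong private key.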

Posted in Linux