Blocked HTTPS error page

NethServer Version: 7
Module: webproxy web filter

For blocked HTTPS, the error page is a "certificate invalid" error. Is there any way to change it to the blocked message shown for blocked HTTP traffic?

The certificate is valid but the browser can display it as invalid because it is redirected from another site.

Example:

There is no solution for it.

1 Like

What about creating a dynamic (fake) certificate for the site that should be redirected? This method is used by the “old” transparent squid with ssl bump.

You will still have the same issue if the client doesn’t have the fake CA certificate installed.

Thus, the actual implementation has this issue only for certain sites (IIRC it is something related to HSTS).

2 Likes
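The ssl-bump approach proposed above, written out as an added example (not NethServer's shipped configuration, and not code from anyone in this thread): squid peeks at the SNI of each intercepted TLS connection, bumps only the blacklisted names with a certificate generated on the fly for the name the client asked for, and splices everything else untouched. Squid 4 directive names are used; the 3.5 equivalents are noted in comments. The CA path, helper path, DB path, blacklist file and the `localnet` range are assumptions.

```squid
# Added example: transparent HTTPS with dynamic certificate generation.
# Not NethServer's configuration; paths and networks are assumptions.

# Plain HTTP interception port (unchanged).
http_port 3128 intercept

# Intercepted HTTPS. The CA below signs the generated leaf certificates.
# Clients MUST trust this CA, otherwise they still get a certificate error
# (and on HSTS sites they cannot even click through to the block page).
# Squid 3.5 spells these options cert= / key= instead of tls-cert= / tls-key=.
https_port 3129 intercept ssl-bump \
    tls-cert=/etc/squid/ssl/proxy-ca.pem \
    tls-key=/etc/squid/ssl/proxy-ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=16MB

# Certificate generator helper (Squid 3.5: ssl_crtd, same arguments).
# Initialise the DB once, as the squid user:
#   security_file_certgen -c -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB

# Same domain list used twice: once on the TLS layer (SNI) to decide whether
# to bump, once on the HTTP layer to actually deny the request.
acl blocked_sni ssl::server_name "/etc/squid/blocked_domains.txt"
acl blocked_dst dstdomain       "/etc/squid/blocked_domains.txt"
acl localnet    src 192.0.2.0/24

# Step 1: read the ClientHello (SNI) without touching the connection.
acl step1 at_step SslBump1
ssl_bump peek step1
# Step 2: bump only blacklisted names. The client receives a CA-signed
# certificate for the hostname it requested, so the certificate checks pass
# and the following HTTP request can be answered with the normal deny page.
ssl_bump bump blocked_sni
# Everything else is tunnelled as-is: no decryption, no generated certificate.
ssl_bump splice all

http_access deny  blocked_dst
http_access allow localnet
http_access deny  all
```

Trade-off worth knowing: replacing `ssl_bump bump blocked_sni` with `ssl_bump terminate blocked_sni` drops the connection instead of answering it, which avoids both the certificate warning and the need to distribute a CA, but the user then sees a generic connection failure rather than the block page. To see what a client is actually being handed for a blocked name, run from a client behind the proxy `openssl s_client -connect blocked.example:443 -servername blocked.example </dev/null | openssl x509 -noout -subject -issuer -ext subjectAltName` and compare the issuer with the proxy CA.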

Hi Giacomo,
thanks for your answer

I think the client expects a certificate from the site you want to open, for example GMX. The GMX certificate is on an online certificate server, so your browser knows this certificate. Does the browser notice the difference between the fake and the original?

Why does it work with full decryption with ssl-bump?

I'm planning to make some tests with transparent proxy and HTTPS (and WCCP2)… this problem is still present, right?
What if I use an internal server with a valid cert as the redirect page (I need it to customize the error page)? If I understand correctly I will always have the cert error, right?

Thanks

I can answer yes to both questions, but I never encountered such a problem after months of transparent SSL proxy with blocking filter :wink:

An enigmatic answer :thinking: :relaxed:
I have tried to set up the proxy and yes, I have the cert error on HSTS sites (like Facebook) but also on other HTTPS sites like ryanair.com (I must accept the cert and continue to see the block page) or other sites inserted in the blacklist.
Everything is working as expected with HTTP, so I don't think it's a problem with WCCP2, which seems to work (at least at L2; then I will test with the GRE config).
From what I understand this problem should always be present, so the question is: why don't you have such a problem? :grin:

Probably because we have very little blocked sites, like advertising and maybe p2p.

Sometimes I see the red page inside some sites where advertising banners are blocked.

Does NethServer use “Dynamic SSL Certificate Generation”?
In other distributions (using squid), I saw that there are no certificate errors on the blocked pages.
For example, Sophos UTM Home.
Also, another squid user got the same error on the block page.
Updating to squid version 3.5.27 helped.

Continuing the post…
This error is reported here; it was resolved in squid versions 4.0.20 and 3.5.26.
NethServer uses an older version, 3.5.10.

No, current configuration doesn’t use it.

Yes, we stick with upstream releases.

I tried updating:

```
[root@proxy ~]# yum --enablerepo=nethserver-testing update squid
Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile
 * ce-base: mirror.vorboss.net
[…]
 * nethforge: server.liftingtrade.hu
 * nethserver-base: server.liftingtrade.hu
 * nethserver-updates: server.liftingtrade.hu
nethserver-testing/7/x86_64/signature |  836 B  00:00:00
nethserver-testing/7/x86_64/signature | 2.9 kB  00:00:00 !!!
No packages marked for update
```

But there are no other versions of squid in the test repository.
You write:

Does this mean that I can't solve the problem (with certificate errors on the block page), even if I update squid from other repositories?

You probably need to rebuild a newer version of squid or apply the patch to the Red Hat package.
Maybe Red Hat will fix the squid packages; try to notify them by opening a bug (https://bugzilla.redhat.com/).

Ask me if you need help (I could be slow to answer during the holidays).

1 Like