Page 1 of 2 (results 1 to 10 of 11)
  1. #1
    Untangle Ninja (Join Date: Jan 2011; Posts: 1,186)

    can't display block page for SSL sites without SSL Inspector "Inspect All"

    Do I understand correctly that the only way to display (without an SSL error) a Web Filter block page for an https: site is to have SSL Inspector configured and set to "Inspect All traffic"?

    But "Inspect All" causes problems and is not recommended?

    Is there no way to have SSL Inspector jump in and generate a certificate for the purpose of displaying the Web Filter block page?

  2. #2
    sky-knight, Untangle Ninja (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 23,680)

    The generated certificate is only used when the SSL Inspector activates on a session. So if the session isn't inspected, it's just run through Web Filter via its tools and a block page is generated. But yes, because of SSL, you get an error.

    The only way around that error would be to configure Untangle's default web certificate to be authoritative for every single website in the world, which opens far more holes than it closes. Which is why I don't use SSL inspector ever... and yes everyone deals with SSL errors. My users are largely trained to think if they see an SSL error, they shouldn't be there. Which is imperfect, but preferable to the alternatives I've found thus far.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Ninja (Join Date: Jan 2011; Posts: 1,186)

    OK, just wanted to make sure there wasn't something I was missing. This stuff all worked better before everything went SSL.

  4. #4
    Untangle Ninja (Join Date: Jan 2011; Posts: 1,186)

    This does seem to be a place where Untangle could improve fairly easily - have Web Filter and Captive Portal call SSL Inspector to generate a valid certificate when an SSL session needs to be re-directed to a block or capture page.

    Then as long as you've imported the Untangle root cert on the workstations, everything works great... and if you haven't, you probably don't have SSL Inspector turned on anyway (and in any case it would be no worse than the current situation).
    Last edited by johnsonx42; 11-28-2018 at 11:39 AM.

  5. #5
    sky-knight, Untangle Ninja (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 23,680)

    That would complicate the concept of inspected traffic...

    There are two modules in play here, Web Filter, and SSL Inspector. To use the root certificate, SSL Inspector must be engaged. Webfilter has nothing to do with anything.

    So what you're proposing is Webfilter being able to arbitrarily override your SSL Inspector settings to not inspect. That could lead to some ugly unexpected behavior.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Untangle Ninja (Join Date: Jan 2011; Posts: 1,186)

    Quote originally posted by sky-knight:
        So what you're proposing is Webfilter being able to arbitrarily override your SSL Inspector settings to not inspect. That could lead to some ugly unexpected behavior.
    But it's only going to generate a certificate and inspect a session that Web Filter has already decided to block. It doesn't even really have to inspect anything... I'm just talking about leveraging SSL Inspector's ability to generate certificates on the fly.

  7. #7
    sky-knight, Untangle Ninja (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 23,680)

    Quote originally posted by johnsonx42:
        But it's only going to generate a certificate and inspect a session that Web Filter has already decided to block. It doesn't even really have to inspect anything... I'm just talking about leveraging SSL Inspector's ability to generate certificates on the fly.
    Honestly I'm still trying to figure out how all that works, because in my mind the root certificate on an SSL Inspector enabled station should just be the certificate used by the SSL engine in Apache all the time. But certificates also make my head hurt, there's probably some ugly reason why that's not the case currently.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Untangle Ninja (Join Date: Jan 2011; Posts: 1,186)

    Quote originally posted by sky-knight:
        Honestly I'm still trying to figure out how all that works, because in my mind the root certificate on an SSL Inspector enabled station should just be the certificate used by the SSL engine in Apache all the time. But certificates also make my head hurt, there's probably some ugly reason why that's not the case currently.
    It's the re-direct that trips things up - you call for https://www.internetdomain.com and Untangle wants to jump in and display its block page from firewall.mydomain.com - currently it gives a perfectly valid certificate for https://firewall.mydomain.com and the browser says "no way - I'm talking to www.internetdomain.com so I'm displaying an error".

    So to accomplish the initial re-direct, Untangle has to feed it a valid SSL certificate for www.internetdomain.com, which it can do because it's a CA with a root certificate installed on the computer, then do the re-direct masquerading as the real site. This is what SSL Inspector does already for sites it's inspecting, in order to decrypt and re-encrypt the data, and this is why block pages (and captive portal pages) work when SSL Inspector is inspecting everything.

    I'm saying then, let's have SSL Inspector do the same thing on behalf of Web Filter and Captive Portal - make SSL Certs so they can do their re-directs without generating SSL errors.
    Last edited by johnsonx42; 11-30-2018 at 11:15 AM.
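An added example, not code from the thread or from Untangle, that reproduces the three outcomes johnsonx42 describes with Go's standard crypto/x509 verifier standing in for the browser: a throwaway root CA in place of the Untangle root, the box's own certificate for firewall.mydomain.com, and a certificate minted on the fly for www.internetdomain.com. The host names come from the post; the CA name, key type and validity window are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint issues a constructed test certificate for name: a self-signed CA when parent is nil (standing in
// for the Untangle root), otherwise a leaf signed by parent, which is what SSL Inspector does on the fly.
func mint(name string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: parent == nil,
	}
	signer, signerKey := tmpl, key // self-signed root unless a parent CA is given
	if parent != nil {             // leaf: browsers match the typed host against the SAN, not the CN
		tmpl.DNSNames, tmpl.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		signer, signerKey = parent, pkey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// browserCheck mimics the browser: the cert must chain to an installed root AND be valid for the host
// the user typed. trustedRoot == nil models a workstation where the Untangle root was never imported.
func browserCheck(cert *x509.Certificate, requested string, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool() // empty pool, not the system store: only our constructed root is trusted
	if trustedRoot != nil { roots.AddCert(trustedRoot) }
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: requested})
	return err
}

func main() {
	root, rootKey := mint("Untangle Root CA", nil, nil)
	fw, _ := mint("firewall.mydomain.com", root, rootKey)    // the box's own web certificate
	site, _ := mint("www.internetdomain.com", root, rootKey) // minted on the fly for the blocked site
	fmt.Println(browserCheck(fw, "www.internetdomain.com", root))   // x509: certificate is valid for firewall.mydomain.com, not www.internetdomain.com
	fmt.Println(browserCheck(site, "www.internetdomain.com", root)) // <nil>: the block page loads without an error
	fmt.Println(browserCheck(site, "www.internetdomain.com", nil))  // x509: certificate signed by unknown authority
}
```

The first case fails on the host name alone even though its issuer is trusted, which is exactly the error users see today; the third shows why the proposal only helps on workstations that already have the root imported.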

  9. #9
    sky-knight, Untangle Ninja (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 23,680)

    I'm pretty sure that if SSL Inspector could pull that off, we'd not have to configure it to do anything. You'd just install it and let it go.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #10
    Untangle Ninja (Join Date: Jan 2011; Posts: 1,186)

    Quote originally posted by sky-knight:
        I'm pretty sure that if SSL Inspector could pull that off, we'd not have to configure it to do anything. You'd just install it and let it go.
    Well, Untangle's programmers would have to make it do it. It's half-way there - it works for sites SSL Inspector is already intercepting... they just need to add hooks to let Web Filter call SSL Inspector when it's going to block an SSL site.
