Netgate m1n1wall

Author Topic: Dansguardian package for 2.0  (Read 109106 times)

0 Members and 1 Guest are viewing this topic.

Offline Cino

  • Hero Member
  • *****
  • Posts: 1051
    • View Profile
Re: Dansguardian package for 2.0
« Reply #105 on: February 23, 2012, 05:46:49 am »
Cino,

If you apply dansguardian config after reboot it fixes the permission?


It has not in the past.. I'll test again but I had to reboot my box yesterday... then i disabled the ssl man-in-middle(would be a apply to dansguardian) and had to manually set the permissions

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 9962
    • View Profile
Re: Dansguardian package for 2.0
« Reply #106 on: February 23, 2012, 06:57:00 am »
Ok, I'll check it and socket file location

Offline dig1234

  • Jr. Member
  • **
  • Posts: 52
    • View Profile
Re: Dansguardian package for 2.0
« Reply #107 on: March 09, 2012, 12:54:02 pm »
still have a lot more testing with SSL man-in-middle but when I try to access https sites, i'm getting the danguardian denied page "Certificate supplied by server was not valid"

still have to check logs and read the docs from danguardian site on this feature.

I am at the same point with ssl mitm. I found in the dansguardianf1.conf file there are two options:
one for mitm (sslmitm = on) and one for cert checking (sslcertcheck = off), however even with cert checking off, I'm still getting that message:
"Certificate supplied by server was not valid"
So either that option is not sticking or I'm missing something. I had a thought of actually feeding the cert checking function with all the trusted root certs from a popular browser. According to dansguardian.conf they should be placed in '/etc/ssl/certs/' though I'm not sure what format or exactly how to batch export them all... Thoughts?

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 9962
    • View Profile
Re: Dansguardian package for 2.0
« Reply #108 on: March 09, 2012, 12:56:34 pm »
I am at the same point with ssl mitm. I found in the dansguardianf1.conf file there are two options:
one for mitm (sslmitm = on) and one for cert checking (sslcertcheck = off), however even with cert checking off, I'm still getting that message:
"Certificate supplied by server was not valid"

Are you sure you deselected sslmint option(CTRL+CLICK)?
Every time I test dansguardian package, I can enable and disable this option via gui.

Offline dig1234

  • Jr. Member
  • **
  • Posts: 52
    • View Profile
Re: Dansguardian package for 2.0
« Reply #109 on: March 09, 2012, 01:24:43 pm »
I am at the same point with ssl mitm. I found in the dansguardianf1.conf file there are two options:
one for mitm (sslmitm = on) and one for cert checking (sslcertcheck = off), however even with cert checking off, I'm still getting that message:
"Certificate supplied by server was not valid"

Are you sure you deselected sslmint option(CTRL+CLICK)?
Every time I test dansguardian package, I can enable and disable this option via gui.
Yes toggling mitm works. Its the cert checking that won't disable. Even through the conf file.

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 9962
    • View Profile
Re: Dansguardian package for 2.0
« Reply #110 on: March 09, 2012, 04:03:36 pm »
Can you check on dansguardianfx.conf if this option is set on on all groups you have?

At my setup it changes from on/off without issues.

Offline dig1234

  • Jr. Member
  • **
  • Posts: 52
    • View Profile
Re: Dansguardian package for 2.0
« Reply #111 on: March 09, 2012, 04:15:36 pm »
I should have been more clear, it toggles on and off in the conf file without issue. But once I enable mitm it apparently automatically enables cert checking Even though the conf file still says certcheck=off. I'm assuming this is the reason we are getting that invalid server cert error.
Maybe dansguardian has a built in dependency when you enable mitm you get cert checking. This makes sense because the user/browser can no longer check the authenticity of the original cert since we are only presenting him with a forged cert. The solution would be (as I see it) to fill the /etc/ssl/certs/ with a repository of the valid Root CAs on the internet and let the cert checking do its job.. That should clear the error.
Can you check on dansguardianfx.conf if this option is set on on all groups you have?

At my setup it changes from on/off without issues.

Offline dig1234

  • Jr. Member
  • **
  • Posts: 52
    • View Profile
Re: Dansguardian package for 2.0
« Reply #112 on: March 11, 2012, 08:28:11 pm »
Ok this appears to have worked. I no longer get the "Certificate supplied by server was not valid". However I now get a 404. It appears to be trying to use some sort of redirecting cgi that we don't have in the package yet?
Now when trying to go to https://mail.google.com it redirects to a url: http://PFSENSE_ip/modules/guardian/cgi-bin/mitm.cgi?https://mail.google.com/mail/?tab=wm which triggers a 404.
Bottom line I think I'm one step closer to working mitm...

Here's what I did (maybe someone can suggest a cleaner route, I'm pretty new to this..)
-Ran a live ubuntu iso in virtualbox
-Grabbed the folder /etc/ssl/certs (which is a bunch of symlinks to the mozilla folder)
-Grabbed the folder /usr/share/ca-certificates/mozilla
-dumped them in same locations on pfsense
-violla certs now pass dansguardian inspection

Next step find the missing cgi and drop in www path?




Offline marcelloc

  • Hero Member
  • *****
  • Posts: 9962
    • View Profile
Re: Dansguardian package for 2.0
« Reply #113 on: March 11, 2012, 09:45:28 pm »
It steps on mitm cert verify and on ssl filter?

If so, this is really a GOOD news!  :D

Offline dig1234

  • Jr. Member
  • **
  • Posts: 52
    • View Profile
Re: Dansguardian package for 2.0
« Reply #114 on: March 11, 2012, 10:07:06 pm »
Yes with mitm ON and cert check ON! Try it you'll get a 404 now..
If there's a way to post the tar's of the cert folders, I would but I'm not sure if that's allowed?

It steps on mitm cert verify and on ssl filter?

If so, this is really a GOOD news!  :D

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 9962
    • View Profile
Re: Dansguardian package for 2.0
« Reply #115 on: March 11, 2012, 10:11:58 pm »
Send a link to me on private Message.

If it is the same certs Every browser has to check sites, I think there is no problem.

EDIT

Are these the certs you did install?

http://www.FreeBSD.org/cgi/ports.cgi?query=Cert&stype=all&sektion=security

Port description for security/ca_root_nss

Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.

This port directly tracks the version of NSS in the security/nss port.


Can you try to install this package and see if you get the same result?

amd64
http://e-sac.siteseguro.ws/packages/amd64/8/All/ca_root_nss-3.13.2.tbz

i386
http://e-sac.siteseguro.ws/packages/8/All/ca_root_nss-3.13.2.tbz

This package install /usr/local/share/certs/ca-root-nss.crt and a symlink to /etc/ssl/cert.pem
« Last Edit: March 11, 2012, 11:44:31 pm by marcelloc »

Offline dig1234

  • Jr. Member
  • **
  • Posts: 52
    • View Profile
Re: Dansguardian package for 2.0
« Reply #116 on: March 11, 2012, 11:45:37 pm »
Sent. That looks cool, if that could be incorporated into the package along with the missing cgi we may be in business.

Send a link to me on private Message.

If it is the same certs Every browser has to check sites, I think there is no problem.

EDIT

Are these the certs you did install?

http://www.FreeBSD.org/cgi/ports.cgi?query=Cert&stype=all&sektion=security

Port description for security/ca_root_nss

Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.

This port directly tracks the version of NSS in the security/nss port.


Can you try to install this package and see if you get the same result?

amd64
http://e-sac.siteseguro.ws/packages/amd64/8/All/ca_root_nss-3.13.2.tbz

i386
http://e-sac.siteseguro.ws/packages/8/All/ca_root_nss-3.13.2.tbz

This package install /usr/local/share/certs/ca-root-nss.crt and a symlink to /etc/ssl/cert.pem

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 9962
    • View Profile
Re: Dansguardian package for 2.0
« Reply #117 on: March 12, 2012, 12:22:27 am »
The certs looks the same on both.

On freebsd/pfsense the package installs a unique file with all certs with info and on your tar It's a file for each ca.

I'm getting the same result here. with or without cert check enabled I can see all ssl sites not in blacklist.

But when I enable ssl mitm log show all ssl as

*DENIED* Certificate supplied by server was not valid: unable to get local issuer certificate CONNECT 0 0 SSL Site 1 200 -  Default

Tried to copy pfsense created ca to /etc/ssl/certs/ with no success.

If you can test this, edit /usr/local/pkg/dansguardian.conf.template file to fix sslcertificatepath from pfsense ca-root package
#SSL certificate checking path
#Path to CA certificates used to validate the certificates of https sites.
sslcertificatepath = '/etc/ssl/certs/'


After this file edit, apply conf on dansguardian gui.

att,
Marcello Coutinho

Offline dig1234

  • Jr. Member
  • **
  • Posts: 52
    • View Profile
Re: Dansguardian package for 2.0
« Reply #118 on: March 12, 2012, 12:01:22 pm »
You also need to have symlinks to each of the pem files. The name of symlink will be the computed hash of the cert. Without the properly named symlinks, dansguardian will not see the pem files.
See this site for a script to create a correct symlink: http://wiki.openwrt.org/doc/howto/wget-ssl-certs

Or if you use the tars I sent they already have all the symlinks setup just do tar -xzf for both folders.



The certs looks the same on both.

On freebsd/pfsense the package installs a unique file with all certs with info and on your tar It's a file for each ca.

I'm getting the same result here. with or without cert check enabled I can see all ssl sites not in blacklist.

But when I enable ssl mitm log show all ssl as

*DENIED* Certificate supplied by server was not valid: unable to get local issuer certificate CONNECT 0 0 SSL Site 1 200 -  Default

Tried to copy pfsense created ca to /etc/ssl/certs/ with no success.

If you can test this, edit /usr/local/pkg/dansguardian.conf.template file to fix sslcertificatepath from pfsense ca-root package
#SSL certificate checking path
#Path to CA certificates used to validate the certificates of https sites.
sslcertificatepath = '/etc/ssl/certs/'


After this file edit, apply conf on dansguardian gui.

att,
Marcello Coutinho
« Last Edit: March 12, 2012, 12:05:07 pm by dig1234 »

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 9962
    • View Profile
Re: Dansguardian package for 2.0
« Reply #119 on: March 12, 2012, 01:45:17 pm »
No luck.  :(

using tar or using ca-root package and linking pfsense ca created I always get the same error.

using only cert check, all https that is not on blacklists goes with no erros
using ssl mitm every https that is not on whitelist fails with

The only thing that changed is that the error now says:
*DENIED* Failed to negotiate ssl connection to client CONNECT 0 0 SSL Site 1 200

I did removed all certs, including ca-root package and folders.

I'll keep trying to identify how to reach each error.