Bug #6740
closed
https filtering with squid + squidguard error (ssl bump)
0%
Description
When configuring the https filtering some (possibly all) https sites error out. (Man in the middle certificate authority is used). See error below.
Here is a detailed thread discussing the issue (without any real acknowledgement of the bug): [[http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-bump-and-url-rewrite-program-like-squidguard-td4674336.html#a4674575]]
I have communicated with the original poster on that thread and he continues to have the issue and he put me in touch with another person using pfsense having the same issue. However, that person rolled back to 2.2.6 and the issue went away.
Hopefully this is enough information to warrant a bug entry here.
---
The following error was encountered while trying to retrieve the URL: https://http/*
Unable to determine IP address from host name http
The DNS server returned:
Name Error: The domain name does not exist.
This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.
Updated by C Wood over 7 years ago
C Wood wrote:
When configuring the https filtering some (possibly all) https sites error out. (Man in the middle certificate authority is used). See error below.
Here is a detailed thread discussing the issue (without any real acknowledgement of the bug): [[http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-bump-and-url-rewrite-program-like-squidguard-td4674336.html#a4674575]]
I have communicated with the original poster on that thread and he continues to have the issue and he put me in touch with another person using pfsense having the same issue. However, that person rolled back to 2.2.6 and the issue went away.
Hopefully this is enough information to warrant a bug entry here.
---
The following error was encountered while trying to retrieve the URL: https://http/*Unable to determine IP address from host name http
The DNS server returned:
Name Error: The domain name does not exist.
This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.
Update: The fellow (Jorge) that rolled back to pfsense 2.2 to get around the error also manually then updated squid to 3.5.3 and the error came back. It may be this is a bug in the squid software and not a pfsense bug directly, though it effects all trying to use it.
Updated by Jim Pingle over 7 years ago
- Status changed from New to Not a Bug
This needs to stay on the forum until a specific bug can be identified. We don't encourage or support the use of HTTPS interception, so a community member will have to investigate and submit a fix once the underlying problem is identified. Assuming it's a widespread issue.
Updated by C Wood over 7 years ago
Jim Pingle wrote:
This needs to stay on the forum until a specific bug can be identified. We don't encourage or support the use of HTTPS interception, so a community member will have to investigate and submit a fix once the underlying problem is identified. Assuming it's a widespread issue.
So this database is only for bugs that official pfsense people work on and not for bugs in features developed by community contributors (even if those features are mainstream in pfsense and documented)?
Updated by Jim Pingle over 7 years ago
It is for both but there is no specific bug on this ticket yet, only symptoms.
Updated by C Wood over 7 years ago
Jim Pingle wrote:
It is for both but there is no specific bug on this ticket yet, only symptoms.
I guess your definition of a bug is different than mine. :) You want to know what exactly is broken (half way to a fix) before acknowledging the bug.
Updated by C Wood over 7 years ago
C Wood wrote:
Jim Pingle wrote:
It is for both but there is no specific bug on this ticket yet, only symptoms.
I guess your definition of a bug is different than mine. :) You want to know what exactly is broken (half way to a fix) before acknowledging the bug.
I should note that I bought the dedicate pfsense appliance (sold by pfsense) specifically with the goal of filtering https for elementary school kids.
Updated by C Wood over 7 years ago
Looks like Diladele filter also has a problem with pfsense/squid combo.
[[https://groups.google.com/forum/#!topic/quintolabs-content-security-for-squid-proxy/K01rfyvnq8k]]