Project

General

Profile

Bug #6777

squid cant redirect ssl website correctly to squidguard error page in a denied category

Added by Albert Albert over 4 years ago. Updated over 4 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Squid
Target version:
-
Start date:
09/07/2016
Due date:
% Done:

0%

Estimated time:
Affected Version:
Affected Architecture:
amd64

Description

When you use "squid" with "squidguard" set in "NO" transparent mode, any category denied previously (squidguard) the browser shows an invalid cert for the domain "http", this happens always, if you ignore the warning, squid show an error


ERROR

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: https://http/*

Unable to determine IP address from host name http

The DNS server returned:

Name Error: The domain name does not exist.
This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.

But never shows the error page from squidguard, I tested many pages with the same result, the certificate issue only appears when the website is denied by a rule from squidguard when you inspect ssl.

I attached screenshots with the tests.

Package version:
pfsense 2.3.2-RELEASE (amd64)
squid 3.5.19_1
squidguard 1.4_15 

e1.png (160 KB) e1.png in a permitted category, squid shows the certificate correctly Albert Albert, 09/07/2016 06:58 PM
e3.png (79.4 KB) e3.png in a https website previously blocked by the squidguard rules, squid insert an invalid certificate for "http" website Albert Albert, 09/07/2016 06:58 PM
e4.png (50.6 KB) e4.png squid shows the issue with the certificate and the wrong url Albert Albert, 09/07/2016 06:58 PM
e2.png (88 KB) e2.png in a http website squid blocked correctly by the squidguard rules Albert Albert, 09/07/2016 06:58 PM
e5.png (445 KB) e5.png if you want to enter to any site that is permitted, the wrong certificate isn't shown Albert Albert, 09/07/2016 06:58 PM

History

#1 Updated by Albert Albert over 4 years ago

here is the same error reported in pfsense forum without a solution

https://forum.pfsense.org/index.php?topic=109358.0

#2 Updated by Luiz Fernando Cavalcanti over 4 years ago

NOT A BUG.

This is caused by a behavior on Browsers, check this link for more information about it: https://bugzilla.mozilla.org/show_bug.cgi?id=479880

Also explained on the Squid Wiki[[http://wiki.squid-cache.org/Features/CustomErrors?highlight=%28faqlisted.yes%29]]

Reading subsequent discussion on this standard doesn't seem that Browsers will change this because it open the attack vectors, allowing exploits for Phishing.

So, any page accessed using HTTPS that is blocked by Squid/SquidGuard will display the Browser's standard error message about Tunnel connection error.

#3 Updated by Jim Pingle over 4 years ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Package System to Squid
  • Status changed from New to Not a Bug
  • Affected Version deleted (2.3.2)

Also available in: Atom PDF