Disabling MITM Check Cert is not working


Renato C. Pacheco

Oct 1, 2020, 3:14:27 PM
to e2guardian
Hi! I've just started my tests with the last stable version (5.3.4) in a small LAN at my work. It works fine, MITM enabled etc., but e2g was blocking websites with self-signed certificates. Ok, I put one of them for testing at nocheckcertsitelist (fazenda.gov.br) and my mitmcheckcert is on. After restart, e2g is still blocking websites from fazenda.gov.br domain. What am I missing here? The behavior doesn't change when I put mitmcheckcert off either.
--
Renato Carneiro Pacheco
Security Analyst
http://www.facebook.com/renatocarneirop

"Don't believe what I say, for it is my experience and not yours. Experiment, question and seek." - Osho Rajneesh

Renato C. Pacheco

Oct 5, 2020, 1:11:29 PM
to e2guardian
Hello?

Renato C. Pacheco

Oct 6, 2020, 10:55:36 AM
to e2guardian
One more piece of information: the failed connections (I guess) are related to Proxy Authentication Error. Is that right? If somebody could help me...

Philip Pearce

Oct 13, 2020, 4:21:41 AM
to Renato C. Pacheco, e2guardian
What mode are you using e2g in? With back-end squid? Without? Explicit proxy? Transparent proxy? ICAP?

You mention Proxy Authentication Error - what auth plugins do you have enabled?

Are you using the distributed common.story, preauth.story?

Regards
Philip


--
E2guardian:
https://groups.google.com/d/forum/e2guardian
Github:
https://github.com/e2guardian/e2guardian
Follow us on twitter:
https://twitter.com/e2guardian

Renato C. Pacheco

Oct 13, 2020, 7:42:57 AM
to e2guardian
Hey Philip!

>What mode are you using e2g?
Authenticated mode
>with back-end squid?
Yes!
>Explicit proxy?
Yes. I'm delivering the configs via WPAD.
>Transparent proxy?  ICAP?
None of them are enabled.
>You mention Proxy Authentication Error - what auth plugins do you have enabled?
I'm using NTLM auth
>Are you using the distributed common.story, preauth.story?
Yes, without modification.

Philip Pearce

Oct 13, 2020, 9:41:46 AM
to Renato C. Pacheco, e2guardian
Can you post the line in access.log when this happens?


Renato C. Pacheco

Oct 20, 2020, 7:03:18 AM
to e2guardian
Any thoughts?


On Tue, Oct 13, 2020 at 1:17 PM Renato C. Pacheco <renato....@gmail.com> wrote:
For sure!

Oct 13 13:08:50 machine e2guardian[625]: 1602605330.002     47 10.10.20.36 TCP_DENIED/403 0 GET http://teams.microsoft.com - DEFAULT_PARENT/127.0.0.1 -
Oct 13 13:08:50 machine squid[612]: 1602605330.003     47 10.10.20.36 TCP_MISS/301 417 GET http://teams.microsoft.com/ - HIER_DIRECT/52.113.195.132 -

My e2guardian log uses squid format. I've made both of them available.

Philip Pearce

Oct 20, 2020, 9:26:11 AM
to Renato C. Pacheco, e2guardian
Hi,

The pure squid format log does not seem to provide any e2g general block info (just 403). Can you try on a test system using log format 6 or 8? The log should then give the information you need to diagnose this issue.



Regards

Philip


Renato C. Pacheco

Oct 23, 2020, 3:48:21 PM
to e2guardian
Philip,

Dansguardian (1) Log Format:

Oct 20 11:37:00 machine e2guardian[6621]: 2020.10.20 11:37:00 - 10.1.20.36 https://teams.microsoft.com:443 *DENIED* Proxy authentication error CONNECT 0 0 - 1 403 - 10.1.20.36 Todos - - - - -
Oct 20 11:37:00 machinne squid[612]: 1603204620.256     46 10.1.20.36 TCP_TUNNEL/200 39 CONNECT teams.microsoft.com:443 - HIER_DIRECT/52.113.195.132 -

Protex (6) Log Format:

Oct 20 11:34:19 machine e2guardian[6085]: 1603204459.263#011#011-#01110.1.20.36#01110.1.20.36#011http://teams.microsoft.com#011GET#011403#0110#011-#011-#011-#01146#011-#011110#011*DENIED* Proxy authentication error#0110#011-#011Todos#0111
Oct 20 11:34:19 machine squid[612]: 1603204459.266     48 10.1.20.36 TCP_MISS/301 417 GET http://teams.microsoft.com/ - HIER_DIRECT/52.113.195.132 -
Oct 20 11:34:19 machine e2guardian[6085]: 1603204459.394#011#011-#01110.1.20.36#01110.1.20.36#011http://teams.microsoft.com/template_files/roboto-v15-latin_latin-ext-regular.woff2#011GET#011403#0110#011-#011-#011-#01128#011-#011110#011*DENIED* Proxy authentication error#0110#011-#011Todos#0111

In the version that I'm testing (last stable - 5.3.4), there's no number 8 log format...

Philip Pearce

Oct 26, 2020, 5:26:56 AM
to Renato C. Pacheco, e2guardian
Renato,

The issue here is with authentication, not with certificate checking. (If authentication with squid fails, no connection is made to the target server, so it never gets as far as checking the cert.)

Regards
Philip
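Philip's point above (an authentication denial never reaches certificate checking) can be checked directly against the log lines Renato posted. As an added example that is not part of this thread or of e2guardian itself, the Python below decodes both quoted formats, the Dansguardian (1) one and the Protex (6) one in which syslog writes each tab as `#011`, and buckets every `*DENIED*` reason as auth, cert or other. The field positions for format 6 are inferred from the quoted lines, and the sample lines (including the cert-related one) are constructed here, not taken from e2guardian documentation.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in the thread; the last line
# is a made-up cert-related denial whose wording is illustrative, not e2guardian's.
SAMPLE_LOG = """\
Oct 20 11:37:00 machine e2guardian[6621]: 2020.10.20 11:37:00 - 10.1.20.36 https://teams.microsoft.com:443 *DENIED* Proxy authentication error CONNECT 0 0 - 1 403 - 10.1.20.36 Todos - - - - -
Oct 20 11:34:19 machine e2guardian[6085]: 1603204459.263#011#011-#01110.1.20.36#01110.1.20.36#011http://teams.microsoft.com#011GET#011403#0110#011-#011-#011-#01146#011-#011110#011*DENIED* Proxy authentication error#0110#011-#011Todos#0111
Oct 20 11:34:19 machine squid[612]: 1603204459.266     48 10.1.20.36 TCP_MISS/301 417 GET http://teams.microsoft.com/ - HIER_DIRECT/52.113.195.132 -
Oct 20 11:40:02 machine e2guardian[6085]: 1603204802.101#011#011jdoe#01110.1.20.40#01110.1.20.40#011https://intranet.example:443#011CONNECT#011403#0110#011-#011-#011-#01112#011-#011110#011*DENIED* Server certificate check failed#0110#011-#011Todos#0111
"""

# Syslog prefix as forwarded by the thread's hosts; only e2guardian lines are kept.
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ e2guardian\[\d+\]: (.*)$")
# Dansguardian (1) format: the reason sits between "*DENIED*" and the HTTP method.
DG_REASON_RE = re.compile(r"\*DENIED\* (.*?) (?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|PATCH) ")

def classify(reason):
    """Bucket a denial reason: an auth failure happens before any cert check."""
    r = reason.lower()
    if "authentication" in r:
        return "auth"
    if "cert" in r:
        return "cert"
    return "other"

def parse_line(line):
    """Return a record for an e2guardian *DENIED* line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m or "*DENIED*" not in m.group(1):
        return None
    body = m.group(1)
    if "#011" in body:  # Protex (6): tab-separated, tabs escaped by syslog as #011
        f = body.split("#011")
        # Field positions inferred from the quoted lines (assumption, not documented).
        rec = {"format": "protex", "client": f[3], "url": f[5], "method": f[6],
               "status": f[7], "group": f[18],
               "reason": f[15].replace("*DENIED* ", "", 1)}
    else:  # Dansguardian (1): space-separated, the reason itself may contain spaces
        t = body.split()
        rec = {"format": "dansguardian", "client": t[3], "url": t[4],
               "reason": DG_REASON_RE.search(body).group(1)}
    rec["category"] = classify(rec["reason"])
    return rec

def triage(log_text):
    """Parse every denial in the text and count denials per category."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return records, Counter(r["category"] for r in records)
```

Run `triage(SAMPLE_LOG)` on a real log export: a count dominated by `auth` points at the proxy authentication chain rather than at mitmcheckcert or nocheckcertsitelist.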



Renato C. Pacheco

Nov 9, 2020, 9:36:28 AM
to e2guardian
Philip,

Sorry for the delay. I decided to disable e2guardian and enable only squid to test auth_param. To my surprise, I had no problem with NTLM authentication and could access any HTTPS site. So I can exclude squid from the problems, do you agree? What's the next step? How do I enable debug mode in e2guardian to mitigate this issue?

Thanks,

Renato C. Pacheco

Nov 9, 2020, 10:24:34 AM
to e2guardian
Ok, I got it. Here are the logs:


Thanks,

Renato C. Pacheco

Nov 16, 2020, 3:23:09 PM
to e2guardian
By digging further, I was able to work around this issue by putting squid in front of e2guardian. It authenticates users first and then forwards to e2guardian via the cache_peer parameter. I would like to thank Fabricio Guzzy for sharing his squid configuration file (https://groups.google.com/g/e2guardian/c/wjUELl5Dql0) and Bruno Guimaraes for helping me out with the tests.
