Smart speakers blocked by SSL filtering


Josh

Jan 11, 2021, 8:51:30 PM
to e2guardian
e2guardian 5.3.4

I have SSL filtering enabled with transparent proxy and direct connect.
I have seen https sites filtered and occasionally Content Lists will be filtered as well.
I have both sslmitm and automitm enabled in my group (I only have one for now) and no other group options enabled.
Group type is set to normal.
So I assume that I have SSL filtering set up properly.

But smart speakers are blocked from internet access. If I turn off SSL filtering, then they have internet.

When I have real time logging working (for some reason it stopped working) and SSL filtering turned on, I don't see any websites blocked when I try to get the smart speakers to connect to their servers.
I have also looked at the log files and nothing that the smart speakers use appears to be blocked.

So I assume it has something to do with the CA certificate.

I have cleared the CA cache, I have created new certificates, I have tried to add the servers to the allowed list and also to the proxy bypass list, but nothing seems to work.

Any ideas on how to fix this, or at least diagnose this issue?

Josh


Klaus Gundermann

Jan 12, 2021, 6:09:16 AM
to e2guardian
Hi Josh,

Yes, you are on the right track. For SSL Filter (MITM) you create a CA certificate in e2guardian for encrypting the network traffic.
You have to add this CA certificate in the smart speaker, so that the smart speaker trusts e2guardian.
If you can't add the certificate -> you cannot have SSL filter for the speaker.

You may either add the servers' DNS names to nomitmsitelist / IPs to nomitmsiteiplist
or add a second group for the speaker(s) where MITM is not enabled (sslmitm = off)


@Philip: is there any function to exclude CLIENTS from MITM?

Greetings
Klaus
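
The trust problem described in the reply above, reproduced offline as an added example (not part of the thread and not e2guardian's own code). A constructed CA stands in for the filter's MITM CA, `openssl verify` plays the device's fixed trust store, and every name and subject is made up.

```shell
#!/bin/sh
# Constructed demo: subjects, hostnames and file names are illustrative only.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# A self-signed CA. "filterca" stands in for the CA the filter generates;
# "vendorca" stands in for a root the device ships with.
make_ca() {  # $1 = file prefix, $2 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# A leaf for a site, signed by the given CA, the way an intercepting
# proxy issues a substitute certificate for the real server.
make_leaf() {  # $1 = signing CA prefix, $2 = hostname
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$work/leaf.csr" -days 1 \
        -CA "$work/$1.pem" -CAkey "$work/$1.key" -CAcreateserial \
        -out "$work/leaf.pem" 2>/dev/null
}

# What the client does on connect: validate the presented chain against
# the roots it trusts. Chain validation only; hostname is not checked.
client_accepts() {  # $1 = prefix of the CA the client trusts
    if openssl verify -CAfile "$work/$1.pem" "$work/leaf.pem" >/dev/null 2>&1
    then echo accept
    else echo reject
    fi
}

make_ca filterca "Constructed Filter CA"
make_ca vendorca "Constructed Vendor Root"
make_leaf filterca speaker-api.example

# Device with only its vendor root: handshake fails before any HTTP
# request exists, so the filter has no URL to log as blocked.
echo "device trusting vendor root only: $(client_accepts vendorca)"
# Device (or PC) where the filter CA was imported: interception works.
echo "client with filter CA imported:   $(client_accepts filterca)"
```

Against a live setup, the same check is to look at the issuer of the certificate the device's servers appear to present from the filtered network: if it is the filter's CA and the device cannot import that CA, the connection has to be kept out of MITM.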

Philip Pearce

Jan 12, 2021, 7:26:27 AM
to Klaus Gundermann, e2guardian
> @Philip: is there any function to exclude CLIENTS from MITM?

@Klaus, not at the moment - it could be done fairly easily (via storyboard changes).

The other thing would be to try using the exceptioniplist to allow all access from the speakers. This would not then need another group.

Philip
