SSL MITM error "SSL Interception failed Certificate supplied by server was not valid"


RaNd SuRealIsteZ

Jan 16, 2015, 9:25:18 AM
to e2gua...@googlegroups.com
I compiled the latest dev (3.3.0) and I get "SSL Interception failed Certificate supplied by server was not valid"

Where should I focus to resolve this? And who is the "server", the proxy or the website I try to visit?


Generating serial no for youtube.com
Serial no is 14DD5266C70789BDC806364DF4586335
looking for cert /usr/local/etc/dansguardian/ssl/generatedcerts//14/DD/52/66C70789BDC806364DF4586335
Certificate not found. Creating one
certificate create
0x6a9e850
49494 -Going SSL on the peer connection
49494 -Going SSL on connection to proxy
49494 -Checking certificate
49494 -checking SSL certificate is valid
49494 -SSL Interception failed Certificate supplied by server was not valid
49494 -Not looking for log-only category; current cat string is: SSL Site (8)
49494 -Building raw log data string... 49494 -...built
uds connect
:/tmp/.dguardianipc
49494 -reporting level is 3
49494 -Enabling filter bypass hash generation
ssl stopping
this is a client connection
calling ssl shutdown
received a log request
done



FredB

Jan 16, 2015, 9:38:33 AM
to e2gua...@googlegroups.com
Just a comment: 3.3.0 is a dev version

RaNd SuRealIsteZ

Jan 16, 2015, 10:02:33 AM
to e2gua...@googlegroups.com
In logs:
https://youtube.com:443 *MISSING TRANSLATION KEY* Certificate supplied by server was not valid: unable to get local issuer certificate CONNECT 0 0 SSL Site 30 200

num...@free.fr

Jan 16, 2015, 10:18:28 AM
to e2gua...@googlegroups.com

RaNd SuRealIsteZ

Jan 16, 2015, 10:52:40 AM
to e2gua...@googlegroups.com
Yes, I have followed it to the letter, but still get the same issue.

Philip

Jan 16, 2015, 11:05:20 AM
to e2gua...@googlegroups.com


On Friday, January 16, 2015 at 2:25:18 PM UTC, RaNd SuRealIsteZ wrote:
> I compiled the latest dev (3.3.0) and I get "SSL Interception failed Certificate supplied by server was not valid"
>
> Where should I focus to resolve this? And who is the "server", the proxy or the website I try to visit?

The server is the website you are trying to visit. The error can also occur in v3.1.1 when OpenSSL certificate checking fails due to being unable to load the certificate library.

You should not be getting this error with v3.1.2, as the server certificate checking has been disabled due to it not working on all platforms.

The next release will have this function re-instated.

Can you confirm the version you are using is the latest development version v3.1.2?

Regards
Philip Pearce


RaNd SuRealIsteZ

Jan 16, 2015, 11:18:20 AM
to e2gua...@googlegroups.com
Linux  2.6.32-431.5.1.el6.x86_64
Red Hat Enterprise Linux Server release 6.6

e2guardian 3.3.0
Built with:  '--with-filedescriptors=1024' '--with-proxygroup=dansguardian' '--with-proxyuser=dansguardian' '--enable-email' '--enable-sslmitm' '--enable-orig-ip'

(pulled earlier from git)

Also, in the group I'm testing I have

sslcertcheck = 'off'
sslmitm = 'on'

num...@free.fr

Jan 16, 2015, 11:18:36 AM
to e2gua...@googlegroups.com
Hi,

No Philip, dev branch: https://github.com/e2guardian/e2guardian/issues/50
Maybe there is a new bug?

num...@free.fr

Jan 16, 2015, 11:27:13 AM
to e2gua...@googlegroups.com
Can you re-try with 3.1.2, with --enable-sslmitm and your latest conf files?
The bug "Couldn't open ca certificate" concerns 3.1.2 without sslmitm.

RaNd SuRealIsteZ

Jan 16, 2015, 11:40:43 AM
to e2gua...@googlegroups.com
3.1.2 worked with --enable-sslmitm, the latest dev does not.

Before 3.1.2 I used to add the options by hand in dgconfig.h and src/Makefile for MITM, so I didn't read the 3.1.2 version's configure options.

BTW, I have created a script to use the DGBYPASS script, but it doesn't seem to work over SSL. Any suggestions?

RaNd SuRealIsteZ

Jan 16, 2015, 11:41:41 AM
to e2gua...@googlegroups.com
A note: I also see a lot of https://ssl.google-analytics.com:443 *MISSING TRANSLATION KEY* Exception site match. CONNECT

What is the missing translation key?

FredB

Jan 16, 2015, 11:49:32 AM
to e2gua...@googlegroups.com
So you confirm that there is a difference between 3.1.2 and the dev version? Can you try with "sslseparatelists = on" in your group file (with dev)?
About "MISSING TRANSLATION KEY": what's your language value in e2guardian.conf?

FredB

Jan 16, 2015, 11:54:40 AM
to e2gua...@googlegroups.com



> A note: I also see a lot of https://ssl.google-analytics.com:443 *MISSING TRANSLATION KEY* Exception site match. CONNECT
>
> What is the missing translation key?

It doesn't matter (I mean, it works), just an error code is missing in e2guardian/languages/yourlanguage/messages.

FredB

Jan 16, 2015, 12:04:52 PM
to e2gua...@googlegroups.com
To fix it add languages/ukenglish/messages.alt (from source code)

RaNd SuRealIsteZ

Jan 19, 2015, 4:44:39 AM
to e2gua...@googlegroups.com
Thanks for that!

I found that while 3.1.2 works fine with MITM, 3.3.0 DEV produces errors.

Built with the same options, and using the same set of config files:
3.3.0
2015.1.19 11:38:25  https://safebrowsing.google.com:443 *MISSING TRANSLATION KEY* Certificate supplied by server was not valid: unable to get local issuer certificate CONNECT 0 0 SSL Site 30 200 -

3.1.2
2015.1.19 11:40:27 https://www.youtube.com *MISSING TRANSLATION KEY* Banned site: youtube.com GET 0 0 Groups-Blocked-Sites- 30 403 -

RaNd SuRealIsteZ

Jan 19, 2015, 5:05:15 AM
to e2gua...@googlegroups.com
With sslseparatelists = on, 3.3.0 produces the same error (and it complains when the files are not defined) as in my latest post (cert error); on 3.1.2 it does nothing.

num...@free.fr

Jan 19, 2015, 5:14:10 AM
to e2gua...@googlegroups.com

> With sslseparatelists = on, 3.3.0 produces the same error (and it complains when the files are not defined) as in my latest post (cert error); on 3.1.2 it does nothing.

The complaint is right.
But there is something wrong with 3.3.0 ...

Can you make this little test:

sllmitm = yes in e2guardianfx.conf -> only sites in the greysslsitelist will be MITM

And put a website in greysslsitelist to test.
Thanks for your help.



RaNd SuRealIsteZ

Jan 19, 2015, 5:25:03 AM
to e2gua...@googlegroups.com
Already have:

greysslsitelist = '/usr/local/etc/dansguardian/lists/greysslsitelist'

ssldeniedrewrite = 'on'


sslcertcheck = 'off'
sslmitm = 'on'
sslseparatelists = 'on'

Should I replace sslmitm = 'on' with sllmitm = yes?

FredB

Jan 19, 2015, 5:34:19 AM
to e2gua...@googlegroups.com

> sllmitm = yes in e2guardianfx.conf -> only sites in the greysslsitelist will be MITM
>
> And put a website in greysslsitelist to test.
> Thanks for your help.

Sorry, it's onlymitmsslgrey = 'on' (only sites in the greysslsitelist will be MITM).
There is a little mistake in the documentation (yes/on), I will fix it.

FredB

Jan 19, 2015, 5:46:23 AM
to e2gua...@googlegroups.com


Like this:

greysslsitelist = '/usr/local/etc/dansguardian/lists/greysslsitelist' -> put your test website in it

ssldeniedrewrite = 'off'

RaNd SuRealIsteZ

Jan 19, 2015, 6:07:01 AM
to e2gua...@googlegroups.com
Still getting  "Certificate supplied by server was not valid: unable to get local issuer certificate"

FredB

Jan 19, 2015, 6:28:53 AM
to e2gua...@googlegroups.com


> Still getting "Certificate supplied by server was not valid: unable to get local issuer certificate"

Strange. It means the certificate path or chain is broken and you are missing certificate files.
I have not yet tested SSLMITM, I will make a test soon.

RaNd SuRealIsteZ

Jan 19, 2015, 7:06:05 AM
to e2gua...@googlegroups.com
I have both binaries installed, 3.3.0 and 3.1.2, running them with -c <same config file>

FredB

Jan 19, 2015, 7:29:20 AM
to e2gua...@googlegroups.com
Yes, I think that there is something wrong with 3.3.0

RaNd SuRealIsteZ

Jan 19, 2015, 8:45:26 AM
to e2gua...@googlegroups.com
If you want to build with debug and/or pull the latest one  from git, let me know.

Philip Pearce

Jan 19, 2015, 10:48:15 AM
to RaNd SuRealIsteZ, e2gua...@googlegroups.com
I have made a lot of changes to the MITM certificate generation code and the overall MITM logic in order to get it to work as both MITM and cert checking was broken in DG.

The certificate checking functions are still as DG and still need a lot of re-writing.

I was unable to get cert checking to work natively on either of the two platforms we use at Protex (CentOS 5 and CentOS 6).  I managed to get it working on CentOS 5 by copying the certificate bundle directories from Ubuntu 14.4 LTS and using these.  However, this did not work on CentOS 6.

The errors I got were the same as you are getting.

In order to solve the urgent issue for me, the google retirement of nosslsearch problem, I disabled cert checking in 3.1.2 and used the onlymitmsslgrey option to restrict MITM to Google sites. 

I will be looking at the cert checking code over the next few days, so if you find anything that helps on the RH6 (CentOS6) please let me know.  Also, if anyone has tested on other platforms, please let us know the results.

I intend to fix this in the v3.1.x, before we release this as the next stable version (3.2).  Code fixes will be also merged into 3.3.

Regards
Philip Pearce




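Philip's observation that copying the Ubuntu certificate directories made checking work on CentOS 5 fits a difference between the distributions that produces exactly the message in this thread: Debian/Ubuntu fill /etc/ssl/certs with hash-named links (update-ca-certificates), while on CentOS /etc/ssl/certs points at /etc/pki/tls/certs, which carries a ca-bundle.crt file but no hashed entries. OpenSSL's directory lookup (a CApath) finds an issuer only under its <subject-hash>.0 filename, so a bundle-only directory yields "unable to get local issuer certificate" (X509 verify error 20) even though the right root is sitting in it. The script below is an added example, not e2guardian code; it reproduces the failure with the openssl CLI on throwaway test material and shows the two ways out (hash the directory, or use a bundle file). It assumes e2guardian hands sslcertificatepath to OpenSSL as a CApath directory, which the directory-valued setting in this thread suggests but the thread does not state. One caveat from the defender's side: sslcertcheck = 'off', as in the configs earlier in the thread, makes the proxy accept any upstream certificate, so the clients behind it can no longer detect a forged or mis-issued server certificate; a working trust store is the fix, not the switch.

```shell
#!/bin/sh
# Added example (not e2guardian code): reproduce "unable to get local issuer
# certificate" with the openssl CLI and show the two fixes (hash the
# directory, or point at a bundle file). All key material is throwaway.

# Build a throwaway root CA plus a leaf certificate it signs, in DIR.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf.crt" >/dev/null 2>&1
}

# Run "openssl verify" with the given trust-store options and print either
# "OK" or OpenSSL's reason text (the same X509 verify strings the proxy logs).
# The output is parsed rather than the exit code, because old 1.0.x builds
# exited 0 even when verification failed.
verify_with() {
  out=$(openssl verify "$@" 2>&1) || true
  reason=$(printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1)
  if [ -z "$reason" ] && printf '%s\n' "$out" | grep -q ': OK$'; then
    echo OK
    return 0
  fi
  printf '%s\n' "${reason:-$out}"
  return 1
}
verify_with_capath() { verify_with -CApath "$1" "$2"; }   # directory lookup
verify_with_cafile() { verify_with -CAfile "$1" "$2"; }   # bundle file

# Count <subject-hash>.N entries: zero means CApath lookups cannot succeed,
# a quick check to run on an sslcertificatepath directory before anything else.
count_hashed_entries() {
  ls "$1" 2>/dev/null | grep -c '^[0-9a-f]\{8\}\.[0-9]*$' || true
}

# Install CERT into CAPATH under the hashed name OpenSSL looks up, which is
# what c_rehash / "openssl rehash" does for every certificate in a directory.
hash_into_capath() {
  h=$(openssl x509 -noout -subject_hash -in "$1")
  cp "$1" "$2/$h.0"
}

# Walkthrough (only where the openssl CLI is present).
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_test_pki "$work"
  mkdir -p "$work/certs"
  cp "$work/ca.crt" "$work/certs/ca-bundle.crt"   # bundle only, CentOS-style
  echo "hashed entries:   $(count_hashed_entries "$work/certs")"
  echo "CApath, unhashed: $(verify_with_capath "$work/certs" "$work/leaf.crt")"
  echo "CAfile, bundle:   $(verify_with_cafile "$work/certs/ca-bundle.crt" "$work/leaf.crt")"
  hash_into_capath "$work/ca.crt" "$work/certs"
  echo "CApath, hashed:   $(verify_with_capath "$work/certs" "$work/leaf.crt")"
  rm -rf "$work"
fi
```

The walkthrough prints 0 hashed entries and "unable to get local issuer certificate" for the bundle-only directory, "OK" for the same bundle used as a CAfile, and "OK" again for the directory once the hashed entry exists. On a real box, `count_hashed_entries` against the configured sslcertificatepath (and `openssl verify -CApath <that dir> <saved server cert>`) separates a broken trust directory from a bug in the proxy's checking code.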

RaNd SuRealIsteZ

Jan 19, 2015, 11:12:48 AM
to e2gua...@googlegroups.com, ran...@gmail.com
Wouldn't it be easier to let Squid manage the MITM, and use DG as an ICAP engine?

FredB

Jan 20, 2015, 3:29:25 AM
to e2gua...@googlegroups.com, ran...@gmail.com
Hi Philip,

I will make a test with Debian Wheezy and dev branch soon, I also forgot to remove --enable-searchwords from compilation options 

Fred

FredB

Jan 22, 2015, 7:11:04 AM
to e2gua...@googlegroups.com
Tested today (some documentation fixes here: https://github.com/e2guardian/e2guardian/blob/develop/notes/ssl_mitm)
Debian Wheezy 32 bits + e2guardian dev branch

e2guardian.conf

cacertificatepath = '/home/fred/my_rootCA.crt'
caprivatekeypath = '/home/fred/private_root.pem'
certprivatekeypath = '/home/fred/private_cert.pem'
sslcertificatepath = '/etc/ssl/certs/'
generatedcertpath = '/tmp'

e2guardianfx.conf

sslmitm = on
sslseparatelists = on

greysslsitelist = '/etc/e2guardian/lists/greysslsitelist' -> my SSL websites

In Firefox 35 I have "Secure Connection failed" and if I try "add an exception" there is no reaction (nothing in Wireshark).

CheckHeader: Adding our own Proxy-Connection: Close
54780 -persistPeer: 0
54780 -Getting ssl certificate for client connection
Generating serial no for www.google.fr
Serial no is 2953C0A6C6AD060D7204E365FAD0AD
looking for cert /tmp/29/53/C0/A6C6AD060D7204E365FAD0AD
Certificate found
54780 -Going SSL on the peer connection
54780 -Going SSL on connection to proxy
54780 -Checking certificate
54780 -checking SSL certificate is valid
54780 -checking SSL certificate hostname
checking certificatewww.google.fr
Checking hostname against subjectAltNames
checking against alt name google.com
checking against alt name *.2mdn.net
Wildcard certificate is in use
checking against alt name *.android.com
Wildcard certificate is in use
checking against alt name *.appengine.google.com
Wildcard certificate is in use
checking against alt name *.au.doubleclick.net
Wildcard certificate is in use
checking against alt name *.cc-dt.com
Wildcard certificate is in use
checking against alt name *.cloud.google.com
Wildcard certificate is in use
checking against alt name *.de.doubleclick.net
Wildcard certificate is in use
checking against alt name *.doubleclick.com
Wildcard certificate is in use
checking against alt name *.doubleclick.net
Wildcard certificate is in use
checking against alt name *.fls.doubleclick.net
Wildcard certificate is in use
checking against alt name *.fr.doubleclick.net
Wildcard certificate is in use
checking against alt name *.google-analytics.com
Wildcard certificate is in use
checking against alt name *.google.ac
Wildcard certificate is in use
checking against alt name *.google.ad
Wildcard certificate is in use
checking against alt name *.google.ae
Wildcard certificate is in use
checking against alt name *.google.af
Wildcard certificate is in use
checking against alt name *.google.ag
Wildcard certificate is in use
checking against alt name *.google.al
Wildcard certificate is in use
checking against alt name *.google.am
Wildcard certificate is in use
checking against alt name *.google.as
Wildcard certificate is in use
checking against alt name *.google.at
Wildcard certificate is in use
checking against alt name *.google.az
Wildcard certificate is in use
checking against alt name *.google.ba
Wildcard certificate is in use
checking against alt name *.google.be
Wildcard certificate is in use
checking against alt name *.google.bf
Wildcard certificate is in use
checking against alt name *.google.bg
Wildcard certificate is in use
checking against alt name *.google.bi
Wildcard certificate is in use
checking against alt name *.google.bj
Wildcard certificate is in use
checking against alt name *.google.bs
Wildcard certificate is in use
checking against alt name *.google.bt
Wildcard certificate is in use
checking against alt name *.google.by
Wildcard certificate is in use
checking against alt name *.google.ca
Wildcard certificate is in use
checking against alt name *.google.cat
Wildcard certificate is in use
checking against alt name *.google.cc
Wildcard certificate is in use
checking against alt name *.google.cd
Wildcard certificate is in use
checking against alt name *.google.cf
Wildcard certificate is in use
checking against alt name *.google.cg
Wildcard certificate is in use
checking against alt name *.google.ch
Wildcard certificate is in use
checking against alt name *.google.ci
Wildcard certificate is in use
checking against alt name *.google.cl
Wildcard certificate is in use
checking against alt name *.google.cm
Wildcard certificate is in use
checking against alt name *.google.cn
Wildcard certificate is in use
checking against alt name *.google.co.ao
Wildcard certificate is in use
checking against alt name *.google.co.bw
Wildcard certificate is in use
checking against alt name *.google.co.ck
Wildcard certificate is in use
checking against alt name *.google.co.cr
Wildcard certificate is in use
checking against alt name *.google.co.hu
Wildcard certificate is in use
checking against alt name *.google.co.id
Wildcard certificate is in use
checking against alt name *.google.co.il
Wildcard certificate is in use
checking against alt name *.google.co.im
Wildcard certificate is in use
checking against alt name *.google.co.in
Wildcard certificate is in use
checking against alt name *.google.co.je
Wildcard certificate is in use
checking against alt name *.google.co.jp
Wildcard certificate is in use
checking against alt name *.google.co.ke
Wildcard certificate is in use
checking against alt name *.google.co.kr
Wildcard certificate is in use
checking against alt name *.google.co.ls
Wildcard certificate is in use
checking against alt name *.google.co.ma
Wildcard certificate is in use
checking against alt name *.google.co.mz
Wildcard certificate is in use
checking against alt name *.google.co.nz
Wildcard certificate is in use
checking against alt name *.google.co.th
Wildcard certificate is in use
checking against alt name *.google.co.tz
Wildcard certificate is in use
checking against alt name *.google.co.ug
Wildcard certificate is in use
checking against alt name *.google.co.uk
Wildcard certificate is in use
checking against alt name *.google.co.uz
Wildcard certificate is in use
checking against alt name *.google.co.ve
Wildcard certificate is in use
checking against alt name *.google.co.vi
Wildcard certificate is in use
checking against alt name *.google.co.za
Wildcard certificate is in use
checking against alt name *.google.co.zm
Wildcard certificate is in use
checking against alt name *.google.co.zw
Wildcard certificate is in use
checking against alt name *.google.com
Wildcard certificate is in use
checking against alt name *.google.com.af
Wildcard certificate is in use
checking against alt name *.google.com.ag
Wildcard certificate is in use
checking against alt name *.google.com.ai
Wildcard certificate is in use
checking against alt name *.google.com.ar
Wildcard certificate is in use
checking against alt name *.google.com.au
Wildcard certificate is in use
checking against alt name *.google.com.bd
Wildcard certificate is in use
checking against alt name *.google.com.bh
Wildcard certificate is in use
checking against alt name *.google.com.bn
Wildcard certificate is in use
checking against alt name *.google.com.bo
Wildcard certificate is in use
checking against alt name *.google.com.br
Wildcard certificate is in use
checking against alt name *.google.com.by
Wildcard certificate is in use
checking against alt name *.google.com.bz
Wildcard certificate is in use
checking against alt name *.google.com.cn
Wildcard certificate is in use
checking against alt name *.google.com.co
Wildcard certificate is in use
checking against alt name *.google.com.cu
Wildcard certificate is in use
checking against alt name *.google.com.cy
Wildcard certificate is in use
checking against alt name *.google.com.do
Wildcard certificate is in use
checking against alt name *.google.com.ec
Wildcard certificate is in use
checking against alt name *.google.com.eg
Wildcard certificate is in use
checking against alt name *.google.com.et
Wildcard certificate is in use
checking against alt name *.google.com.fj
Wildcard certificate is in use
checking against alt name *.google.com.ge
Wildcard certificate is in use
checking against alt name *.google.com.gh
Wildcard certificate is in use
checking against alt name *.google.com.gi
Wildcard certificate is in use
checking against alt name *.google.com.gr
Wildcard certificate is in use
checking against alt name *.google.com.gt
Wildcard certificate is in use
checking against alt name *.google.com.hk
Wildcard certificate is in use
checking against alt name *.google.com.iq
Wildcard certificate is in use
checking against alt name *.google.com.jm
Wildcard certificate is in use
checking against alt name *.google.com.jo
Wildcard certificate is in use
checking against alt name *.google.com.kh
Wildcard certificate is in use
checking against alt name *.google.com.kw
Wildcard certificate is in use
checking against alt name *.google.com.lb
Wildcard certificate is in use
checking against alt name *.google.com.ly
Wildcard certificate is in use
checking against alt name *.google.com.mm
Wildcard certificate is in use
checking against alt name *.google.com.mt
Wildcard certificate is in use
checking against alt name *.google.com.mx
Wildcard certificate is in use
checking against alt name *.google.com.my
Wildcard certificate is in use
checking against alt name *.google.com.na
Wildcard certificate is in use
checking against alt name *.google.com.nf
Wildcard certificate is in use
checking against alt name *.google.com.ng
Wildcard certificate is in use
checking against alt name *.google.com.ni
Wildcard certificate is in use
checking against alt name *.google.com.np
Wildcard certificate is in use
checking against alt name *.google.com.nr
Wildcard certificate is in use
checking against alt name *.google.com.om
Wildcard certificate is in use
checking against alt name *.google.com.pa
Wildcard certificate is in use
checking against alt name *.google.com.pe
Wildcard certificate is in use
checking against alt name *.google.com.pg
Wildcard certificate is in use
checking against alt name *.google.com.ph
Wildcard certificate is in use
checking against alt name *.google.com.pk
Wildcard certificate is in use
checking against alt name *.google.com.pl
Wildcard certificate is in use
checking against alt name *.google.com.pr
Wildcard certificate is in use
checking against alt name *.google.com.py
Wildcard certificate is in use
checking against alt name *.google.com.qa
Wildcard certificate is in use
checking against alt name *.google.com.ru
Wildcard certificate is in use
checking against alt name *.google.com.sa
Wildcard certificate is in use
checking against alt name *.google.com.sb
Wildcard certificate is in use
checking against alt name *.google.com.sg
Wildcard certificate is in use
checking against alt name *.google.com.sl
Wildcard certificate is in use
checking against alt name *.google.com.sv
Wildcard certificate is in use
checking against alt name *.google.com.tj
Wildcard certificate is in use
checking against alt name *.google.com.tn
Wildcard certificate is in use
checking against alt name *.google.com.tr
Wildcard certificate is in use
checking against alt name *.google.com.tw
Wildcard certificate is in use
checking against alt name *.google.com.ua
Wildcard certificate is in use
checking against alt name *.google.com.uy
Wildcard certificate is in use
checking against alt name *.google.com.vc
Wildcard certificate is in use
checking against alt name *.google.com.ve
Wildcard certificate is in use
checking against alt name *.google.com.vn
Wildcard certificate is in use
checking against alt name *.google.cv
Wildcard certificate is in use
checking against alt name *.google.cz
Wildcard certificate is in use
checking against alt name *.google.de
Wildcard certificate is in use
checking against alt name *.google.dj
Wildcard certificate is in use
checking against alt name *.google.dk
Wildcard certificate is in use
checking against alt name *.google.dm
Wildcard certificate is in use
checking against alt name *.google.dz
Wildcard certificate is in use
checking against alt name *.google.ee
Wildcard certificate is in use
checking against alt name *.google.es
Wildcard certificate is in use
checking against alt name *.google.fi
Wildcard certificate is in use
checking against alt name *.google.fm
Wildcard certificate is in use
checking against alt name *.google.fr
Wildcard certificate is in use
54780 -Handling connections inside ssl tunnel
54780 -got peer connection
5478010.253.33.61
ssl stopping
this is a client connection
calling ssl shutdown
done
54780 -Handling connections inside ssl tunnel: done
54780 -Shutting down ssl to proxy
ssl stopping
54780 -Shutting down ssl to client
ssl stopping
this is a server connection
SSL_RECIEVED_SHUTDOWN IS SET
calling 1st ssl shutdown
54780 -Attempting graceful connection close
BaseSocket::checkForInput: starting for sck:7
BaseSocket::checkForInput: starting for sck:4
BaseSocket::checkForInput: starting for sck:4
read into buffer; bufflen: 2
numchildren:40
busychildren:0
freechildren:40
waitingfor:0
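The debug log above shows the proxy doing the second half of certificate validation: after the chain check it compares the requested hostname (www.google.fr) with every DNS entry in the certificate's subjectAltName, and prints "Wildcard certificate is in use" for each wildcard entry it passes. What the log does not show is the matching rule itself, which is the part that stops a certificate issued for one name being accepted for another. The POSIX sh matcher below is an added example, not e2guardian's code, and applies the usual RFC 6125 rules: case-insensitive comparison, a wildcard only as the whole leftmost label, one label per wildcard, and at least two labels after it (a cheap stand-in for a public-suffix check). The SAN entries fed to it are a constructed sample taken from the names listed in the log.

```shell
#!/bin/sh
# Added example (not e2guardian code): the hostname-versus-subjectAltName
# check the debug log above is walking through, written out as a small
# POSIX sh matcher so the rules are visible.
#
# Rules applied (RFC 6125 style):
#   - comparison is case-insensitive;
#   - a wildcard is accepted only as the entire leftmost label ("*.google.fr"),
#     never partial ("w*.google.fr") or in the middle of a name;
#   - "*" matches exactly one label: "*.google.fr" covers www.google.fr but
#     neither google.fr nor a.b.google.fr;
#   - at least two labels must follow the wildcard, so "*.fr" is rejected
#     (a cheap stand-in for a public-suffix check).

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# match_dns_name HOST PATTERN: exit 0 when PATTERN covers HOST.
match_dns_name() {
  host=$(lc "$1")
  pat=$(lc "$2")
  case "$pat" in
    '*.'*)
      rest=${pat#\*.}                             # labels after the wildcard
      case "$rest" in *\**) return 1 ;; esac      # only one wildcard allowed
      case "$rest" in *.*) ;; *) return 1 ;; esac # need >= 2 labels after it
      case "$host" in *.*) ;; *) return 1 ;; esac # host needs >= 2 labels
      [ "${host#*.}" = "$rest" ]                  # exactly one extra label
      ;;
    *\**) return 1 ;;                             # wildcard elsewhere: reject
    *)    [ "$host" = "$pat" ] ;;
  esac
}

# find_matching_san HOST SAN...: print the first SAN covering HOST, else exit 1.
find_matching_san() {
  host=$1; shift
  for san in "$@"; do
    if match_dns_name "$host" "$san"; then
      printf '%s\n' "$san"
      return 0
    fi
  done
  return 1
}

# Constructed sample: a few of the SAN entries the log above lists.
for h in www.google.fr google.com a.b.google.fr google.fr mail.2mdn.net; do
  if m=$(find_matching_san "$h" google.com '*.2mdn.net' '*.google.com' '*.google.fr'); then
    echo "$h: covered by SAN $m"
  else
    echo "$h: no SAN covers this name, the certificate must be rejected for it"
  fi
done
```

Two design points are worth keeping when reading the proxy's own log: the matcher stops at the first covering entry rather than announcing every wildcard it passes, and a name that no entry covers is a hard failure. Hostname matching only means something after the chain has verified, which is why the chain error earlier in the thread aborts before this stage is reached.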


FredB

Jan 22, 2015, 7:18:47 AM
to e2gua...@googlegroups.com
Exactly the same with nosslsearch branch

FredB

Jan 22, 2015, 8:20:12 AM
to e2gua...@googlegroups.com
It works perfectly, but only with IE and Chrome (tested with IE10 and Chrome 39), not with FF.

Also, maybe I missed something, but bannedextensionlist doesn't seem to work in SSLMITM.

FredB

Jan 22, 2015, 11:07:44 AM
to e2gua...@googlegroups.com
Certificate removed from FF and now I can surf (with an SSL warning, of course)!
The problem seems to be with this browser: the certificate can't be trusted.

FF is stuck with HSTS (HTTP Strict Transport Security) websites like Google Groups.

Philip, I validate SSLMITM on the develop branch, with a configuration like above; perhaps some problems are still present (like Firefox and my certificate, bannedextensionlist, or perhaps some options on/off), but the engine works.
