Unable to get sslmitm working with e2guardian 3.4.0.1


ted...@comcast.net

Feb 25, 2016, 3:50:49 PM
to e2guardian
Hello

I have been trying unsuccessfully to get e2guardian running with sslmitm.

I downloaded the source and have successfully installed v3.4.0.1 on OpenBSD current (5.9 - about 3-4 weeks old).

I am not going to post extensive configuration files, because I don't know exactly what would be most helpful. But I will try to give (what seems to me) relevant details.

I already have squid 3.5 running with ssl-bump, and am using c-icap from within squid for AV scanning (with clamav) and simple banned site url scanning.

I have installed e2guardian between the client and squid, and e2guardian is using squid as its parent proxy.

After install and config, e2guardian does start as expected. From a browser explicitly directed to e2guardian, I see:

http://internal.test.e2guardian.org --> "e2guardian internal test OK"

Also, it seems to be working filtering/content scanning with http connections.

For example, if I use a non-ssl http connection to "google.com" (that is, a non-encrypted connection from the client to the proxy), and try a "naughty" search (e.g. "xxx porn sex"); e2guardian intercepts the search and returns the default block page ("reporting level = 3" set in e2guardianf3.conf).

I also see the DENIED attempt logged in access.log as (log entry has been "sanitized" a bit):

date time user ip http://www.google.com/search?ie=ISO-8859-1&hl=en&source=hp&biw=&bih=&q=xxx+porn+sex&gbv=2&oq=xxx+porn+sex&gs_l=heirloom-hp.3...3449.6067.0.6324.14.4.1.9.10.0.107.384.3j1.4.0....0...1ac.1.34.heirloom-hp..10.4.383.mNeHZdACVvk *DENIED* Banned pattern matched URL: (PATTERNS)+.*(PATTERNS)s? GET 0 0 Banned Regular Expression URLs 3 403 - FilterGroup - -

But, if I change the request to https (now it's an ssl connection from the client browser to the proxy), the request goes through and I get the google search result page.

In this case, there is nothing logged in the e2guardian access.log file. In addition, the ssl certificate being presented to the client is NOT the certificate from e2guardian, but a certificate signed by squid ssl-bump.

Finally, there is no indication that e2guardian is trying to produce a sslmitm certificate, as the 'generatedcertpath' remains completely empty.

I followed the information at e2guardian/notes/ssl_mitm to set up ssl_mitm.

Specifically:
openssl genrsa 4096 > /etc/e2guardian/ssl_cert/test_root_key.pem
openssl req -new -x509 -days 3650 -key /etc/e2guardian/ssl_cert/test_root_key.pem -out /etc/e2guardian/ssl_cert/test_root_CA.crt
openssl genrsa 4096 > /etc/e2guardian/ssl_cert/test_private_cert.pem

For testing, I have made the permissions wide open on these files:
# ls -lah /etc/e2guardian/ssl_cert
-rwxrwxrwx 1 _e2guardian _e2guardian 3.2K Feb 25 09:21 test_private_cert.pem
-rwxrwxrwx 1 _e2guardian _e2guardian 1.9K Feb 25 09:19 test_root_CA.crt
-rwxrwxrwx 1 _e2guardian _e2guardian 3.2K Feb 25 09:18 test_root_key.pem

Similarly, the permissions for 'generatedcertpath' are wide open:
# ls -lah /var/e2guardian/generated_certs/
drwxrwxrwx 2 _e2guardian _e2guardian 512B Feb 16 13:22 .
drwxrwxrwx 3 _e2guardian _e2guardian 512B Feb 16 13:22 ..

I setup e2guardian.conf with:

# cat e2guardian.conf | grep ssl | grep -v ^# | grep -v ^$
reverseaddresslookups = off
logsslerrors = off
cacertificatepath = '/etc/e2guardian/ssl_cert/test_root_CA.crt'
caprivatekeypath = '/etc/e2guardian/ssl_cert/test_root_key.pem'
certprivatekeypath = '/etc/e2guardian/ssl_cert/test_private_cert.pem'

and:
generatedcertpath = '/var/e2guardian/generated_certs'

And e2guardianf3.conf with:

# cat e2guardianf3.conf | grep ssl | grep -v ^# | grep -v ^$
ssllegacylogic = off
bannedsslsitelist = '/etc/e2guardian/lists/bannedsslsitelist'
greysslsitelist = '/etc/e2guardian/lists/greysslsitelist'
naughtynesslimit = 50
sslsiteregexplist = '/etc/e2guardian/lists/sslsiteregexplist'
sslcertcheck = off
sslmitm = on
onlymitmsslgrey = off


It appears that e2guardian is just passing the https connection through to squid without decrypting/re-encrypting, despite "sslmitm = on" being set.

I have been trying to figure this out for several days without success. Am I missing something obvious?

Thanks in advance for any advice.

Ted

cool...@gmail.com

Mar 7, 2016, 4:44:33 PM
to e2guardian, ted...@comcast.net
Hi,

I'm also trying to make SSL MITM work with no luck...
I've followed the guide in notes/sslmitm on GitHub:
- compiled e2guardian with '--enable-sslmitm=yes' (confirmed by e2guardian -v)

- Generated certs and keys:
openssl genrsa 4096 > /etc/e2guardian/certs/private_root.pem
openssl req -new -x509 -days 3650 -key /etc/e2guardian/certs/private_root.pem -out /etc/e2guardian/certs/my_rootCA.crt
openssl x509 -in /etc/e2guardian/certs/my_rootCA.crt -outform DER -out /etc/e2guardian/certs/my_rootCA.der
openssl genrsa 4096 > /etc/e2guardian/certs/private_cert.pem

- Created a directory for generated certs:
mkdir -p /etc/e2guardian/generatedcerts
chown e2guardian:e2guardian /etc/e2guardian/generatedcerts

- Made these changes in e2guardian.conf:
sslcertificatepath = '/etc/ssl/certs/'
cacertificatepath = '/etc/e2guardian/certs/my_rootCA.crt'
caprivatekeypath = '/etc/e2guardian/certs/private_root.pem'
certprivatekeypath = '/etc/e2guardian/certs/private_cert.pem'
generatedcertpath = '/etc/e2guardian/generatedcerts/'

- Made these changes in e2guardianf1.conf:
ssllegacylogic = off
sslmitm = on


So frustrating!

Philip Pearce

Mar 8, 2016, 4:34:48 AM
to e2guardian
Hi cool34000,

Can you provide more information? What platform are you using, BSD or Linux? What distribution and version? What version of openssl?

Regards

Philip


--
You received this message because you are subscribed to the Google Groups "e2guardian" group.
To unsubscribe from this group and stop receiving emails from it, send an email to e2guardian+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

FredB

Mar 8, 2016, 6:17:29 AM
to e2guardian
Maybe you are trying SSLMITM with a transparent proxy and not implicit?

cool...@gmail.com

Mar 8, 2016, 6:35:57 AM
to e2guardian, ted...@comcast.net
Hi,

I've fixed my problem...
I just forgot to redirect traffic on port 443 to 8080 in my NAT PREROUTING table, just like I was doing for port 80!

Sorry for bothering... I just hope this can help someone.

cool...@gmail.com

Mar 8, 2016, 12:36:58 PM
to e2guardian
Oops!
It's not working... But I just understood why: SSLMITM does not work in transparent mode!
I guess I have to take a look at WPAD.

FredB

Mar 8, 2016, 12:52:15 PM
to e2guardian
Yes, SSLMITM is only functional in implicit mode, sorry

Sent from my ASUS


-------- Original message --------
From: cool...@gmail.com
Sent: Tue, 08 Mar 2016 18:36:57 +0100
To: e2guardian
Subject: Re: Unable to get sslmitm working with e2guardian 3.4.0.1

Oops!
It's not working... But I just understood why: SSLMITM does not work in transparent mode!
I guess I have to take a look at WPAD.

D Lu

Nov 16, 2017, 12:56:37 AM
to e2guardian
Hi, I have the same problem as them; Firefox returns this error whenever I go to https sites or search the web:
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
I have the same configuration as cool34000

Spike

Nov 16, 2017, 11:28:39 AM
to D Lu, e2guardian
Dear D Lu,

Is there any reason why you cannot upgrade to a more recent version? *A lot* of work has been put in to fix many bugs, and there may be no way to work around this in 3.4.0.1.

best,

Spike

D Lu

Nov 16, 2017, 10:07:41 PM
to Spike, e2guardian
Hi Spike,

I already have the latest version. I am using tinyproxy.

e2guardian 4.1.3

Built with:  '--prefix=/usr' '--enable-clamd=yes' '--with-proxyuser=e2guardian' '--with-proxygroup=e2guardian' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-icap=yes' '--enable-commandline=yes' '--enable-email=yes' '--enable-ntlm=yes' '--enable-trickledm=yes' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--enable-pcre=yes' '--enable-sslmitm=yes' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=' 'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g -Wall -O2'
These files are in /etc/e2guardian/certs:
-rw-rw-rw- 1 e2guardian e2guardian 1907 Nov 17 09:51 my_rootCA.crt
-rw-rw-rw- 1 e2guardian e2guardian 1367 Nov 17 09:52 my_rootCA.der
-rw-rw-rw- 1 e2guardian e2guardian 3243 Nov 17 09:52 private_cert.pem
-rw-rw-rw- 1 e2guardian e2guardian 3243 Nov 17 09:51 private_root.pem

I also copied my_rootCA.crt to my home directory, with e2guardian as owner, for installation on browsers.

I have also already tried a transparent proxy (using WPAD on Ubuntu) and an explicit proxy.

But from the e2guardian logs I still get this error:
"Nov 17 11:04:41 diana-All-Series user.info e2guardian[25163]: 2017.11.17 11:04:41 - 192.168.5.200 https://clients1.google.com:443 *DENIED* Failed to negotiate ssl connection to client CONNECT 0 0 SSL SITE 1 200 - - no_mame_group - -"

Is there any step I am missing?

Regards,

D


On Fri, Nov 17, 2017 at 12:28 AM, Spike <sp...@drba.org> wrote:
Dear D Lu,

is there any reason why you cannot upgrade to a more recent version? *a lot* of work has been put in to fix many bugs and there may be no way to work around this in 3.4.0.1 .

best,

Spike

On Wed, Nov 15, 2017 at 9:56 PM D Lu <dnludovice@bluewave-innovations.com> wrote:
Hi, I have the same problem as them; Firefox returns this error whenever I go to https sites or search the web:
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
I have the same configuration as cool34000


FredB

Nov 17, 2017, 2:37:36 AM
to e2guardian

>
> I also copied my_rootCA.crt on my home directory with e2guardian as
> owner for installation on browsers.

And can you see the CA in your certificate manager? Nothing expired?
Do you have some files in "generatedcertpath ="?

D Lu

Nov 20, 2017, 1:02:41 AM
to e2guardian
Already fixed it by cleaning out the contents of generatedcertpath; can you please explain why this was the cause?

FredB

Nov 20, 2017, 6:00:08 AM
to D Lu, e2guardian

>
> Already fixed it by cleaning the contents of generatedcertpath, can
> you please explain why this was the cause?
>

Date changes (PC or server), changes to certificates (renewal)...
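A consistency check for the sslmitm setup discussed in this thread (Ted's CA/key files and FredB's explanation of stale cached certs), added here as an example; it is not code from e2guardian or from anyone in the thread. It verifies that the CA key belongs to the CA cert, that the CA is not expired, and that every file in generatedcertpath is still valid and was issued by the CA currently in use. It assumes openssl is on PATH and that the cached files are PEM certificates; the function name is mine.

```shell
#!/bin/sh
# Consistency check for an e2guardian sslmitm certificate setup.
# Added example, not code from e2guardian or from anyone in this thread.
# Assumes: openssl on PATH; files in generatedcertpath are PEM certificates.
#
# check_mitm_certs CA_CRT CA_KEY GENERATED_DIR
#   Prints one line per problem found and returns 1, else returns 0.
check_mitm_certs() {
    ca_crt=$1; ca_key=$2; gen_dir=$3; rc=0

    # 1. The CA private key must belong to the CA certificate: compare the
    #    public key embedded in the cert with the one derived from the key.
    crt_pub=$(openssl x509 -in "$ca_crt" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$ca_key" -pubout 2>/dev/null || true)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "CA key $ca_key does not match CA cert $ca_crt"; rc=1
    fi

    # 2. The CA certificate itself must not be expired (-checkend 0 asks
    #    whether it expires within 0 seconds, i.e. is already expired).
    if ! openssl x509 -in "$ca_crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "CA cert $ca_crt is expired"; rc=1
    fi

    # 3. Every cached certificate must be unexpired and issued by the CA in
    #    use now; leftovers from an earlier CA or a clock jump are what make
    #    the client-side handshake fail, as described in the thread.
    for f in "$gen_dir"/*; do
        [ -f "$f" ] || continue
        if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
            echo "not a PEM certificate: $f"; rc=1; continue
        fi
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "expired generated cert: $f"; rc=1
        fi
        if ! openssl verify -CAfile "$ca_crt" "$f" >/dev/null 2>&1; then
            echo "generated cert not issued by the current CA: $f"; rc=1
        fi
    done
    return $rc
}
```

Run it against cacertificatepath, caprivatekeypath and generatedcertpath from e2guardian.conf; any file it lists is a candidate for removal before restarting the daemon.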