Proxy doesn't provide any certificate with Log SNI information only activated
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [X] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [X] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Describe the bug
https://opnsense.home.lan/ui/proxy#subtab_proxy-forward-general
I activated
- Enable SSL inspection
- Log SNI information only
- CA to use (my private CA)
Port forwarding is in place. I also use a "Remote Access Control List".
Now I understand that my CA isn't going to be used for all HTTPS certificates since I activated "Log SNI information only". However, if a page gets denied due to it being on the "Remote Access Control List", this is what openssl s_client --connect <URL>:443 shows:
CONNECTED(00000003)
139935929198400:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 312 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
So it can't even show the error message in the browser explaining why it has been denied. It will only show a general SSL error message in the browser.
Expected behavior
In case "Log SNI information only" is activated (and a CA is configured), at least use the configured CA for the proxy error messages page. If I disable "Log SNI information only" and try to reach the page, I get the proper error message in the browser: "Access control configuration prevents your request from being allowed at this time". Now I know this only works if the client trusts the CA, but I think that's better than just getting a general SSL error because no certificate at all has been provided.
Environment
OPNsense 22.7.1 (amd64, OpenSSL).
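
The following diagnostic is an added example, not part of the original report or of OPNsense. OpenSSL raises "wrong version number" when the 5-byte record header it reads does not carry a valid TLS version, so this sketch sends a ClientHello with the blocked host's SNI and classifies the first 5 bytes that come back. The function names are hypothetical, and a plaintext deny response is only one possible outcome to test for, not something the report establishes.

```python
import socket
import ssl
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def classify_record_header(header: bytes) -> str:
    """Classify the first 5 bytes a server returns after a ClientHello."""
    if len(header) < 5:
        return "short read"
    ctype, major, minor, length = struct.unpack("!BBBH", header[:5])
    # Valid TLS record: known content type, version 3.0-3.3, sane length.
    if ctype in TLS_TYPES and major == 3 and minor <= 3 and length <= 16384 + 2048:
        return "tls record: " + TLS_TYPES[ctype]
    if header[:5] == b"HTTP/":
        return "plaintext http response"
    return "not a tls record"

def client_hello(sni: str) -> bytes:
    """Let the ssl module build a ClientHello carrying `sni`, without any network I/O."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # handshake is waiting for the server; the ClientHello is in `outgoing`
    return outgoing.read()

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a ClientHello for `host` and classify the first 5 bytes that come back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        return classify_record_header(sock.recv(5, socket.MSG_WAITALL))

if __name__ == "__main__":
    # Constructed sample replies, not captured from the reporter's system.
    samples = [b"\x16\x03\x03\x00\x7a", b"\x15\x03\x03\x00\x02", b"HTTP/1.1 403 Forbidden\r\n"]
    for s in samples:
        print(s[:5], "->", classify_record_header(s))
```

Running `probe()` from a client behind the proxy against a host on the deny list, once with "Log SNI information only" enabled and once with it disabled, shows whether the deny path answers with a TLS record or with something else.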