SSLInspector Blocks Untangle Wiki

  • SSLInspector Blocks Untangle Wiki

    I'm a home user experimenting with SSL Inspector checking all traffic. I frequently click the wiki button top right when I want more info on a topic. If I uncheck "Inspect all Traffic" it works. Any advice besides whitelisting it?


  • #2
    Did you install the certificate?



    • #3
      Originally posted by donhwyo
      Did you install the certificate?
      Yes I did.



      • #4
        Originally posted by MP715
        Yes I did.
        "IN" Windows or the browser?



        • #5
          I am all for using SSL inspection in the commercial world; however, in my opinion it's more trouble than it's worth for home use.

          When the wife starts asking why such and such doesn't work or she can't get to such and such site... You know, happy wife happy life.

          At any rate, as dashpuppy stated, where did you install the cert?

          Reference: https://support.untangle.com/hc/en-u...L-certificates

          Let us know how you make out.



          • #6
            Originally posted by mfwade
            I am all for using SSL inspection in the commercial world; however, in my opinion it's more trouble than it's worth for home use.

            When the wife starts asking why such and such doesn't work or she can't get to such and such site... You know, happy wife happy life.

            At any rate, as dashpuppy stated, where did you install the cert?

            Reference: https://support.untangle.com/hc/en-u...L-certificates

            Let us know how you make out.
            You know, I have that sign above my kitchen sink!

            BTW, there is a reason why I put cellphones & IOT devices all on the same IOT network: SSL inspection on phones & tablets is a HUGE PITA. It will work, then it breaks and all hell breaks loose! Trust me, you don't need to inspect SSL on mobile devices; it does a horrible job of it and just causes issues. NOW for computers it's totally different.



            • #7
              Originally posted by dashpuppy
              "IN" Windows or the browser?
              Both



              • #8
                Originally posted by dashpuppy
                You know, I have that sign above my kitchen sink!

                BTW, there is a reason why I put cellphones & IOT devices all on the same IOT network: SSL inspection on phones & tablets is a HUGE PITA. It will work, then it breaks and all hell breaks loose! Trust me, you don't need to inspect SSL on mobile devices; it does a horrible job of it and just causes issues. NOW for computers it's totally different.
                You guys are absolutely right. It's a right pita. I've since disabled it. I don't need to hear it from the wife! I have multiple vlans: IoT, Main wifi (for adults), a guest network (which isn't really working with captive portal I might add, still playing with it) and one for my kid which has all the web filters blocking nasty stuff. It's been working great. I was just experimenting.



                • #9
                  Originally posted by MP715
                  Both
                  It only needs to be in "Windows", not the browser. Just FYI.

                  On the phones, you will lose all your hair like I have!



                  • #10
                    Originally posted by dashpuppy
                    It only needs to be in "Windows", not the browser. Just FYI.

                    On the phones, you will lose all your hair like I have!
                    By default, Firefox does not look at the Windows set of certificates, only its own set of certificates. However, you can configure Firefox to also trust the System's list of trusted certificates.

                    Alternate way by modifying default user profile.

                    Raw wiki article that KB article is likely based upon. https://wiki.mozilla.org/CA/AddRootToFirefox

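Added example, not part of the original thread: a small check for whether a Firefox profile or install has been told to trust the operating system's root store, which is what post #10 describes. It reads Firefox's `security.enterprise_roots.enabled` pref and the `Certificates` / `ImportEnterpriseRoots` enterprise policy; the profile name, file contents and paths below are constructed sample data, and an unset pref is reported as `None` rather than guessing the version's default.

```python
import json
import re
import tempfile
from pathlib import Path

PREF = "security.enterprise_roots.enabled"  # Firefox pref: also trust OS root store
PREF_RE = re.compile(r'^\s*user_pref\("' + re.escape(PREF) + r'",\s*(true|false)\);', re.M)


def pref_in_profile(profile_dir):
    """True/False if the profile sets the pref explicitly, None if it is unset."""
    value = None
    for name in ("prefs.js", "user.js"):  # user.js is applied last, so it wins
        path = Path(profile_dir) / name
        if path.is_file():
            hits = PREF_RE.findall(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                value = hits[-1] == "true"  # last assignment in a file wins
    return value


def policy_imports_roots(policies_json):
    """True if a policies.json sets Certificates.ImportEnterpriseRoots to true."""
    try:
        doc = json.loads(Path(policies_json).read_text(encoding="utf-8"))
        return doc["policies"]["Certificates"]["ImportEnterpriseRoots"] is True
    except (OSError, ValueError, KeyError, TypeError):
        return False  # missing, unreadable or malformed policy file


def make_sample_profile(root):
    """Constructed sample: prefs.js says false, user.js overrides it to true."""
    profile = Path(root) / "abcd1234.default-release"  # made-up profile name
    profile.mkdir(parents=True)
    (profile / "prefs.js").write_text(
        'user_pref("browser.startup.page", 3);\n'
        f'user_pref("{PREF}", false);\n', encoding="utf-8")
    (profile / "user.js").write_text(f'user_pref("{PREF}", true);\n', encoding="utf-8")
    policy = Path(root) / "policies.json"
    policy.write_text(json.dumps(
        {"policies": {"Certificates": {"ImportEnterpriseRoots": True}}}), encoding="utf-8")
    return profile, policy


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        profile, policy = make_sample_profile(tmp)
        print("profile pref:", pref_in_profile(profile))
        print("policy imports roots:", policy_imports_roots(policy))
```

On a real machine, point `pref_in_profile` at a profile folder listed under `about:profiles` and `policy_imports_roots` at the `distribution/policies.json` of the Firefox install.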


                    • #11
                      For what it's worth, my general rule on SSL inspection is 'if you have a legal requirement to use it, fine; otherwise, don't bother'. It's a lot of trouble to get set up properly; requires modification of devices outside the NG Firewall itself; and ultimately doesn't really provide much in the way of additional effect. For example, Web Filter is just fine without SSL Inspector. App Control does its own DPI without needing SSL Inspector at all. The only app that sees a significant benefit from SSL inspection is Virus Blocker, and you shouldn't be relying entirely on gateway-based virus protection in the first place.

                      There's another method of SSL decryption — deep packet inspection — that works in a completely different way, usually requires dedicated hardware, and is entirely outside the realm of NG Firewall's capabilities. In that case, sure: inspect away. The man-in-the-middle-style inspection NG Firewall performs has its share of limitations and oftentimes, the only solution is 'don't inspect that site'.
                      Græme Ravenscroft • Technical Marketing Engineer
                      ('gram', like the unit of measurement)
                      he/him
                      Please don't reboot your NGFW.
                      How can we make Arista ETM products better?
