Just playing around with some of the Astaro settings.....If I select scan https traffic I get some sites that return an invalid certificate errors yet on some other sites that are also using a SSL connection don't return the error. If I turn off the https scanning then the sites work as per normal. I use https for Gmail and it is one of the sites that returns the invalid certificate error if someone else wants to check it.
Just playing around with some of the Astaro settings.....If I select scan https traffic I get some sites that return an invalid certificate errors yet on some other sites that are also using a SSL connection don't return the error. If I turn off the https scanning then the sites work as per normal. I use https for Gmail and it is one of the sites that returns the invalid certificate error if someone else wants to check it.
that's because when you turn on https scanning you insert hte firwall into the encryption stream.
What happens is the astaro sees the ssl connect attempt..it intercepts that and terminates it at the firewall using it's own internal certificate. The firewall then establishes an ssl connection to your gmail account. Now everything you send is decrypted by the firewall..scanned in plaintext, re-encrypted and sent to gmail. The same process is done in return form gmail to you. Because there's another certificate involved you'll usually get the certificate errors.
I am in the slim minority that sees this as a huge issue..[:)]
Which logfile contains the invalid certificate error? All my https failures in the content proxy log looks like this unless I add my clients to the skiplist:
2009:01:04-21:00:32 another httpproxy[7244]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.158.33" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" time="62323 ms" request="0x8108768" url="www.astaro.org/login.php
My concern is that Astaro is giving different results for ssl connections. I would expect that Astaro would make the web browser return a certificate error for every secure site you visit. When I visit my personal banking site which uses an ssl connection I do not get a certificate error and the page displays normally. As for adding a certificate excemption....this seems like a bad idea as I want the protection that the certificate provides (think of all the hacking DNS issues lately).
