Squid 4.5 Transparent Proxy, StrongSwan VPN - Working in Browser but not in any android apps

XploD
Squid 4.5 Transparent Proxy, StrongSwan VPN - Working in Browser but not in any android apps

Hi.


I've got a strange problem, and I don't know if you can help me:

To secure my mobile phone, I have set up a VPN using Strongswan which is used anytime I use an open WiFi hotspot. This works fine.


But to get rid of all the trackers applied to websites and android apps, I want to use a proxy to filter any unwanted communication:

So I have set up squid to intercept both port 80 and 443, with SSL_BUMP, Self-Signed Certificates, ...


In firefox mobile, I had to download the CA-certificate in PEM format, so that firefox asked if I wanted to install the certificate. After doing so, the proxy works just fine, and any website shows the Squid Authority as CA. 


For Chrome, I had to download the CA-Certificate as .crt file. I installed that in Android, so that it is displayed in the user section of the Trusted-CA page. After that, Chrome accessed any website without complaint, stating that every site was signed by the Squid Authority.


But now my problem:

Any android app I try wants to open an SSL connection to some servers, but none of them works. Every app either says it has no connection, or shows a certificate mismatch...

Can anybody tell me what I have to do so that every android app accepts the intercepted connection?


Best regards,

Dirk


BTW: If any squid developer is reading this: Squid is awesome work! Thank you very much for such beauty!



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid 4.5 Transparent Proxy, StrongSwan VPN - Working in Browser but not in any android apps

Amos Jeffries
Administrator
On 22/01/19 9:19 pm, XploD wrote:
>
> Can anybody tell me what I have to do so that every android app accepts
> the intercepted connection?
>

IIRC there is also a phone CA certificate store where it can be added.
Though I do not recall exactly where it is right now.

Even with that setup some apps (e.g. from YouTube and Facebook) use
certificate pinning. They bundle the domain's CA cert hard-coded into the
app itself and only trust that exact CA. Or use a client certificate
similarly bundled with each app to authenticate against the server.

When either of those TLS features is used SSL-Bump cannot do the 'bump'
action - only peek, splice or terminate work. That is still enough
to identify the destination domain, but no deep inspection.


>
> BTW: If any squid developer is reading this: Squid is awesome work!
> Thank you very much for such beauty!
>

On behalf of the team: thank you.

Amos
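As an added illustration (not part of either post and not configuration shipped by the Squid project), the squid.conf rule layout that implements what Amos describes for Squid 4: peek at the first SSL-Bump step so the SNI becomes visible, splice connections to hosts whose apps pin their certificates (Squid still logs the destination domain), and bump everything else. The port number, file paths and host patterns are assumptions; the directive and ACL names are Squid's own.

```conf
# Added example, not from the thread. Paths, port and host patterns are assumptions.

# Intercepted HTTPS port. generate-host-certificates=on mints a per-site
# certificate signed by the local CA that the phone has been told to trust.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/squid-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Squid 4 certificate generator helper (ssl_crtd was renamed in 4.x).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# SslBump1: before any TLS bytes are read (only the intercepted IP:port is known).
# SslBump2: after peeking at the ClientHello, so the SNI is available.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Hosts whose apps pin their certificate or use bundled client certs.
# Placeholder names; fill this from the domains seen failing in access.log.
acl pinned ssl::server_name .pinned-app.example .another-app.example

# Step 1: peek only, so the ClientHello (with SNI) is read without bumping.
ssl_bump peek step1
# Step 2: pass pinned hosts through untouched; the SNI is still logged.
ssl_bump splice pinned
# Everything else is bumped and inspected with a generated certificate.
ssl_bump bump all
```

Order matters: the peek rule must come first, because the `ssl::server_name` ACL has nothing to match until the ClientHello has been peeked at. An app that pins will typically drop the connection right after receiving the generated certificate; the domain it was talking to shows up in access.log with the SNI, which is how the splice list gets populated without guessing.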