SSL Inspection causing issues

Hi all,

We’re having issues with connectivity on FreePBX as a result of our firewall doing SSL inspection. I have the certificate installed into /etc/pki/ca-trust/source/anchors/ but curl is ignoring it and as a result nothing within FreePBX is connecting.

I can get around it by setting curl to NOVERIFY within the freepbx curl function, but then FreePBX complains that it’s been updated and is a potential security issue (which of course it is).

Is there any other way of resolving this problem?

Thanks,
Leigh

Can your firewall be configured to not do the SSL inspection for the FreePBX box?

It can, but for security reasons we don’t (we need high security for the business type).

Which traffic is it, curl from the dialplan, or what's the usage?

It’s curl that’s the issue, so updates fail as it’s ignoring the ca-trust certificate. Everything that’s done via SSH on the server works (so the certificate itself isn’t the issue - it’s that curl is ignoring it).

In curl you can specify the certificate usage, i.e.
```
curl --cacert my-ca.crt https://[my domain or IP address]
```

I know about that - unfortunately it doesn’t help the curl operations being performed by FreePBX itself - they error out.

You might want to look at the curlopts. It seems that they can turn off the validation check on the cert. I don’t see a specify cert option, however.

https://wiki.asterisk.org/wiki/display/AST/Asterisk+16+Function_CURLOPT
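
As an added example (not part of the thread and not FreePBX code): a shell check for whether the inspection CA placed in /etc/pki/ca-trust/source/anchors/ is actually contained in the CA bundle file a client loads. The function names and sample data are constructed, and which bundle FreePBX's curl calls read is an assumption to verify on the system.

```shell
#!/bin/sh
# Added example: check that an SSL-inspection CA placed in the trust anchors
# directory is actually present in the CA bundle a client reads.

# Print each certificate in PEM file $1 as a single line of base64.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (in_cert) print body; in_cert = 0; next }
        in_cert { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Return 0 if every certificate in anchor file $1 is in bundle $2,
# 1 if at least one is missing, 2 if a file is unreadable or holds no cert.
anchor_in_bundle() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    anchor_certs=$(pem_bodies "$1")
    [ -n "$anchor_certs" ] || return 2
    bundle_certs=$(pem_bodies "$2")
    for body in $anchor_certs; do
        printf '%s\n' "$bundle_certs" | grep -qxF -- "$body" || return 1
    done
    return 0
}

# Constructed sample data (not real certificates), so this runs offline.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQUFB' 'QkJCQkJC' \
        '-----END CERTIFICATE-----' > "$dir/inspection-ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0NDQ0ND' \
        '-----END CERTIFICATE-----' > "$dir/bundle-stale.pem"
    cat "$dir/bundle-stale.pem" "$dir/inspection-ca.crt" > "$dir/bundle-fresh.pem"
    for b in bundle-stale.pem bundle-fresh.pem; do
        if anchor_in_bundle "$dir/inspection-ca.crt" "$dir/$b"; then
            echo "$b: inspection CA present"
        else
            echo "$b: inspection CA missing (bundle not regenerated?)"
        fi
    done
    rm -rf "$dir"
}
demo
```

On RHEL-family systems the consolidated bundle is regenerated from the anchors directory by `update-ca-trust extract`, and /etc/pki/tls/certs/ca-bundle.crt is the usual file to pass as the second argument.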
