SSL Inspection causing issues

Hi all,

We’re having issues with connectivity on FreePBX as a result of our firewall doing SSL inspection. I have the certificate installed into /etc/pki/ca-trust/source/anchors/ but curl is ignoring it and as a result nothing within FreePBX is connecting.

I can get around it by setting curl to NOVERIFY within the freepbx curl function, but then FreePBX complains that it’s been updated and is a potential security issue (which of course it is).

Is there any other way of resolving this problem?


Can your firewall be configured to not do the SSL inspection for the FreePBX box?

It can, but for security reasons we don’t (we need high security for the business type)

which traffic is it curl from dialplan or whats the usage?

It’s curl that’s the issue, so updates fail as it’s ignoring the ca-trust certificate. Everything that’s done via SSH on the server works (so the certificate itself isn’t the issue - it’s that curl is ignoring it)

in curl you can specify the certificate usage, ie ```
curl --cacert my-ca.crt https://[my domain or IP address]

I know about that - unfortunately it doesn’t help the curl operations being performed by FreePBX itself - they error out.

you might want to look at the curlopts. It seem that they can turn off the validation check on the cert. I don’t see a specify cert option however.

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.