NetworkPro
Forum Guru
Topic Author
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

HotSpot redirects https and the browser shows an SSL error

Wed Mar 30, 2011 12:18 pm

v5.0 28th March, x86

HotSpot

When a user opens an https page first (from a bookmark or from history, for example),

RouterOS redirects that and the browser displays an SSL error to the user.

Any ideas, thoughts, solutions (workarounds), or should the redirection be somehow changed in RouterOS HotSpot?

Thank you.
 
rainmaker
Frequent Visitor
Posts: 65
Joined: Fri Jan 30, 2009 9:32 pm

Re: HotSpot redirects https and the browser shows an SSL err

Thu Mar 31, 2011 7:42 pm

I can confirm that from 3.X to 5.X
you can't get the hotspot login page if the server has an https-enabled login page and the client has a proxy configured in the browser.
It shows an SSL error.
But it works fine in 2.9.X.
Thanks
 
NetworkPro
Forum Guru
Topic Author
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: HotSpot redirects https and the browser shows an SSL err

Fri Apr 01, 2011 6:43 pm

Maybe the SSL error is displayed because the browser is expecting SSL connection and what is given to it is a non-SSL plain-text connection, probably with the login page.

I wonder if my NAT rules have anything to do with this particular issue. I may check when I have the time.
 
webasdf
Frequent Visitor
Posts: 87
Joined: Mon Jan 26, 2009 6:37 pm

Re: HotSpot redirects https and the browser shows an SSL err

Wed Feb 13, 2013 6:50 pm

I know this topic has been on here for a while. I am running into the same issue with https redirect on hotspot. So, I did some research this morning.

I generated my own cert and installed it on the hotspot. It DID detect and redirect the un-authenticated hotspot user. HOWEVER, most browsers still displayed the warning that the domain name was incorrect (in addition to my self-signed cert warning). After all, how can I generate a cert for *? It's just impossible. The latest browsers are a lot more intelligent about accepting certs. Also, there are more sites requiring https (google and facebook for sure). I highly doubt there is any easy solution to this.

I believe this is more of a browser/popular site thing than a mikrotik thing.
 
NetworkPro
Forum Guru
Topic Author
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: HotSpot redirects https and the browser shows an SSL err

Wed Feb 13, 2013 7:28 pm

Yes.

I wonder if a redirection technique exists that would not break https, and if it is accepted as standard in the browsers.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: HotSpot redirects https and the browser shows an SSL err

Fri Feb 15, 2013 2:58 pm

AFAIR, Squid can generate HTTPS certs 'on the fly' for necessary domains
 
NetworkPro
Forum Guru
Topic Author
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: HotSpot redirects https and the browser shows an SSL err

Fri Feb 15, 2013 3:48 pm

Ah so MikroTik should have done the same/similar ? :)
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: HotSpot redirects https and the browser shows an SSL err

Fri Feb 15, 2013 4:04 pm

it would be nice =)
 
kuntash
just joined
Posts: 4
Joined: Thu Mar 28, 2013 1:56 pm

Re: HotSpot redirects https and the browser shows an SSL err

Thu Mar 28, 2013 2:13 pm

Hello Chupaka,

Please, I need your assistance. I just bought a MikroTik router 951-2n and I have been battling with it to set up the hotspot.

I have updated to the latest software.

I have read some steps in the hotspot setup guide, but it keeps giving me Error 404: Not Found

Please help!!
 
Etza
newbie
Posts: 46
Joined: Tue May 31, 2011 10:33 pm

Re: HotSpot redirects https and the browser shows an SSL err

Wed Jun 04, 2014 8:34 pm

Hi friends,
I have a 2011 with v6.13 and https pages are not redirected to the login page.
Formerly I had installed the same router with the SSL alert, but now there is no redirect.
Can anyone help? Never mind the SSL alert.

Many thanks
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: HotSpot redirects https and the browser shows an SSL err

Thu Jun 05, 2014 2:49 am

Before posting, do a search for fresh results, not ones from 2013:

http://forum.mikrotik.com/viewtopic.php ... 83#p409062
 
salvatron
just joined
Posts: 7
Joined: Mon Aug 11, 2014 1:32 pm

Re: HotSpot redirects https and the browser shows an SSL err

Fri Nov 21, 2014 11:13 am

There is no solution.

The only solution would be to install a ssl certificate for hotspot IP, not for DNS.

The problem is that it is not possible to buy a certificate for local IP.

You can create a certificate for your hotspot IP with Linux or MikroTik commands, but it is not a trusted certificate and a warning message appears.
 
hsystem
just joined
Posts: 1
Joined: Wed Jul 24, 2013 4:29 pm

Re: HotSpot redirects https and the browser shows an SSL error

Fri Feb 27, 2015 9:42 pm

Hello.

I got it to work with a GlobeSSL certificate, generated by the CRS / MK certificate, and associated it with a valid domain of the type www.internet.dominio.com. I created an alias in the valid domain pointing to the IP of my hotspot interface on the MikroTik and imported the certificates into the MikroTik; everything went fine. Then I activated https in the hotspot and activated the www-ssl service linked to the certificate. OK.

When I connect, the hotspot authentication screen appears in secure mode with the lock and authenticates normally without any certificate error message, because it is a valid certificate. The problem is that if I try to access the site https://www.facebook.com, it does not authenticate and I get an error saying that someone is trying to access the site with an invalid certificate.

Has anyone managed to work with https SSL certificate? what can I be doing wrong?

I appreciate if someone can help.
 
Buster2
newbie
Posts: 46
Joined: Sun Jan 06, 2013 9:04 pm

Re: HotSpot redirects https and the browser shows an SSL error

Mon Mar 02, 2015 6:41 pm

It can't be done by design. The certificate system is designed to not allow intercepting traffic that is planned to go to facebook.com without notice.

The only way to intercept that traffic without a browser warning would be to create a new certificate for facebook.com. This new certificate needs to be signed by a Certificate Authority installed in the user's browser. So using your own CA won't help either, because the user doesn't have your CA's certificate in his browser/computer. Then you need to place the new facebook.com certificate in your hotspot and repeat these steps for every domain on the web!
And even then some browsers might warn the user because of certificate pinning. You would need to do a man-in-the-middle attack on your users and that is exactly what the certificate system tries to prevent.

All commercial systems I have seen that claim to intercept any SSL/TLS encrypted traffic work with a company-owned CA where the company administrator can install the CA's certificate in the trust store of every company computer. That is nothing any ISP can do for its users. And I would be the first guy to terminate my agreement when I catch my provider doing a MITM attack on https sites.

My advice: just block https for unauthenticated users. Use tcp reset so users will get a fast response from browsers. Then users will try another (http) site and see your hotspot pages.
People don't complain about their mail/rss/... client not functioning until they open a http site to login, so why should it be a problem with https sites?
 
bajodel
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: HotSpot redirects https and the browser shows an SSL error

Sat Mar 07, 2015 12:45 pm

> .. (CUT)..
> People don't complain about their mail/rss/... client not functioning until they open a http site to login, so why should it be a problem with https sites?
I completely agree with you on the technical stuff, the only problem is "users" ..sometimes they don't even know an address bar exists in the browser. So, even with detailed instructions (e.g. visit the URL ..), they are just able to plop something on google search. Default initial page Google.. Google requires https .. damage is done.
 
gvango
just joined
Posts: 17
Joined: Fri Mar 16, 2012 11:21 pm

Re: HotSpot redirects https and the browser shows an SSL error

Fri Mar 20, 2015 1:37 pm

> > .. (CUT)..
> > People don't complain about their mail/rss/... client not functioning until they open a http site to login, so why should it be a problem with https sites?
> I completely agree with you on the technical stuff, the only problem is "users" ..sometimes they don't even know an address bar exists in the browser. So, even with detailed instructions (e.g. visit the URL ..), they are just able to plop something on google search. Default initial page Google.. Google requires https .. damage is done.
Hello, have you resolved this problem? I am trying to find a solution, but nothing so far. You are absolutely right. It might sound funny but most users really don't know what an address bar is! I would appreciate it if you let me know if you find a solution and I will do the same too!
 
rcrowe
just joined
Posts: 7
Joined: Fri Sep 30, 2011 1:11 am

Re: HotSpot redirects https and the browser shows an SSL error

Thu Jul 09, 2015 9:12 pm

> My advice: just block https for unauthenticated users. Use tcp reset so users will get a fast response from browsers. Then users will try another (http) site and see your hotspot pages.
How do I do that? I'm especially interested in how I configure it to use a TCP reset.
Has anyone looked at the HTTP headers that are sent to the client on the first response to an HTTPS request? I'm just wondering what it has for the HOST parameter. If it says google.com for example, and passes a certificate for a different domain, then the warning would make sense. If it says mydomain.com for example, and passes a certificate for mydomain.com, then there might be some hope that the browser would be happy with it. Also, is it a 200? Or a 301?
 
Buster2
newbie
Posts: 46
Joined: Sun Jan 06, 2013 9:04 pm

Re: HotSpot redirects https and the browser shows an SSL error

Fri Jul 10, 2015 1:17 pm

> How do I do that? I'm especially interested in how I configure it to use a TCP reset.
In firewall rules use action "reject" instead of "drop". "Drop" means silently discard the packet without sending any notice to the request's origin. "Reject" means actively telling the source that this packet is not allowed.
> Has anyone looked at the HTTP headers that are sent to the client on the first response to an HTTPS request?
That is too late in the process. At this point (sending a response) the browser has already compared the certificate's name with the domain the user entered into the address bar in his browser, because the browser also has to make sure it sends to the correct server.
> I'm just wondering what it has for the HOST parameter. If it says google.com for example, and passes a certificate for a different domain, then the warning would make sense. If it says mydomain.com for example, and passes a certificate for mydomain.com, then there might be some hope that the browser would be happy with it. Also, is it a 200? Or a 301?
Most hotspot systems do not use HTTP redirects but use their firewall capabilities to reject/drop all IP packets, and IP packets to TCP port 80 get redirected by the firewall to some internal server. At this point the requested domain is already saved for DNS name comparison in the browser and will be compared with the certificate's name of the internal HTTP server. The hotspot system might know the requested DNS name (if it monitors DNS requests), but as I wrote on March 2nd, then the hotspot would need to generate certificates for every possible (requested) domain on-the-fly and get them signed by a Certificate Authority (CA) that is in the user's computer trust store. It can't be done without the power to manipulate the user's computer.
 
rcrowe
just joined
Posts: 7
Joined: Fri Sep 30, 2011 1:11 am

Re: HotSpot redirects https and the browser shows an SSL error

Fri Jul 10, 2015 7:20 pm

> > How do I do that? I'm especially interested in how I configure it to use a TCP reset.
> In firewall rules use action "reject" instead of "drop". "Drop" means silently discard the packet without sending any notice to the request's origin. "Reject" means actively telling the source that this packet is not allowed.
Thanks, that makes sense.
> > Has anyone looked at the HTTP headers that are sent to the client on the first response to an HTTPS request?
> That is too late in the process. At this point (sending a response) the browser has already compared the certificate's name with the domain the user entered into the address bar in his browser, because the browser also has to make sure it sends to the correct server.
Here's a thought - how about doing self-signed wildcard certificates for all of the *.TLD? Can you even do a certificate for say *.com, or do they need to have a domain name?

Or, what happens if the browser makes an HTTP request and the server responds on 443 but has no certificate? It will fail, but what does the failure look like to a user? Is it any more friendly than sending the wrong certificate?
 
Buster2
newbie
Posts: 46
Joined: Sun Jan 06, 2013 9:04 pm

Re: HotSpot redirects https and the browser shows an SSL error

Mon Jul 13, 2015 1:18 am

self-signed certificate -> browser warning
server without certificate is http, not https -> browser connect error because TLS expected - in most browsers this looks more like server unreachable.

Imho, any browser warning instead of showing the original page won't help you. It doesn't matter what the exact wording is then.
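
The name check that the posts above keep running into, as an added Python sketch that is not part of the thread or of RouterOS: it models how a client compares the host the user asked for with the names in the certificate it is handed. The wildcard rule is simplified (an assumption noted in the code) and all host names are constructed.

```python
# Added illustration: simplified model of the browser's certificate name check.
# Host names and SAN lists below are constructed sample values.

def san_matches(pattern: str, host: str) -> bool:
    """True if one dNSName entry from a certificate covers `host`."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    # The wildcard must be the entire left-most label, and appear only there.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    # Assumption/simplification: demand two fixed labels after "*". Real
    # browsers consult the Public Suffix List, which also refuses "*.co.uk".
    if len(p) < 3:
        return False
    # "*" stands for exactly one label.
    return len(p) == len(h) and p[1:] == h[1:]


def browser_problems(requested_host: str, cert_sans: list[str],
                     issuer_trusted: bool) -> list[str]:
    """Problems a client reports for the certificate it was handed.

    requested_host is what the user typed or bookmarked; it is fixed before
    the TLS handshake, so nothing the hotspot sends later can change it.
    """
    problems = []
    if not issuer_trusted:
        problems.append("untrusted issuer")
    if not any(san_matches(s, requested_host) for s in cert_sans):
        problems.append("name mismatch")
    return problems


if __name__ == "__main__":
    hotspot = "hotspot.example.net"  # constructed hotspot login name
    cases = [
        ("login page, CA-issued cert", hotspot, [hotspot], True),
        ("intercepted site, CA-issued cert", "www.facebook.com", [hotspot], True),
        ("intercepted site, self-signed '*'", "www.facebook.com", ["*"], False),
        ("intercepted site, self-signed '*.com'", "facebook.com", ["*.com"], False),
    ]
    for label, host, sans, trusted in cases:
        print(f"{label:40} -> {browser_problems(host, sans, trusted) or 'ok'}")
```

Only the first case comes back clean: a CA-issued certificate fixes the login page itself, but any https site opened before login still fails the name comparison.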
 
argoflo
just joined
Posts: 1
Joined: Tue Jun 28, 2016 9:48 pm

Re: HotSpot redirects https and the browser shows an SSL error

Tue Jun 28, 2016 9:51 pm

> My advice: just block https for unauthenticated users.
How can I do this???
