[squid-users] HTTPS/SSL CONNECT Problem

From: Sebastian Spitzner <[email protected]>
Date: Wed, 21 Aug 2002 16:13:39 -0500

Hi people
 
Clients on my network cannot access HTTPS/SSL sites at all via squid. An example site is http://www.absadirect.co.za. This site contains 3 frames, the middle one goes over HTTPS. IE 6.0/Windows clients return an "The page cannot be displayed" error, and Mozilla 1.0/Linux clients just hang and time out.

I solved the problem for Mozilla 1.0/Linux clients by turning off HTTP/1.1 support in the browser. By default, Mozilla 1.0 makes HTTP/1.1 requests to HTTPS sites. Such a connection appears like this in access.log:

"...cut... CONNECT ww2.absadirect.co.za:443 HTTP/1.1" 200 95 TCP_MISS:DIRECT"

After turning off HTTP/1.1, Mozilla 1.0 uses HTTP/1.0, and successfully retrieves the page via Squid. The relevant log in access.log looks like this:

"...cut... CONNECT ww2.absadirect.co.za:443 HTTP/1.0" 200 95 TCP_MISS:DIRECT"

This is bothersome, because now i have to change many Mozilla clients, and i lose the features of HTTP/1.1 completely.

Now, IE 6.0 has two interesting settings: whether to "Use HTTP 1.1" and whether to "Use HTTP/1.1 through proxy connections" specifically. I wish Mozilla had ability too, to be able to configure requests with and without a proxy for HTTP/1.0 and HTTP/1.1 separately.

Now the crunch of the matter is that for SSL connections, IE 6.0 forces HTTP/1.0 regardless of what is set in the browser. All combinations of the previously-mentioned IE 6.0 settings yield these results in access.log:

"...cut... CONNECT ww2.absadirect.co.za:443 HTTP/1.0" 200 95 TCP_MISS:DIRECT"

The IE 6.0 settings mentioned only affect GET (and possibly other) requests; not CONNECT requests.

So, why does IE 6.0 not work, if it by default behaves just like Mozilla 1.0 using HTTP/1.0?

How can i get IE and Mozilla to work? I have tried all combinations of turning on/off SSL 2.0, SSL 3.0 and TLS 1.0 support in IE, still to no avail.

I am using SuSE Linux 8.0 with Squid 2.4.STABLE3, but i have tried Red Hat Linux 7.2 with Squid 2.4.STABLE1 too, with no better results. Bugfix announcements for newer Squid builds to not indicate that this problem is fixed in newer releases.

Clients are configured manually to use the proxy; i am not using the proxy transparently.

I'm very certain that this is not and ACL misconfiguration; i have tried several SSL-related combinations and also removed all ACLs to give full access to clients.

I have been working at this problem for 2 weeks without luck. There have been a couple of posts about the same symptoms as my problem, but without any solution that works for me. Any help would be much appreciated.

If you need any more detail, let me know and please relpy to my e-mail address as well as to the list.

Thanks

Sebastian Spitzner

-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup

Received on Wed Aug 21 2002 - 15:13:50 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:46 MST