RE: [squid-users] https problem with squid 2.5.STABLE6

From: Brad Larden <[email protected]>
Date: Wed, 10 Nov 2004 07:35:50 +1100

-----Original Message-----
From: Tim Neto [mailto:tneto@komatsu.ca]
Sent: Wednesday, 10 November 2004 3:02 AM
To: Henrik Nordstrom
Cc: Brad Larden; Elsen Marc; squid-users@squid-cache.org
Subject: Re: [squid-users] https problem with squid 2.5.STABLE6

This issue has been discussed many times in the Squid mailing list. The
problem is not with Squid, but with IE's use of a broken WININET.DLL
library. The library first sends a HTTPS request, then switches to
HTTP. Many secure web sites require a continued stream of HTTPS. The
WININET.DLL of Windows 2003 Enterprise Edition is not broken, but
Windows 2000, and Windows XP (non-SP2) is not. I have yet to confirm
whether Windows XP SP2 is broken or not.

Note, any other Microsoft based application (Visual Studio type of
application) that uses the broken WININET.DLL will have the same problem.

If the HTTPS site being access is required for by your organization,
allow the site direct access through your Squid with appropriate ACL and
Access rules. This diminishes the problem.

Tim

-----------------------------------------------------------
Timothy E. Neto
 Computer Systems Engineer Komatsu Canada Limited
 Ph#: 905-625-6292 x265 1725B Sismet Road
 Fax: 905-625-6348 Mississauga, Canada
 E-Mail: tneto@komatsu.ca L4W 1P9
-----------------------------------------------------------

G'Day Tim,

I understand what you're saying but my problem only occurred some time yesterday on 2 proxy servers in the same location. Using alternate proxy servers with the same client machines works correctly. So, as far as I can tell, this does not point to an issue with the broken Microsoft browser, rather, it points to something broken on these two proxy servers.

Even after grabbing the latest 2.5.STABLE release and compiling fresh it still does not work, so it appears to me that the problem is perhaps not squid per-se but an associated library or some hack has been applied to my servers which only affects https requests.

Regards,
Brad.

Henrik Nordstrom wrote:

> On Tue, 9 Nov 2004, Brad Larden wrote:
>
>> I understand what you're saying but I can 'see' the request hit the
>> proxy server from the client.
>
>
> In your trace I can only see a new TCP connection, but no request sent
> by the browser on this connection.
>
> Regards
> Henrik
>
Received on Tue Nov 09 2004 - 13:35:56 MST

This archive was generated by hypermail pre-2.1.9 : Wed Dec 01 2004 - 12:00:01 MST