Re: handling 1xx responses

From: Robert Collins <robertc@dont-contact.us>
Date: 04 Sep 2002 22:57:11 +1000

On Wed, 2002-09-04 at 22:38, Henrik Nordstrom wrote:
> Robert Collins wrote:
>
> > Which is no different to today.

I wasn't clear. I meant that whether squid implements Upgrade: TLS/1.0
or not, the MITM window is the same.
 
> The most similar option in RFC2817 (but not equivalent) is mandatory use of
> TLS, i.e. the use of a no-op request to negotiate the use of TLS before
> proceeding

NOTE: this only applies to one hop, it's still very different to port
443 SSL/TLS.

> The RFC is pretty clear from what I can tell.
>
> Upgrade: TLS/1.0
>
> is hop-by-hop, negotiating TLS for this hop, not end-to-end.

Yes.
 
> As the application of TLS is almost end-to-end the CONNECT method is needed
> when using proxies.

The CONNECT method is needed if the proxy does not support TLS itself,
or if the client does not trust the proxy.
 
> How do you know that the information you have entered in a form will be sent
> TLS encrypted to the server?

Good point.
 
> > IFF the intermediate proxies don't support the Upgrade: TLS/1.0 token.
> > But yes, I agree wholeheartedly that this will slow adoption.
>
> From what I understand you cannot request a tunnel by sending Upgrade: TLS/1.0
> to a proxy. This will make the protocol between the client and the proxy
> TLS/1.0, but says nothing about the protocol between the proxy and the next
> hop.

That is my understanding as well.
 
> If the proxy chooses to implement this by switching to tunnel mode then it is
> the choice of the proxy, not an aspect of the protocol. (proxies are always
> allowed to switch to tunnel mode when seeing protocol features they cannot
> handle, or pretty much any other reason)

Sure.
 
> The only exception in terms of Squid is when Squid is used as a transparent
> proxy. It should then detect the presence of Upgrade: TLS/1.0 in the request
> and switch to tunnel mode (and use CONNECT to any peer proxies when
> forwarding, internally swallowing the 200 reply).

I think that squid should do this regardless. I.e. treat transparent and
non-transparent the same for Upgrade: TLS/1.0

Rob

Received on Wed Sep 04 2002 - 06:57:01 MDT
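The proxy-side decision the thread is circling (Upgrade: TLS/1.0 is hop-by-hop, so a proxy that will not terminate TLS itself switches to tunnel mode, sends CONNECT to its peer and swallows the peer's 200 before relaying) can be sketched in a few functions. The following is an added illustration written for this archive page, not Squid code and not from either poster; the request bytes, the `plan_tunnel` and `swallow_connect_reply` names and the plain-HTTP peer proxy are all constructed assumptions.

```python
"""Constructed sketch of RFC 2817 'Upgrade: TLS/1.0' handling at a proxy hop.

Not Squid code. It (1) decides whether a request asks *this hop* to upgrade,
(2) builds the CONNECT a proxy would send to a peer proxy when it chooses
tunnel mode instead, and (3) strips the peer's CONNECT reply so it is never
relayed to the client as if it were the origin's data.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_headers(raw: bytes) -> tuple[str, dict[str, list[str]]]:
    """Split a message head into its start line and a lower-cased header map.

    Repeated headers are kept in order: Connection and Upgrade may appear
    more than once and both carry comma-separated token lists.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def _tokens(values: list[str]) -> list[str]:
    """Flatten 'a, b' style header values into lower-cased tokens."""
    return [t.strip().lower() for v in values for t in v.split(",") if t.strip()]


def requests_tls_upgrade(raw_request: bytes) -> bool:
    """True when the client asks this hop to switch to TLS (RFC 2817 section 3).

    Both an 'Upgrade: TLS/1.0' token and 'Connection: Upgrade' are required:
    Upgrade is hop-by-hop, and a hop must not act on it unless it is listed
    in Connection.
    """
    _, headers = parse_headers(raw_request)
    upgrade = _tokens(headers.get("upgrade", []))
    connection = _tokens(headers.get("connection", []))
    return "tls/1.0" in upgrade and "upgrade" in connection


@dataclass
class TunnelPlan:
    """What the proxy does once it decides to tunnel rather than upgrade itself."""
    authority: str          # host:port the CONNECT targets
    connect_request: bytes  # bytes sent to the peer proxy


def plan_tunnel(raw_request: bytes, default_port: int = 80) -> TunnelPlan | None:
    """Derive the CONNECT a proxy would send to a peer for an upgrade request.

    Returns None when no upgrade is requested. The target comes from the
    absolute URI (explicit proxy) or the Host header (transparent case).
    Port 80 is the default because the upgrade runs on the plain-HTTP
    connection, not on the separate port-443 service. IPv6 literals in
    Host are not handled in this sketch.
    """
    if not requests_tls_upgrade(raw_request):
        return None
    start, headers = parse_headers(raw_request)
    _, target, _ = start.split(" ", 2)
    if target.startswith("http://"):
        authority = target[len("http://"):].split("/", 1)[0]
    else:
        authority = headers.get("host", [""])[0]
    if ":" not in authority:
        authority = f"{authority}:{default_port}"
    connect_request = (
        f"CONNECT {authority} HTTP/1.1\r\n"
        f"Host: {authority}\r\n"
        "\r\n"
    ).encode("iso-8859-1")
    return TunnelPlan(authority, connect_request)


def swallow_connect_reply(peer_bytes: bytes) -> bytes | None:
    """Strip the peer's CONNECT reply and return whatever follows it.

    Any 2xx means the tunnel is open (RFC 2817 section 5.3). A non-2xx or an
    incomplete head yields None so the caller does not relay an error page
    to the client inside what it believes is the origin's byte stream.
    """
    idx = peer_bytes.find(b"\r\n\r\n")
    if idx < 0:
        return None
    status, _ = parse_headers(peer_bytes[:idx + 4])
    parts = status.split(" ", 2)
    if len(parts) < 2 or not parts[1].startswith("2"):
        return None
    return peer_bytes[idx + 4:]


# Constructed sample request, as a transparent proxy would see it.
SAMPLE_REQUEST = (
    b"GET /form HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Upgrade: TLS/1.0\r\n"
    b"Connection: Upgrade\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    plan = plan_tunnel(SAMPLE_REQUEST)
    print(plan.connect_request.decode("iso-8859-1"))
    # Constructed peer reply: a 200 followed by the first relayed bytes.
    print(swallow_connect_reply(b"HTTP/1.1 200 Connection established\r\n\r\n\x16\x03"))
```

After `swallow_connect_reply` returns, the proxy relays the client's original request (Upgrade header and all) into the tunnel and passes the origin's 101 and the TLS bytes back untouched; the 200 from the peer is the only message it consumes itself, which is the behaviour Henrik describes for the transparent case.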
