Re: [PATCH] Support bump-ssl-server-first and mimic SSL server certificates from Alex Rousskov on 2012-07-12 (squid-dev)

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Thu, 12 Jul 2012 09:27:25 -0600

On 07/11/2012 09:33 AM, Alex Rousskov wrote:
> On 07/11/2012 06:38 AM, Amos Jeffries wrote:
>
>> * why is is FATAL: error to have old ssl_bump allow/deny values in the
>> config?
>> can we auto-convert the "allow" to client-first and deny to bump-none
>> with very loud ERROR: messages instead? we can calculate what the
>> implicit negate would have been and add it explicitly with another loud
>> warning.
>
> I have struggled with this decision. Yes, we could auto-convert old
> configs (using client-first for the implicit allow rule, if any), but
> then some folks will start using a mixture of old and new keywords or
> would expect a simple 's/allow/server-first/;s/deny/none/' to work. I
> think it is safer to force a manual intervention here, especially since
> SslBump config should not be taken lightly, and client-first is really
> not the best default.
>
> If the above arguments did not convince you, or others insist on
> auto-conversion, we will add it. We would still reject a mixture of old
> and new keywords though.
>
> Do you still think auto-conversion is the best approach here?
>
>
>> * Why are error pages delayed until after bumping?
>
> Because many browsers do not display error responses to CONNECT requests
> (browser developers do not want to implement a special "proxy" context
> that securely handling such responses requires).
>
>
>> have you investigated
>> how this interacts with deny_info redirection to 4xx and 5xx pages?
>> (particularly 403 and 511 "web login required" splash pages)
>
> I do not think we have, but perhaps those who requested this feature
> have. I will ask around, and we will "investigate" if nobody did.

Confirmed: Chromium will not follow a redirect sent in response to
CONNECT. Delayed redirect is followed. Same with 403 responses: They are
not displayed by Chromium unless delayed. In other words, deny_info does
not work with CONNECT requests unless you bump the connection (using
SslBump) and delay the error (using the proposed patch), working around
browser's distrust of CONNECT response content.

HTH,

Alex.
Received on Thu Jul 12 2012 - 15:27:39 MDT

This archive was generated by hypermail 2.2.0 : Thu Jul 12 2012 - 12:00:03 MDT