Re: Unable to proxy SSL with -DAUTH enabled

From: Oskar Pearson <>
Date: Mon, 15 Sep 1997 16:33:34 +0200


> I'm having problems with https requests when more than one proxy level is
> used. Our proxy with direct Internet access has authentication enabled.
> I used the ssl_proxy option (thanks Ian) with the two second-level proxies
> but people trying to make an ssl connection receive an "authentification
> failed" message. Normal connections authenticate fine.
> Can anybody help?

I am forwarding a message we got today that MAY help. If the
attachment doesn't work, give me a shout and I will uudecode it on
our side. You may have to do a similar thing to the ssl.c file...

From: Rolf Poser <>
> The easiest way I can see to get around the problem is not to use
> the proxy with https requests... if you set the 'security proxy'
> option to point directly to the firewall, does it work? (sorry to
> mangle things like this :)

Thanks for your reply. I ought to have sent this out earlier, but I
actually went to the trouble of running dumps for the connections
between the browser and the cache, the cache and the firewall, and
the browser and the firewall.

The traces showed indeed that the cache does not forward the
"Proxy-Auth.." header, but the firewall will send a 407 back to the
cache which gets sent back to the browser. This has the effect that
you retry the authentication ad infinitum with the correct user
and passwd combinations.

Anyway - after all of this, last Sunday evening I delved into the
source code. The fix is actually very simple, since the main client
handling routine passes on all headers to the ssl routines.

Please see the diff below (in the attachment, because this email
client likes to parse things in a very odd fashion). There are
probably more effective ways of coding this, but this one will work.
Of course you guys are free to include this in future releases of
squid (which will save me time to patch it myself every time ;-) ).

Kind Regards,



   ---- File information -----------
     File: ssldiff
     Date: 8 Sep 1997, 1:29
     Size: 662 bytes.
     Type: Text


Received on Mon Sep 15 1997 - 07:42:43 MDT
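
The attachment did not survive in this archive. As an added illustration of the behaviour described in the forwarded message (not the patch from the attachment and not Squid's own code), the C sketch below builds the CONNECT request a child cache sends to its parent, with and without copying the Proxy-Authorization header through. The function name, its parameters and the sample request are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: browser CONNECT with placeholder Basic credentials. */
static const char SAMPLE_REQ[] =
    "CONNECT www.example.com:443 HTTP/1.0\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "Proxy-Authorization: Basic dXNlcjpwYXNzd2Q=\r\n"
    "\r\n";

/* Hypothetical helper: build the request for the parent proxy.
 * forward_auth=0 sends only the request line (what the traces showed, so the
 * parent answers 407); forward_auth=1 also copies Proxy-Authorization.
 * Only enable it toward a parent that is meant to see the credentials.
 * Returns 1 if credentials were forwarded, 0 if not, -1 if malformed/too big. */
int build_upstream_connect(const char *client_req, int forward_auth,
                           char *out, size_t outlen)
{
    static const char hdr[] = "Proxy-Authorization:";
    const char *line = client_req, *eol;
    size_t used = 0;
    int first = 1, forwarded = 0;

    while ((eol = strstr(line, "\r\n")) != NULL && eol != line) {
        size_t len = (size_t)(eol - line) + 2;          /* keep the CRLF */
        int keep = first || (forward_auth &&
                   strncasecmp(line, hdr, sizeof hdr - 1) == 0);
        if (keep) {
            if (used + len + 3 > outlen) return -1;     /* final CRLF + NUL */
            memcpy(out + used, line, len);
            used += len;
            if (!first) forwarded = 1;
        }
        first = 0;
        line = eol + 2;
    }
    if (first || eol == NULL) return -1;  /* no request line / no blank line */
    memcpy(out + used, "\r\n", 3);        /* terminating blank line and NUL */
    return forwarded;
}

int main(void)
{
    char buf[256];
    for (int fwd = 0; fwd <= 1; fwd++)
        if (build_upstream_connect(SAMPLE_REQ, fwd, buf, sizeof buf) >= 0)
            printf("forward_auth=%d ->\n%s", fwd, buf);
    return 0;
}
```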
