Re: Unable to proxy SSL with -DAUTH enabled

From: Oskar Pearson <oskar@dont-contact.us>
Date: Mon, 15 Sep 1997 16:33:34 +0200

Hi

> I'm having problems with https requests when more than one proxy level is
> used. Our proxy with direct Internet access has authentication enabled.
> I used the ssl_proxy option (thanks Ian) with the two second-level proxies
> but people trying to make an SSL connection receive an "authentication
> failed" message. Normal connections authenticate fine.
>
> Can anybody help?

I am forwarding a message we got today that MAY help. If the
attachment doesn't work, give me a shout and I will uudecode it on
our side. You may have to do a similar thing to the ssl.c file...

From: Rolf Poser <Rolf.Poser@sasol.com>
> The easiest way I can see to get around the problem is not to use
> the proxy with https requests... if you set the 'security proxy'
> option to point directly to the firewall, does it work? (sorry to
> mangle things like this :)

Thanks for your reply. I ought to have sent this out earlier, but I
actually went to the trouble of running dumps for the connections
between the browser and the cache, the cache and the firewall, and
the browser and the firewall.

The traces indeed showed that the cache does not forward the
"Proxy-Auth.." header, but the firewall will send a 407 back to the
cache which gets sent back to the browser. This has the effect that
you retry the authentication ad infinitum with the correct user
and passwd combinations.

Anyway - after all of this, last Sunday evening I delved into the
source code. The fix is actually very simple, since the main client
handling routine passes on all headers to the ssl routines.

Please see the diff below (in the attachment, because this email
client likes to parse things in a very odd fashion). There are
probably more effective ways of coding this, but this one will work.
Of course you guys are free to include this in future releases of
squid (which will save me the time of patching it myself every time ;-) ).

Kind Regards,
Rolf.

   ---- File information -----------
     File: ssldiff
     Date: 8 Sep 1997, 1:29
     Size: 662 bytes.
     Type: Text
diff -r squid-1.NOVM.15/src/ssl.c squid-1.NOVM.15-SSLFW/src/ssl.c
470a471,473
> /* temp string variable for authentication info */
> char *s = NULL;
> 
473c476,485
< sprintf(sslState->client.buf, "CONNECT %s HTTP/1.0\r\n\r\n", sslState->url);
---
> 
>  /* Code added by RHWP to allow for SSL through Gauntlet firewall.
>     7 Sept 1997 - Praise God ! */
> 
> if (s = mime_get_header(sslState->mime_hdr, "Proxy-authorization:")) {
>  sprintf(sslState->client.buf, "CONNECT %s HTTP/1.0 \r\nProxy-authorization: %s\r\n\r\n", sslState->url,s);
> } else {
>  sprintf(sslState->client.buf, "CONNECT %s HTTP/1.0\r\n\r\n", sslState->url);
> }
> 
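Review bot: the declaration added at 470a471,473 gives the pointer the nondescript name `s` and a comment ("temp string variable for authentication info") that does not say which header it carries; its only use is to hold the client's Proxy-authorization value for the CONNECT request, so a name such as `proxy_auth` and a comment naming that header would let the second hunk read on its own.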
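Review bot: in the 473c476,485 hunk the `sprintf` in the `if` branch copies the client-supplied Proxy-authorization value (`s`) into `sslState->client.buf` with no check against the buffer's size, so a browser that sends an over-long header overruns the buffer; use `snprintf` with the size of `client.buf` and refuse the request when the result is truncated, because this value is under the client's control. Two smaller points in the same hunk: the request line in that branch is `"CONNECT %s HTTP/1.0 \r\n..."` with a stray space before the CRLF, which the `else` branch does not have and which a strict parent proxy may reject, so make both branches build the same request line; and `if (s = mime_get_header(...))` reads like a mistyped `==`, so write `if ((s = mime_get_header(...)) != NULL)`.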

Received on Mon Sep 15 1997 - 07:42:43 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:05 MST
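As an added example (not Squid's code and not Rolf's patch), here is the same CONNECT-building step written with bounds checking: the client's Proxy-Authorization value is looked up case-insensitively, the upstream request is assembled with snprintf against the buffer size, and the function refuses to produce anything if the request would be truncated or if either input carries a CR/LF that could smuggle extra header lines to the parent proxy. CLIENT_BUF_SIZE, get_header_value (a stand-in for the mime_get_header call the patch uses) and build_connect_request are assumed names for this example, and the client headers in main are constructed.

```c
/*
 * Added example, not Squid's code and not the patch from the message above:
 * a bounds-checked way to build the upstream CONNECT request that the patch
 * builds with sprintf(), forwarding the client's Proxy-Authorization header
 * to the parent only when the client sent one.  The names and the buffer
 * size below are assumptions for this example.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define CLIENT_BUF_SIZE 256   /* assumed size of the per-connection buffer */

/* True if the value could split the request into extra header lines. */
static int has_crlf(const char *s)
{
    return strpbrk(s, "\r\n") != NULL;
}

/* Find a header in a CRLF-separated block, matching the name case-insensitively.
 * Returns a malloc'd copy of the value with surrounding whitespace removed,
 * or NULL when the header is absent.  Simplified stand-in for mime_get_header(). */
char *get_header_value(const char *headers, const char *name)
{
    size_t nlen = strlen(name);
    const char *line = headers;

    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);

        if (llen > nlen && line[nlen] == ':' && strncasecmp(line, name, nlen) == 0) {
            const char *v = line + nlen + 1;
            const char *vend = line + llen;
            while (v < vend && isspace((unsigned char)*v)) v++;
            while (vend > v && isspace((unsigned char)vend[-1])) vend--;
            char *out = malloc((size_t)(vend - v) + 1);
            if (!out) return NULL;
            memcpy(out, v, (size_t)(vend - v));
            out[vend - v] = '\0';
            return out;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return NULL;
}

/* Build "CONNECT url HTTP/1.0\r\n[Proxy-Authorization: value\r\n]\r\n" into buf.
 * Returns the number of bytes written, or -1 when the request would not fit
 * in buflen or an input contains CR/LF.  A -1 means "do not send anything";
 * the cache should answer the client itself rather than forward a cut-off line. */
int build_connect_request(char *buf, size_t buflen, const char *url, const char *proxy_auth)
{
    int n;

    if (has_crlf(url) || (proxy_auth && has_crlf(proxy_auth)))
        return -1;

    if (proxy_auth)
        n = snprintf(buf, buflen,
                     "CONNECT %s HTTP/1.0\r\nProxy-Authorization: %s\r\n\r\n",
                     url, proxy_auth);
    else
        n = snprintf(buf, buflen, "CONNECT %s HTTP/1.0\r\n\r\n", url);

    if (n < 0 || (size_t)n >= buflen)
        return -1;   /* truncated: never send a half-built request upstream */
    return n;
}

int main(void)
{
    /* Constructed client request headers, as the cache would have parsed them. */
    const char *client_hdrs =
        "Host: www.example.com:443\r\n"
        "Proxy-Authorization: Basic dXNlcjpwYXNz\r\n"
        "User-Agent: example\r\n";
    char buf[CLIENT_BUF_SIZE];
    char *auth = get_header_value(client_hdrs, "Proxy-Authorization");
    int n = build_connect_request(buf, sizeof buf, "www.example.com:443", auth);

    if (n > 0)
        fputs(buf, stdout);
    free(auth);
    return n > 0 ? 0 : 1;
}
```

The branch without credentials produces exactly the request line the original sprintf did, so behaviour for clients that send no Proxy-Authorization is unchanged; the branch with credentials differs from the patch only in the bounds check, the CR/LF check, and the absence of the stray space before the CRLF.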