Re: Security warning: Netscape 4.0x https & Squid 1.2beta proxy

From: Jason Haar <Jason.Haar@dont-contact.us>
Date: Fri, 24 Jul 1998 13:09:04 +1200

On Wed, Jul 22, 1998 at 11:20:26PM +0200, Henrik Nordstrom wrote:
> Jason Haar wrote:
> >
> > Can someone explain what's changed in 1.2beta that causes this
> > that 1.1 doesn't do?
>
> The bug is in Netscape, and is only seen on persistent proxy
> connections.

Ah - so it's due to 1.2beta supporting persistent connections whereas 1.1
doesn't.

>
> > I currently have a problem with a CERN proxy acting one way for
> > a particular site, and Squid acting another - I can't understand
> > why any proxy server would be fiddling with the data they receive
> > that could cause variations in responses...
>
> Can't help you there unless you provide some more details.

Several IIS sites running ASP pages are not interacting with Internet
Explorer 4 the same way they do via the CERN proxy server. On some ASP pages
(e.g http://www.dell.com/premier/), when the user submits info via a POST,
no connection is made to Squid, and instead IE reports:

Internet Explorer cannot open the Internet site
http://wwwapp1.us.dell.com/premier/auth.asp

The download file is not available. This could be due to your Security
or Language settings or because the server was unable to retrieve the
requested file.

Looking at Squid logs shows me that the POST doesn't occur - the above error
is an IE popup. These browsers are configured to forward all requests
through proxy (firewall) - so that error should never be seen (i.e. all such
errors should be squid error pages). If the browser is pointed to a CERN
server instead (i.e. just the HTTP proxy setting is changed), then the page
works 100%.

So somehow the information CERN returns to browsers differs from that Squid
returns. I do know that ASP pages make huge use of redirect pages - does
Squid optimize such requests out so that the browser never sees them? I used
telnet and tried to manually type in a transaction - which showed CERN and
Squid were identical - but I couldn't do too good a job at that - with
cookies/etc it all got ugly pretty quickly...

This is a bug with IE4 (Netscape unaffected), however this breaks something
that worked before. This bug has been seen on other asp sites (like
Microsoft.com) too...

This is under Squid-1.1.22 under Solaris 2.6

-- 
Cheers
Jason Haar
Unix/Network Specialist, Trimble NZ
Phone: +64 3 3391 377 Fax: +64 3 3391 417
Received on Thu Jul 23 1998 - 18:10:28 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:41:15 MST