A selection of SSL bugs...

From: <rstagg@dont-contact.us>
Date: Thu, 22 Oct 1998 08:56:57 +0100

Greetings,

A colleague and myself have just spent a very interesting afternoon
attempting to achieve an SSL-kludge in Squid 1.1.22 on HP-UX 10.20. During
the process (which does not yet work) we uncovered a selection of
bugs/weirdness relating to SSL with Squid.

Any advice/patches/info/etc etc greatly appreciated.

We are trying to access https://c123456:98765@www.wibble.com; the embedded
passwords are a client requirement. The passwords/pagename given here,
obviously, are not authentic, but they're close enough for demonstration
purposes. Our SSL proxy, which is not the same machine as our http firewall
proxies, consistently returns an error. We tested directly, from the client
to the SSL server, and it worked fine (i.e. without Squid in the loop).

So we started fiddling. This is what we found.

1) There is a parsing bug when username/password is used for SSL. We sent
the URL "https://c123456:98765@www.wibble.com". Something went wrong in the
parsing of the "local_domain" line, because the logs were showing attempts
to connect to "c123456.ourcompany.co.uk:98". Clearly, this is not what was
required :-)

2) You can't run SSL directly. We tried setting a firewall rule, and a static
route to bypass the SSL proxy. Our squid.conf file contains:
     local_domain ourcompany.co.uk wibble.com
     ssl_proxy firewall.ourcompany.co.uk
If I try to access https://www.wibble.com, it still sends it to
firewall.ourcompany.co.uk, and makes no attempt to go locally. Similarly,
when we tried to kludge this, it became clear that there is no
"cache_domain_host" option for SSL, and all requests have to take the same
route.

3) So we tried another approach. We changed the request to
"http://local.wibble.com". In the redirector, we added code to change this
URL to "https://c123..etc etc" and tried that. It tried to find the page we
were asking for, but as _http_, not https. So we tried rewriting it to an
"ftp://...." string and that worked. Why is https the exception to this
rewriting?

So, currently we are unable to access SSL pages with embedded passwords
using any method at all. Can someone recommend a) a method or b) a fix for
any of the above?

Many thanks

Richard Stagg
Andy Winfer
CSC Computer Sciences
Received on Thu Oct 22 1998 - 02:04:28 MDT
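The parsing failure described in point 1 of the post, shown as an added example (this is not code from the post, nor from Squid). A parser that scans the authority for the first ':' to find the port, before it has removed any "user:password@" prefix, takes "c123456" as the host and the password as the port, which is the shape of the log line quoted above. The second function splits the authority the way RFC 3986 requires (authority ends at the first '/', '?' or '#'; userinfo is everything before the last '@'; the port is what follows the last ':' of the remaining host part) and rejects out-of-range ports; the third shows that the standard library already does this. The sample URLs are constructed for the example and reuse the post's placeholder credentials; the local-domain suffix and the truncation to "98" seen in the post's log are not reproduced here.

```python
from urllib.parse import urlsplit

# Constructed sample inputs (same dummy credentials as the post).
URL_WITH_CREDS = "https://c123456:98765@www.wibble.com"
URL_WITH_PORT = "https://c123456:98765@www.wibble.com:8443/index.html"
URL_AT_IN_PATH = "https://www.wibble.com/redirect?next=user@other.example"

DEFAULT_PORTS = {"https": 443, "http": 80, "ftp": 21}


def naive_host_port(url, default_port=443):
    """Deliberately wrong: reproduces the bug class from point 1.

    The authority is split at the FIRST ':' to find the port, without first
    stripping 'user:password@', so the username becomes the host and the
    password becomes the port. Returns (host, port) as that parser sees them.
    """
    rest = url.split("://", 1)[1]
    authority = rest.split("/", 1)[0]
    if ":" not in authority:
        return authority, default_port
    host, port_text = authority.split(":", 1)
    digits = ""
    for ch in port_text:          # take the leading run of digits as the port
        if not ch.isdigit():
            break
        digits += ch
    return host, (int(digits) if digits else default_port)


def rfc3986_authority(url):
    """Correct split of scheme://[userinfo@]host[:port]/...

    Returns a dict with scheme, username, password, host and port (the
    scheme default when none is given). Raises ValueError on a missing
    scheme or a port outside 1..65535 (the naive parser above happily
    returns 98765 as a port).
    """
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("no scheme in URL")
    # The authority ends at the first path/query/fragment delimiter, so an
    # '@' appearing later (URL_AT_IN_PATH) cannot be mistaken for userinfo.
    end = len(rest)
    for delim in "/?#":
        i = rest.find(delim)
        if i != -1:
            end = min(end, i)
    authority = rest[:end]
    # userinfo is everything before the LAST '@' of the authority.
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        userinfo, hostport = None, authority
    host, colon, port_text = hostport.rpartition(":")
    if colon and port_text.isdigit():
        port = int(port_text)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
    else:
        host, port = hostport, DEFAULT_PORTS.get(scheme)
    username = password = None
    if userinfo is not None:
        username, _, password = userinfo.partition(":")
    return {"scheme": scheme, "username": username, "password": password,
            "host": host, "port": port}


def stdlib_view(url):
    """What urllib.parse makes of the same URL: (hostname, port, user, pass)."""
    parts = urlsplit(url)
    return parts.hostname, parts.port, parts.username, parts.password


if __name__ == "__main__":
    for sample in (URL_WITH_CREDS, URL_WITH_PORT, URL_AT_IN_PATH):
        print(sample)
        print("  naive  :", naive_host_port(sample))
        print("  rfc3986:", rfc3986_authority(sample))
        print("  stdlib :", stdlib_view(sample))
```

The check a practitioner wants from a proxy is the one the second function makes: extract the authority first, peel userinfo off at the last '@', and only then look for a port, refusing anything outside 1..65535. A parser that does these steps in the wrong order does not just break embedded-credential URLs; it also connects to whatever host name the userinfo happens to contain.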

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:42:44 MST