Re: A selection of SSL bugs...

From: <rstagg@dont-contact.us>
Date: Thu, 22 Oct 1998 10:38:39 +0100

Henrik,

Thanks for your speedy response. I think I'm being a bit dense here, so can
you clarify some points for me.

If I try browsing to https://www.wibble.com, Squid does a proper CONNECT
www.wibble.com:443 and I get a username/password dialogue box. This is fine
and correct.

If I try browsing to https://c123456:98765@www.wibble.com, Squid does a
CONNECT c123456.ourcomp.co.uk:98 which is clearly duff. ("ourcomp.co.uk" is
the local_domain as defined in squid.conf; "98" is the first two digits of
the password!) This looks like a parsing problem to me. I don't believe
it's a client problem as the erroneous string is made up of bits from the
squid.conf file on the proxy and also, when we point the client straight at
the SSL server, the same URL works fine. If it's simply a case of Squid not
supporting SSL URLs with passwords then that's clear enough.

If I'm making a basic misunderstanding, please do put me right; I have to
be clear about this, as I have clients who want to know what's going on :-)

Many thanks for your time, Henrik.

Regards

Richard Stagg

Henrik Nordstrom <hno@hem.passagen.se>
22/10/98 09:20

To: Richard Stagg/TMU/CSC
cc: squid-users@ircache.net, Andrew G Winfer/UK/CSC
Subject: Re: A selection of SSL bugs...

Squid does NOT support SSL, it supports SSL tunneling using the CONNECT
method.
If you get erroneous CONNECT requests then this is a client problem, not
a Squid problem. A proper CONNECT request for
"https://c123456:98765@www.wibble.com" is "CONNECT www.wibble.com:443"
You can't use a redirector to redirect requests to https, unless you
redirect them using a HTTP redirect (telling the client to use https
instead).
Squid 1.X has quite limited forwarding capabilities for SSL. I'd
recommend you to look into Squid 2 to solve your firewall + local domain
problem.

---
Henrik Nordstrom
Spare time Squid hacker
Received on Thu Oct 22 1998 - 03:49:16 MDT
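
Added example, not part of the original messages and not code from Squid or any browser: a Python sketch of deriving the CONNECT target from an https URL that carries credentials, next to a first-colon split that puts the username in the host field and the password in the port field. The function names are hypothetical, and the naive parser is only an illustration of the failure pattern, not a statement of what the client or Squid 1.X actually did.

```python
from urllib.parse import urlsplit

HTTPS_DEFAULT_PORT = 443


def connect_target(url):
    """Return the host:port that belongs on the CONNECT line for an https URL.

    The user:password@ part is meant for the origin server and is dropped.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("expected an https URL")
    host = parts.hostname            # userinfo and IPv6 brackets already removed
    if not host:
        raise ValueError("URL has no host")
    port = parts.port                # None when the URL gives no explicit port
    if port is None:
        port = HTTPS_DEFAULT_PORT
    if ":" in host:                  # IPv6 literal: put the brackets back
        host = "[" + host + "]"
    return "%s:%d" % (host, port)


def naive_target(url):
    """Wrong on purpose: split the authority at the first ':' (illustration)."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    host, _, port_field = authority.partition(":")
    return host, port_field


def connect_matches(url, request_line):
    """True if a logged CONNECT request line targets what the URL implies."""
    fields = request_line.split()
    if len(fields) < 2 or fields[0] != "CONNECT":
        return False
    return fields[1].lower() == connect_target(url)


if __name__ == "__main__":
    url = "https://c123456:98765@www.wibble.com"   # URL quoted in the thread
    print(connect_target(url))
    print(naive_target(url))
    # Request lines as quoted in the thread
    for line in ("CONNECT www.wibble.com:443", "CONNECT c123456.ourcomp.co.uk:98"):
        print(line, "->", connect_matches(url, line))
```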
