Re: [SQU] SSL problems

From: Dr. Michael Weller <eowmob@dont-contact.us>
Date: Tue, 24 Oct 2000 14:55:22 +0200 (MESZ)

On Tue, 24 Oct 2000, Glen Blundell wrote:

> Our network is set up as follows:
>
> Browsers->Squid Proxy->Netscape Proxy->Internet
>
> The squid proxy and netscape proxy lie in different organisations and I have
> no control over the Netscape proxy and we cannot change our link setup.
>
> Anyway, using the configuration above I have SSL problems using IE5. Before
> you blame IE5 let me tell you some stuff (IE5 may still be to blame)

Sorry, no solution but as another data point, that IE5 does special things
here. We had a setup like:

Browsers(typically IE5)->MS Proxy->VirusWall->Internet.

We had massive problems with https connections here (I think you mean that
by SSL). Removing one of the proxies worked but not stacking them. In
addition Trendmicro(Viruswall) reported this is a problem specific to IE5
and MS Proxy. They now fixed VirusWall to cope with that (version 3.5),
however, this version is not out of beta for all supported architectures.

We now use a setup like:

Browsers(typically IE5)->Squid->VirusWall->Internet.

which (apart from glitches of NTLM authentication) works fine. In addition
squid bypasses VirusWall for https/SSL to the few allowed destinations.
This is not because we can't stack the proxies (we checked it works) but
just as the VirusWall cannot scan the https/SSL links anyway so it would
just be an unnecessary instance slowing down the link.

Claim: IE5 uses a special protocol variant/interpretation for 'CONNECT'
through proxies, esp. stacked proxies. This is not supported by that
Viruswall proxy version 3.01a and might be a problem in Squid or Netscape
Proxy too.

> So to me (and I'm happy to be wrong), IE 5 is doing something different in
> the User-Agent header that either is really crap, or squid can't handle
> (netscape proxy handles it fine)

I would rather assume that netscape proxy does something special when
using an IE5 browser which unfortunately fails when it runs after squid and
not directly behind the browser.

--
Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on
any machine in the net, it's very likely it's me.
Received on Tue Oct 24 2000 - 06:59:09 MDT
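
A squid.conf fragment for the arrangement described in the message above: HTTPS tunnels (CONNECT) to a few allowed destinations go direct, and all other traffic is forced through the scanning parent proxy. This is an added example, not the poster's configuration; the host name, parent port, ACL names and destination list are placeholders.

```conf
# Added example, not taken from the thread.
# viruswall.example.internal, port 8080 and the domains below are placeholders.

# Parent proxy that scans plain HTTP; ICP disabled (icp-port 0, no-query).
cache_peer viruswall.example.internal parent 8080 0 no-query default

# HTTPS through a proxy arrives as a CONNECT request.
acl https_tunnel method CONNECT
acl ssl_ports port 443

# The few destinations for which HTTPS is permitted at all.
acl allowed_ssl dstdomain .bank.example .partner.example

# Refuse tunnels to non-SSL ports and to any destination not on the list.
# These lines go before the site's existing "http_access allow" rules.
http_access deny https_tunnel !ssl_ports
http_access deny https_tunnel !allowed_ssl

# Permitted tunnels skip the parent: it cannot inspect the encrypted
# stream, so sending them through it only adds a hop.
always_direct allow https_tunnel allowed_ssl

# Everything that is not a tunnel must use the parent, never go direct,
# so plain HTTP cannot slip past the scanner if the parent is down.
never_direct allow !https_tunnel
```

Squid evaluates `always_direct` before `never_direct`, so the permitted tunnels leave directly while every other request is held to the parent.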