Re: [squid-users] Problem with IE6 SP1 proxy authentication

From: Marc Elsen <marc.elsen@dont-contact.us>
Date: Thu, 10 Apr 2003 13:03:43 +0200

Wim Ceulemans wrote:
>
> Hi
>
> FYI I am using squid-2.4.STABLE7.
>
> I read all the archives about the IE6 SP1 problem not being able to
> authenticate through squid. There definitely is a bug in IE6 SP1 that is
> not present in IE5 and plain IE6. For a number of workstations I could
> solve the problem by:
>
> 1. Installing the MS critical updates Q810847 and Q813951
> 2. And by disabling the "Show friendly http error messages" in Tool -
> Internet options - Advanced tab of IE6
>
> However on some windows XP clients the problem is not solved???
>
> Another thing I saw was that when I tried to authenticate with an XP
> client not being able to authenticate with squid-2.4.STABLE7, it works
> ok with squid-2.2.STABLE4. I recorded the authentication session of that
> winXP client with the two different squids and this is the result
> (captured with tcpdump and displayed with ethereal):
>
> A. Session with squid-2.4.STABLE7 (simplified a bit)
>
> Source            Destination       Protocol  Info
> wc-winxp.able.be  wc-test.able.be   TCP       1066 > 3128 [SYN]
> wc-test.able.be   wc-winxp.able.be  TCP       3128 > 1066 [SYN, ACK]
> wc-winxp.able.be  wc-test.able.be   TCP       1066 > 3128 [ACK]
> wc-winxp.able.be  wc-test.able.be   HTTP      GET http://www.google.be/ HTTP/1.0
> wc-test.able.be   wc-winxp.able.be  TCP       3128 > 1066 [ACK]
> wc-test.able.be   wc-winxp.able.be  HTTP      HTTP/1.0 407 Proxy Authentication Required
> wc-test.able.be   wc-winxp.able.be  TCP       3128 > 1066 [FIN, ACK]
> wc-winxp.able.be  wc-test.able.be   TCP       1066 > 3128 [ACK]
> wc-winxp.able.be  wc-test.able.be   HTTP      GET http://www.google.be/ HTTP/1.0
> wc-test.able.be   wc-winxp.able.be  TCP       3128 > 1066 [RST]
> wc-winxp.able.be  wc-test.able.be   TCP       1066 > 3128 [FIN, ACK]
> wc-test.able.be   wc-winxp.able.be  TCP       3128 > 1066 [RST]
>
> B. Session with squid-2.2.STABLE4
>
> Source            Destination       Protocol  Info
> wc-winxp.able.be  wc-test.able.be   TCP       1066 > 3128 [SYN]
> wc-test.able.be   wc-winxp.able.be  TCP       3128 > 1066 [SYN, ACK]
> wc-winxp.able.be  wc-test.able.be   TCP       1066 > 3128 [ACK]
> wc-winxp.able.be  wc-test.able.be   HTTP      GET http://www.google.be/ HTTP/1.0
> wc-test.able.be   wc-winxp.able.be  TCP       3128 > 1066 [ACK]
> wc-test.able.be   wc-winxp.able.be  HTTP      HTTP/1.0 407 Proxy Authentication Required
> wc-test.able.be   wc-winxp.able.be  TCP       3128 > 1066 [FIN, ACK]
> wc-winxp.able.be  wc-test.able.be   TCP       1066 > 3128 [ACK]
> wc-winxp.able.be  wc-test.able.be   TCP       1066 > 3128 [FIN, ACK]
> wc-test.able.be   wc-winxp.able.be  TCP       3128 > 1066 [ACK]
> wc-winxp.able.be  wc-test.able.be   HTTP      GET http://www.google.be/ HTTP/1.0
> wc-test.able.be   wc-winxp.able.be  TCP       3128 > 1066 [RST]
> wc-winxp.able.be  wc-test.able.be   TCP       1066 > 3128 [FIN, ACK]
> wc-test.able.be   wc-winxp.able.be  TCP       3128 > 1066 [RST]
> wc-winxp.able.be  wc-test.able.be   TCP       1066 > 3128 [SYN]
> wc-test.able.be   wc-winxp.able.be  TCP       3128 > 1066 [SYN, ACK]
> wc-winxp.able.be  wc-test.able.be   TCP       1066 > 3128 [ACK]
> wc-winxp.able.be  wc-test.able.be   HTTP      GET http://www.google.be/ HTTP/1.0
> wc-test.able.be   wc-winxp.able.be  TCP       3128 > 1066 [ACK]
> wc-test.able.be   wc-winxp.able.be  HTTP      HTTP/1.0 200 OK
>
> See the difference? By analyzing the headers of the squid answer (what a
> great tool ethereal is), I see only one difference:
>
> 1. squid-2.4.STABLE7 gives a:
> Proxy-Connection: Keep-Alive
> 2. squid-2.2.STABLE4 gives a:
> Proxy-Connection: close
>
> That's why this IE bug does not happen with older versions of squid.
> Does anyone know how to force squid-2.4.STABLE7 to close the connection
> instead of keeping it alive?

 Check

   client_persistent_connections

 in squid.conf (perhaps setting to 'off')

 This may help you, not sure though.
>
> Also is this correct reasoning: after a proxy authentication the
> connection should always be finished by the browser even if keep-alive
> header is present? Or is this to be considered a bug in squid?

 I believe this is the reverse reasoning of attempting to consider
 issues and relating them to squid while they aren't.
 For improved tcp performance I would consider it normal to
 keep the conn. open also in this case.

 Considering the IE SP1 problems, also check:

 http://www.squid-cache.org/Doc/FAQ/FAQ-5.html#ss5.12

 which you have probably done already.

 
 You may also want to verify all of these issues
 against 2.5S2 which is the advised version of squid
 to run these days.

 Best Regards,

 M.

 
 
>
> Thanks and regards
>
> --
> Wim Ceulemans
> R&D Engineer
>
> Secure Internet Communication with aXs Guard
>
> Able NV
> Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium
> Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09
> E-mail: wim.ceulemans@able.be
>
> --
> Security check done by aXs GUARD (http://www.axsguard.com)

-- 
 'Love is truth without any future.
 (M.E. 1997)
Received on Thu Apr 10 2003 - 05:04:20 MDT
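
An added example, not part of the original thread: a small Python walk over the two simplified captures quoted in the message, reporting whether the browser wrote a GET into a connection squid had already closed and whether it opened a new connection after the 407. The rows are transcribed from sessions A and B above; the C/S shorthand and the `analyze` function are assumptions of this example.

```python
# Rows transcribed from the simplified captures quoted above, as (sender, info):
# C = wc-winxp.able.be (browser), S = wc-test.able.be (squid, port 3128).
SESSION_A = [("C", "SYN"), ("S", "SYN, ACK"), ("C", "ACK"), ("C", "GET"),
             ("S", "ACK"), ("S", "407"), ("S", "FIN, ACK"), ("C", "ACK"),
             ("C", "GET"), ("S", "RST"), ("C", "FIN, ACK"), ("S", "RST")]
SESSION_B = [("C", "SYN"), ("S", "SYN, ACK"), ("C", "ACK"), ("C", "GET"),
             ("S", "ACK"), ("S", "407"), ("S", "FIN, ACK"), ("C", "ACK"),
             ("C", "FIN, ACK"), ("S", "ACK"), ("C", "GET"), ("S", "RST"),
             ("C", "FIN, ACK"), ("S", "RST"),
             ("C", "SYN"), ("S", "SYN, ACK"), ("C", "ACK"), ("C", "GET"),
             ("S", "ACK"), ("S", "200")]


def analyze(rows):
    """Walk one capture and summarise how the 407 challenge was handled."""
    result = {"get_after_server_fin": 0, "reconnected_after_407": False,
              "final_status": None}
    server_closed = False   # squid has sent FIN on the current connection
    challenged = False      # a 407 has been seen in this capture
    for sender, info in rows:
        flags = {f.strip() for f in info.split(",")}
        if sender == "C" and flags == {"SYN"}:
            # Browser opens a fresh connection.
            server_closed = False
            if challenged:
                result["reconnected_after_407"] = True
        elif sender == "S" and "FIN" in flags:
            server_closed = True
        elif sender == "C" and info == "GET" and server_closed:
            # Request written into a connection squid has already closed.
            result["get_after_server_fin"] += 1
        elif sender == "S" and info.isdigit():
            result["final_status"] = int(info)
            challenged = challenged or info == "407"
    return result


if __name__ == "__main__":
    for name, rows in (("A (2.4.STABLE7)", SESSION_A),
                       ("B (2.2.STABLE4)", SESSION_B)):
        print(name, analyze(rows))
```

In both captures as quoted, one GET is sent after squid's FIN and answered with RST; only session B shows a new SYN afterwards and ends in a 200.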