[squid-users] Re: MSIE 6.0 basic auth on HTTPS-Connections

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 10 Jun 2005 16:57:38 +0200 (CEST)

On Fri, 10 Jun 2005, Tiggemann, Bernd wrote:

>> we have problems with Basic Authentication with MS IE 6.0 after upgrading
>> to squid 2.5.STABLE9 on SSL-connections.
>> In the log it looks like this:
>> 1118212696.937 14 x.x.x.x TCP_DENIED/407 1432 CONNECT dekanet.izbsoft.de:443 - NONE/- text/html
>> 1118212703.723 80 x.x.x.x TCP_DENIED/400 1177 GET / - NONE/- text/html
>>
>> Browsing the internet I found
>> http://www.squid-cache.org/mail-archive/squid-users/200307/1111.html
>> describing this problem 2 years ago.
>>
>> I opened a support ticket with Microsoft but they stated:
>> The GET / after the Connect-Command is a valid request and the proxy
>> should handle it.

No it should not.

For a start it is not a valid proxy request, only a valid web server
request. Proxy requests should always use a full URL
http://servername/path

Secondly, the original request was an https:// request and should always
be SSL encrypted for security. In the above the browser sent the request
unencrypted to the proxy.

Please return to your Microsoft support contact: sending the web
server request UNENCRYPTED to the proxy as if it was the web server minus
SSL encryption after a negative response to CONNECT is not valid. This is
both an annoying bug and a security issue allowing the proxy as a
man-in-the-middle (or anyone else in the path between the proxy and
browser) to receive the supposedly securely encrypted https request in
plain text.

>> I'm not of this opinion - I think it's a browser-bug.

You are correct. It is a browser bug, and a rather serious one as it
risks leakage of users' personal secrets such as credit card info etc.

>> I looked the RFCs to find something about valid proxy-request until now
>> without success. Can you give me some help on argumentation with microsoft
>> - otherwise the BUG will always remain in MSIE.

Hopefully it will eventually get solved. You are not the first to run into
this problem as your search in the archives showed.

Since MSIE 6 came out authentication has been very fragile in MSIE.
Depending on the patch level of MSIE you have, one or more of the NTLM,
Basic or Digest authentication schemes are broken. They have had a lot of
trouble getting the persistent connection management correct (which your
problem is a good sign of), and also lots of trouble managing error
messages in response to CONNECT (only the first KB or so of the error
message is ever shown to the user, the rest silently discarded).

This kind of problem in the browser's connection management can usually be
worked around by setting

   client_persistent off

in squid.conf. (well, not the CONNECT error message problem, but your
problem and similar problems along the same lines)

Regards
Henrik
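The two things Henrik's reply turns on, as an added example that is not code from this thread or from Squid: a proxy request-line is only valid in absolute form (`GET http://host/path`) or, for CONNECT, authority form (`host:443`), and a plain `GET /` arriving at the proxy shortly after a refused CONNECT from the same client is the would-be-TLS request replayed in clear text. The script below checks the request form per RFC 2616 section 5.1.2 and scans Squid native access.log lines for that 407-then-origin-form pattern. It assumes Squid's native log layout and a 30-second pairing window (both assumptions); the first two log lines are the ones quoted above, the other two are constructed.

```python
"""Validate proxy request-lines and flag the CONNECT-refused-then-plaintext
pattern in Squid native access.log lines.

Added example, not code from the thread or from Squid. Log format and the
30-second window are assumptions; two of the sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Squid native access.log (assumed layout):
# time elapsed client action/code bytes method url ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# First two lines: quoted from the mail. Last two: constructed for the example
# (a normal absolute-form GET, and an origin-form GET from another client
# that had no refused CONNECT, which must not be flagged).
SAMPLE_LOG = [
    "1118212696.937 14 x.x.x.x TCP_DENIED/407 1432 CONNECT dekanet.izbsoft.de:443 - NONE/- text/html",
    "1118212703.723 80 x.x.x.x TCP_DENIED/400 1177 GET / - NONE/- text/html",
    "1118212710.100 120 x.x.x.x TCP_MISS/200 5123 GET http://www.squid-cache.org/ - DIRECT/192.0.2.10 text/html",
    "1118212720.500 3 y.y.y.y TCP_DENIED/400 1177 GET / - NONE/- text/html",
]


def request_form(method, target):
    """Classify the request-target of a request-line.

    RFC 2616 5.1.2: a request sent to a proxy must carry an absolute URI.
    CONNECT (RFC 2817) carries host:port instead. A target starting with '/'
    is origin form, i.e. a web-server request, and is not valid at a proxy.
    """
    if method == "CONNECT":
        return "authority" if re.fullmatch(r"[^/:\s]+:\d+", target) else "invalid"
    if target == "*":
        return "asterisk"
    if target.startswith("/"):
        return "origin"
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        return "absolute"
    return "invalid"


def valid_proxy_request(method, target):
    """True only for forms a proxy may legitimately receive."""
    return request_form(method, target) in ("absolute", "authority")


def parse_log(lines):
    """Parse native-format lines; silently skip lines that do not match."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = float(e["ts"])
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def find_plaintext_fallbacks(lines, window=30.0):
    """Flag an origin-form, non-CONNECT request from a client whose most
    recent CONNECT (within `window` seconds) was not answered 200: the
    browser has sent the request it meant to tunnel over TLS in the clear."""
    findings = []
    refused = {}  # client -> most recent refused CONNECT entry
    for e in parse_log(lines):
        if e["method"] == "CONNECT":
            if e["status"] == 200:
                refused.pop(e["client"], None)  # tunnel established, no fallback
            else:
                refused[e["client"]] = e
            continue
        if request_form(e["method"], e["url"]) != "origin":
            continue
        prev = refused.get(e["client"])
        if prev and 0 <= e["ts"] - prev["ts"] <= window:
            findings.append({
                "client": e["client"],
                "connect_host": prev["url"],
                "connect_status": prev["status"],
                "leaked_request": f'{e["method"]} {e["url"]}',
                "delay": round(e["ts"] - prev["ts"], 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_plaintext_fallbacks(SAMPLE_LOG):
        print(f"{f['client']}: CONNECT {f['connect_host']} got {f['connect_status']}, "
              f"then plaintext '{f['leaked_request']}' after {f['delay']}s")
```

Run against the sample, only the x.x.x.x pair is reported; the y.y.y.y `GET /` is still an invalid proxy request (Squid answers 400 either way) but carries no evidence that an HTTPS request was downgraded. On a real log, pair this with the `client_persistent off` workaround from the reply and confirm the findings stop.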
Received on Fri Jun 10 2005 - 08:57:40 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jul 01 2005 - 12:00:02 MDT