Re: [squid-users] NTLM passthrough over https breaks during NTLM handshake

From: Benjamin Indermühle <benjamin_at_inthemill.ch>
Date: Sat, 19 Sep 2009 11:00:03 +0200

On 19.09.2009, at 04:40, Henrik Nordstrom wrote:

> fre 2009-09-18 klockan 17:23 +0200 skrev Benjamin Indermühle:
>
>>>> 2009/09/18 09:05:38| fwdNegotiateSSL: Error negotiating SSL
>
>> I doubt that.
>> ntlm breaks during the handshake and not when starting the
>> connection.
>> the ssl connection is established.
>
> The errormessage says otherwise. fwdNegotiateSSL is when Squid
> negotiates the SSL over a new connection to the requested server.
>
> Regards
> Henrik
>

I think that is where the problem lies.
Why does Squid try to negotiate SSL over a connection which is not new
but already established?

Looking at the tcpdump shows me this.

[squid] open tcp connection
[squid] Client Hello ( open ssl tunnel )
[Exchange] Server Hello, Certificate, Server Hello Done
[Squid] Client Key Exchange
[Exchange] Change Cipher Spec, Finished
[Squid] HTTPS GET NTLM Negotiate
[Exchange] HTTPS NTLM Challenge

[Squid] sends another Client Hello
[Exchange] terminates the TCP Connection

In my eyes the problem is that Squid resends a Client Hello into an
already negotiated SSL Tunnel.
I am guessing that somehow it must invalidate the persisting tunnel.
Maybe there is something wrong with the certificate, I don't know.
The fact is that this problem only appears during the NTLM handshake.
Basic Auth or owa over the same setup does not cause any of this
behavior.

I can just guess what the problem is.
Maybe there is some additional validation on the tunnel when Squid
wants to send the password.

Regards
Benjamin
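The tcpdump sequence above can be checked mechanically: once the server has sent Change Cipher Spec, every further record on that connection should be encrypted, so a record that still parses as a plaintext Client Hello means a fresh handshake was started inside the established tunnel. The following is an added example, not code from Squid or from the original post; the record trace, the `<negotiate>`/`<challenge>` placeholders and all function names are constructed for illustration.

```python
"""Walk a client/server TLS record trace and flag a plaintext ClientHello sent
after the server already finished the handshake on that same connection."""
import struct

CCS, HANDSHAKE, APP_DATA = 20, 22, 23   # TLS record-layer content types
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_FINISHED = 1, 2, 20

def record(ctype, payload, version=(3, 1)):
    """Build one TLS record: type(1) version(2) length(2) payload."""
    return bytes([ctype, *version]) + struct.pack("!H", len(payload)) + payload

def handshake(hs_type, body=b""):
    """Handshake message (type(1) length(3) body) wrapped in one record."""
    return record(HANDSHAKE, bytes([hs_type]) + len(body).to_bytes(3, "big") + body)

def parse_records(raw):
    """Split the raw bytes of one direction into (type, payload) tuples."""
    out, off = [], 0
    while off + 5 <= len(raw):
        ctype, length = raw[off], struct.unpack("!H", raw[off + 3:off + 5])[0]
        payload = raw[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record at offset %d" % off)
        out.append((ctype, payload))
        off += 5 + length
    return out

def find_spurious_client_hello(trace):
    """trace: list of (direction, raw_bytes) in wire order, direction 'C' or 'S'.
    Returns the trace index of a client ClientHello seen after the server's
    ChangeCipherSpec (i.e. inside an already negotiated session), else None.
    Heuristic: after CCS a genuine record is encrypted and would not parse as a
    plaintext ClientHello, so a match means a new handshake was begun."""
    server_done = False
    for idx, (direction, raw) in enumerate(trace):
        for ctype, payload in parse_records(raw):
            if direction == "S" and ctype == CCS:
                server_done = True
            elif (direction == "C" and ctype == HANDSHAKE and server_done
                  and payload[:1] == bytes([HS_CLIENT_HELLO])):
                return idx
    return None

# Constructed trace modelling the tcpdump sequence from the post (not real data).
TRACE = [
    ("C", handshake(HS_CLIENT_HELLO, b"\x03\x01" + b"\x00" * 32)),
    ("S", handshake(HS_SERVER_HELLO, b"\x03\x01" + b"\x00" * 32) + handshake(11) + handshake(14)),
    ("C", handshake(16) + record(CCS, b"\x01") + handshake(HS_FINISHED, b"\x00" * 12)),
    ("S", record(CCS, b"\x01") + handshake(HS_FINISHED, b"\x00" * 12)),
    ("C", record(APP_DATA, b"GET / HTTP/1.1\r\nAuthorization: NTLM <negotiate>\r\n\r\n")),
    ("S", record(APP_DATA, b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM <challenge>\r\n\r\n")),
    ("C", handshake(HS_CLIENT_HELLO, b"\x03\x01" + b"\x00" * 32)),  # the second Client Hello
]

if __name__ == "__main__":
    print("spurious ClientHello at trace index", find_spurious_client_hello(TRACE))
```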
Received on Sat Sep 19 2009 - 09:00:16 MDT