Re: [squid-users] ssl-bump, server-first

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Wed, 20 Mar 2013 17:24:52 -0600

On 03/20/2013 12:46 PM, Delton wrote:

> I rearranged the steps as I understand they happen:
>
> 1. Client connects and sends plain CONNECT to Squid;
> 2. Squid sends 200 OK to the client;
> 3. Client sends 'Client Hello' to Squid by the TLSv1;
> 4. Squid sends 'Server Hello' to the client by the TLSv1;
> 5. Squid and client exchange data. I think that the connection is
> encrypted; I cannot see what Squid sent to the client. I think right now
> the message 'Access denied' is displayed on the client.
> 6. Squid sends FIN, ACK to the client;
> 7. Passing a maximum of 2 seconds.
> 8. I press F5.
> 9. Client connects and sends plain CONNECT to Squid;
> 10. Squid sends 200 OK to the client;
> 11. Client sends 'Client Hello' to Squid by the SSL;
> 12. Squid sends RST, ACK to the client.
> 13. Client shows "Proxy refused the connection".

Agreed. There are several potential bugs here:

1) Based on your earlier emails, Squid did not log the CONNECT request and
response after step #10. Please confirm that.

2) Squid reset the connection instead of serving a deny message. It is
strange that the client used an SSL message instead of TLS like it did
before F5, but it is not clear why that resulted in a connection reset
(even if some unsupported SSL version was used).

Please set debug_options to "ALL,9", repeat the above steps, and post
the resulting cache.log (compressed if needed). You may want to file a
Squid bug report for that as the mailing list may not allow large
attachments.

After you do the above, please see if the behavior changes if you add
this rule before "http_access deny all":

  http_access allow CONNECT

>>> If I press F5 to refresh the browser, the established connection is
>>> closed and the browser shows 'Proxy refused the connection'.
>> Questions:
>>
>> a) Which side initiated browser-Squid connection closure in #8?
> I think squid.

Agreed.

>> b) When did the Squid-origin server connection close?
> In fact, at no time did I see a Squid connection to an external server.

I think this is expected for your configuration -- Squid is not going to
connect to the origin server if the CONNECT request itself is denied.

Thank you,

Alex.
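As an added example, not part of the original message or of Squid's own documentation, here is how the two diagnostic steps above (debug_options set to "ALL,9", and "http_access allow CONNECT" placed before "http_access deny all") fit into a minimal ssl-bump server-first squid.conf of the Squid 3.3 era. The listening port, CA certificate path, ssl_crtd path and cache_log path are placeholder assumptions.

```conf
# Added illustrative squid.conf fragment (Squid 3.3-era syntax).
# Paths, port and cache sizes are placeholders; adjust to the local install.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/proxyCA.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
ssl_bump server-first all

acl SSL_ports port 443
acl CONNECT method CONNECT

# Keep the usual guard against tunnelling to non-TLS ports, then the
# diagnostic rule from the message above: allow CONNECT so the tunnel is
# not denied before the bumped handshake, and see whether the reset after
# F5 still occurs. This must come before the final "deny all".
http_access deny CONNECT !SSL_ports
http_access allow CONNECT
http_access deny all

# Maximum verbosity for the bug report; revert after capturing cache.log,
# since ALL,9 grows the log very quickly.
debug_options ALL,9
cache_log /var/log/squid/cache.log
```

Check the file with `squid -k parse` before reloading, and capture only the reproduction window (CONNECT, handshake, F5, second CONNECT) so the ALL,9 cache.log stays small enough to attach to a bug report.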
Received on Wed Mar 20 2013 - 23:24:55 MDT
