Re: [squid-users] ssl-bump, server-first

From: Delton <delton_at_bnpapel.com.br>
Date: Thu, 21 Mar 2013 12:57:51 -0300

Hi!

I opened the bug 3816: http://bugs.squid-cache.org/show_bug.cgi?id=3816

On 20/03/2013 20:24, Alex Rousskov wrote:
> On 03/20/2013 12:46 PM, Delton wrote:
>
>> I rearranged the steps as I understand them to happen:
>>
>> 1. Client connects and sends plain CONNECT to Squid;
>> 2. Squid sends 200 OK to the client;
>> 3. Client sends 'Client Hello' to Squid over TLSv1;
>> 4. Squid sends 'Server Hello' to the client over TLSv1;
>> 5. Squid and client exchange data. I think that the connection is
>> encrypted; I cannot see what Squid sent to the client. I think right now
>> the message 'Access denied' is displayed on the client.
>> 6. Squid sends FIN, ACK to the client;
>> 7. At most 2 seconds pass.
>> 8. I press F5.
>> 9. Client connects and sends plain CONNECT to Squid;
>> 10. Squid sends 200 OK to the client;
>> 11. Client sends 'Client Hello' to Squid over SSL;
>> 12. Squid sends RST, ACK to the client.
>> 13. Client shows "Proxy refused the connection".
> Agreed. There are several potential bugs here:
>
> 1) Based on your earlier emails, Squid did not log the CONNECT request and
> response after step #10. Please confirm that.
>
> 2) Squid reset the connection instead of serving a deny message. It is
> strange that the client used an SSL message instead of TLS like it did
> before F5, but it is not clear why that resulted in a connection reset
> (even if some unsupported SSL version was used).
>
> Please set debug_options to "ALL,9", repeat the above steps, and post
> the resulting cache.log (compressed if needed). You may want to file a
> Squid bug report for that as the mailing list may not allow large
> attachments.
>
>
> After you do the above, please see if the behavior changes if you add
> this rule before "http_access deny all":
>
> http_access allow CONNECT
>
>
>
>>>> If I press F5 to refresh the browser, the established connection is
>>>> closed and the browser shows 'Proxy refused the connection'.
>>> Questions:
>>>
>>> a) Which side initiated browser-Squid connection closure in #8?
>> I think squid.
> Agreed.
>
>
>>> b) When did the Squid-origin server connection close?
>> In fact, at no time did I see Squid connect to an external server.
> I think this is expected for your configuration -- Squid is not going to
> connect to the origin server if the CONNECT request itself is denied.
>
>
> Thank you,
>
> Alex.
>
>
Received on Thu Mar 21 2013 - 15:57:52 MDT

This archive was generated by hypermail 2.2.0 : Thu Mar 21 2013 - 12:00:04 MDT