[squid-users] Re: MSIE 6.0 basic auth on HTTPS-Connections


On Fri, 10 Jun 2005, Tiggemann, Bernd wrote:

we have problems with Basic Authentication with MS IE 6.0 after upgrading
to squid 2.5.STABLE9 on SSL-connections.
In the log it looks like this:
1118212696.937     14 x.x.x.x TCP_DENIED/407 1432 CONNECT dekanet.izbsoft.de:443 - NONE/- text/html
1118212703.723     80 x.x.x.x TCP_DENIED/400 1177 GET / - NONE/- text/html

Browsing the internet I found
http://www.squid-cache.org/mail-archive/squid-users/200307/1111.html
describing this problem 2 years ago.

I opened a support ticket with Microsoft but they stated:
The GET / after the Connect-Command is a valid request and the proxy
should handle it.

No it should not.

For a start it is not a valid proxy request, only a valid web server request. Proxy requests should always use a full URL (http://servername/path).

Secondly, the original request was an https:// request and should always be SSL encrypted for security. In the above the browser sent the request unencrypted to the proxy.

Please return to your Microsoft support contact that sending the web server request UNENCRYPTED to the proxy as if it was the web server minus SSL encryption after a negative response to CONNECT is not valid. This is both an annoying bug and a security issue allowing the proxy as a man-in-the-middle (or anyone else in the path between the proxy and browser) to receive the supposedly securely encrypted https request in plain text.

I'm not of this opinion - I think it's a browser-bug.

You are correct. It is a browser bug, and a rather serious one as it endangers leakage of users' personal secrets such as credit card info etc.

I looked in the RFCs to find something about valid proxy requests, until now
without success. Can you give me some help on argumentation with Microsoft
- otherwise the BUG will always remain in MSIE.

Hopefully it will eventually get solved. You are not the first to run into this problem as your search in the archives showed.

Since MSIE 6 came out authentication has been very fragile in MSIE. Depending on the patch level you have of MSIE one or more of the NTLM, Basic or Digest authentication schemes is broken. They have had a lot of trouble getting the persistent connection management correct (which your problem is a good sign of), and also lots of trouble managing error messages in response to CONNECT (only the first KB or so of the error message is ever shown to the user, the rest silently discarded).

This kind of problem in the browser's connection management can usually be worked around by setting

  client_persistent_connections off

in squid.conf. (well, not the CONNECT error message problem, but your problem and similar problems along the same lines)

Regards
Henrik
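
A way to look for this browser behaviour in Squid's native access.log, as an added example that is not part of the original message: it pairs a CONNECT denied with 407 with a later request from the same client whose URL is only a path and which was rejected with 400, the pattern in the log excerpt above. The function names, the 30-second window and the sample lines (documentation addresses and hosts) are assumptions made for the example.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "ts client result method url")

def parse_line(line):
    """Parse one line of Squid's native access.log format; None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        return Entry(float(f[0]), f[2], f[3], f[5], f[6])
    except ValueError:
        return None

def find_plaintext_leaks(lines, window=30.0):
    """Return (client, connect_target, method, url, delay_seconds) per suspect pair."""
    pending = {}  # client -> (timestamp, target) of its last CONNECT denied with 407
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e.method == "CONNECT":
            # A later CONNECT that is not denied means the client retried correctly.
            if e.result == "TCP_DENIED/407":
                pending[e.client] = (e.ts, e.url)
            else:
                pending.pop(e.client, None)
            continue
        prev = pending.get(e.client)
        # Origin-form URL ("/...") sent to the proxy and rejected as a bad request.
        if prev and e.result == "TCP_DENIED/400" and e.url.startswith("/"):
            delay = e.ts - prev[0]
            if 0 <= delay <= window:
                hits.append((e.client, prev[1], e.method, e.url, round(delay, 3)))
            del pending[e.client]
    return hits

# Constructed sample log; clients and hosts are documentation placeholders.
SAMPLE_LOG = """\
1118212696.937     14 192.0.2.10 TCP_DENIED/407 1432 CONNECT secure.example.com:443 - NONE/- text/html
1118212703.723     80 192.0.2.10 TCP_DENIED/400 1177 GET / - NONE/- text/html
1118212710.100     12 192.0.2.20 TCP_DENIED/407 1432 CONNECT secure.example.com:443 - NONE/- text/html
1118212712.500   5230 192.0.2.20 TCP_MISS/200 4096 CONNECT secure.example.com:443 alice DIRECT/198.51.100.7 -
1118212713.000     40 192.0.2.20 TCP_MISS/200 900 GET http://www.example.com/ alice DIRECT/198.51.100.8 text/html
"""

if __name__ == "__main__":
    for hit in find_plaintext_leaks(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit only shows that a path-only request reached the proxy in clear text after a denied CONNECT; the log does not record the request headers or body.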
