On 2/22/07, Adrian Chadd <adrian@xxxxxxxxxxxxxxx> wrote:
On Thu, Feb 22, 2007, Krzysztof Pawlak wrote:
> I have a problem with caching the following:
HTTPS content is inherently uncacheable.
> https://student.qantmcollege.edu.au:2096/
>
> If Firefox doesn't use proxy for the mentioned url, everything is
> fine. But if I activate proxy I have the following:
Unless you need to pass all traffic through a proxy (e.g. for policy reasons), there really isn't much reason to activate proxy for HTTPS, it may be better to set Firefox to not use a proxy for HTTPS content.
It's because there's an ACL which limits which destination ports you can speak HTTP to. There's another ACL for HTTPS. Check out the ACLs to do with Safe_ports and the http_access lines which use an ACL that references "method CONNECT" for the SSL safe ports.
The risk of enabling additional destination ports in the Safe_ports ACL is that if you are forcing all the traffic through a proxy for policy enforcement reasons, allowing additional destination ports makes it much easier to use CONNECT tunneling for unapproved and dangerous protocols. There are other (commercial only, TMK) proxies which will inspect the conversation after the connect to ensure it looks like real SSL/TLS, and a handful which will actually do MITM decryption and re-encryption so they can inspect the protocol inside TLS.

Kevin
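To make the two ACLs concrete, here is a squid.conf fragment added as an example for this thread; it is not from the original posts or from the Squid project itself. The port lists mirror the stock squid.conf defaults of that era (an assumption on my part), and the ACL names `webmail_host` and `webmail_port` are mine, derived from the host and port in the URL Krzysztof posted. Note that 2096 already falls inside the 1025-65535 range of the default Safe_ports list, so the line that actually denies this request is the CONNECT/SSL_ports one. Rather than adding 2096 to SSL_ports for every destination (which widens the tunnelling risk Kevin describes), the fragment allows CONNECT to that one host:port from the local network only, and keeps the global deny in place for everything else:

```conf
# --- stock-style port ACLs (assumed to match the 2.6-era defaults) ---
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports (includes 2096)
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Example source network (assumed; adjust to your site)
acl localnet src 192.168.0.0/16

# Example-only ACLs naming the one HTTPS service that needs a non-443 tunnel.
# Host and port are taken from the URL in the original question.
acl webmail_host dstdomain student.qantmcollege.edu.au
acl webmail_port port 2096

# Deny anything outside the Safe_ports list (this does not block 2096).
http_access deny !Safe_ports

# Narrow exception: all ACLs on one http_access line are ANDed, so this
# permits CONNECT only from localnet, only to that host, only on 2096.
http_access allow localnet CONNECT webmail_host webmail_port

# Global rule that was rejecting the request: CONNECT only to SSL_ports.
# Keeping it means 2096 is still closed for every other destination.
http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access deny all
```

The exception line must precede `http_access deny CONNECT !SSL_ports`, because Squid stops at the first matching http_access rule. After `squid -k reconfigure`, a still-blocked tunnel shows up in access.log as a `TCP_DENIED/403` entry for `CONNECT student.qantmcollege.edu.au:2096`, which is the quickest way to confirm which rule is firing.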