16.11.15 1:39, Alex Rousskov wrote:
> On 11/15/2015 12:03 PM, Eugene M. Zheganin wrote:
>> It's not even a HTTPS, it's a tunneled HTTP CONNECT. But
>> squid for some reason thinks there should be a HTTPS inside.
>
>
> Hello Eugene,
>
> Squid currently supports two kinds of CONNECT tunnels:
>
> 1. A regular opaque tunnel, as intended by HTTP specifications.
>
> 2. An inspected tunnel containing SSL/TLS-encrypted HTTP traffic.
>
> Opaque tunnels are the default. Optional SslBump-related features allow
> the admin to designate admin-selected CONNECT tunnels for HTTPS
> inspections (of various depth). This distinction explains why and when
> Squid expects "HTTPS inside".
>
> There is currently no decent support for inspecting CONNECT tunnels
> other than SSL/TLS-encrypted HTTP (i.e., HTTPS) tunnels.
>
> Splicing a tunnel at SslBump step1 converts a to-be-inspected tunnel
> into an opaque tunnel before inspection starts.
>
> The recently added on_unsupported_protocol directive can automatically
> convert being-inspected non-HTTPS tunnels into opaque ones in some
> common cases, but it needs more work to cover more cases.
>
>
> AFAICT, you assume that "splicing" turns off all tunnel inspection. This
> is correct for step1 (as I mentioned above). This is not correct for
> other steps because they happen after some inspection already took
> place. Inspection errors that on_unsupported_protocol cannot yet handle,
> may result in connection termination and other problems.
>
>
> If Squid behavior contradicts some of the above rules, it is probably a
> bug we should fix. Otherwise, it is likely to be a missing feature.
>
>
> Finally, if Squid kills your ICQ (non-HTTPS) client tunnels, you need to
> figure out whether those connections are inspected (i.e., go beyond
> SslBump step1). If they are inspected, then this is not a Squid bug but
> a misconfiguration (unless the ACL code itself is buggy!). If they are
> not inspected, then it is probably a Squid bug. I do not have enough
> information to distinguish between those cases, but I hope that others
> on the mailing list can guide you towards a resolution given the above
> information.

I do not think it's killing them. It looks like an outgoing connection
goes to the server, and then silence - there is no reaction in the log.
The client hangs waiting for a response from the server.

>
>
> HTH,
>
> Alex.
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
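
Added example, not part of the original thread and not the posters' configuration: a squid.conf fragment that splices selected non-HTTPS CONNECT tunnels at SslBump step1, as described in the quoted reply, and logs the SslBump decision so that inspected tunnels can be told apart from opaque ones. The ACL name icq_hosts, the domain .icq.example, the port, the certificate path and the log path are assumptions.

```conf
# Constructed example. icq_hosts, .icq.example, the certificate path and
# the log path are placeholders, not values from the thread.
http_port 3128 ssl-bump cert=/etc/squid/proxyCA.pem

acl step1 at_step SslBump1
acl icq_hosts dstdomain .icq.example

# Rule order matters: the first matching ssl_bump rule at each step wins.
# Splice the non-HTTPS tunnels at step1, using only what the CONNECT
# request provides (host and port), so they become opaque tunnels
# before any inspection starts.
ssl_bump splice step1 icq_hosts

# Every other tunnel is inspected: peek at the TLS ClientHello at step1,
# then splice at the following step.
ssl_bump peek step1
ssl_bump splice all

# Fallback for tunnels that entered inspection but do not carry TLS.
on_unsupported_protocol tunnel all

# Log the SslBump decision for each transaction to see whether a given
# CONNECT went beyond step1.
logformat bumpcheck %ts.%03tu %>a %rm %ru %>Hs %ssl::bump_mode %ssl::>sni
access_log stdio:/var/log/squid/bumpcheck.log bumpcheck
```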