On 14/11/2015 8:55 a.m., Amos Jeffries wrote:
> On 14/11/2015 8:40 a.m., Yuri Voinov wrote:
>>
>> Netcat plaintext is not HTTPS :) Also via 443 port :)
>>
>
> Thanks Yuri. Can't believe I missed that bit :-0
>
> Amos
>
>> 14.11.15 1:26, Amos Jeffries wrote:
>>> On 13/11/2015 10:00 p.m., Tarik Demirci wrote:
>>>> Hi,
>>>> Did anyone try on_unsupported_protocol for bumped https connections? I
>>>> made a simple test with netcat but test failed. Same test is
>>>> successful for port 80 (also intercepted by squid).
>>
>>> HTTPS is a supported protocol.
>>
>>> Amos
>

Hi again,

I did more detailed tests for this case. Constructing a tcp-in-https
connection results in error ERR_PROTOCOL_UNKNOWN in spite of the
"on_unsupported_protocol tunnel all" conf directive. Is this a Squid bug?
The doc for on_unsupported_protocol says it works for bumped tunnels but I
can't confirm this in any way.

I debugged the code and it fails in a check in the clientTunnelOnError
function. By the time Squid understands it's not http inside https, the
conn->nrequests value is 2. So the conn->nrequests <= 1 check fails.

Here is how I did the test:
- Install stunnel on both 'Netcat Server' and 'Client'.
- Add the Issuer CA of the stunnel certificate to the trusted authorities of
  'Squid Box'.
- Open a tcp connection with netcat through stunnel. This results in the
  familiar ERR_PROTOCOL_UNKNOWN.

Note: I'm confident that the https setup is correct because redirecting
traffic to nginx instead of netcat results in a successful connection.

Thanks,

--
Tarık Demirci
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users