On 19/12/2015 6:51 a.m., Kinkie wrote:
> Hi,
> Do you see anything denied in the squid logs? From what you say it could
> be related to a failing attempt to validate a certificate.
> On Dec 18, 2015 17:25, "Patrick Flaherty" wrote:
>
>> Hello,
>>
>> We have an app configured to use Squid Proxy (3.5.11). The client machine
>> does not have access to the internet except for the whitelisted domains in
>> Squid. The app launches painfully slow. It seems to be SSL Certificate
>> related. I found a way to fix it but don't know why it fixes it. Let me
>> explain.
>>
>> If I go into IE and configure it to use the Squid Proxy and I go to our
>> website (SSL Based), the page comes up fine with a nice lock symbol
>> signifying SSL. I then turn off the proxy config in IE to stop using the
>> Squid Proxy. I relaunch our app and it launches fast forever more!!! I
>> thought that it might be downloading a certificate but I look at all the
>> Windows certificates either through IE or CertMgr.msc and it appears that
>> no new certificates are in there after this exercise. Something in the
>> Windows config changed and I don't know what it is. I would love to know
>> because I would like to see if there is an easier method to fix this as
>> opposed to the one I just outlined.
>>

Several other things could have happened:

* HSTS headers from the server are received by the browser,
* Alternative-Protocol headers received by the browser,
* CRL and OCSP browser lookups without the proxy,
* or any combo of the above.

Alternative-Protocol is particularly bad since it can cause the browser to move away from HTTP entirely and use some other protocol. Chrome has a thing for moving traffic from HTTP to Google custom protocols. MSIE should be pretty good, though it might move to HTTP/2.

HSTS requires the browser to start directly with a secure protocol rather than HTTP (i.e. through the proxy). When combined with Alternative-Protocol, the two could potentially force HTTP and the proxy to cease being even considered as a traffic route (if the browser thinks the other protocol is more secure). Since these happen inside the CONNECT tunnel used to go through an explicit proxy, Squid does not have a chance to prevent the Alternative-Protocol taking effect.

OCSP and CRL are annoying but friendly enough to proxy. Just find out what the needed URIs are and ensure they are permitted through the proxy.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
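An added example for the last suggestion in the thread (not code from the thread or from the Squid project): it reads the OCSP responder and CRL distribution point URIs out of a certificate and renders the squid.conf `dstdomain` ACL lines that would permit those hosts through the proxy. The certificate it runs on is generated in-process and its hostnames (`ocsp.example.test`, `crl.example.test`) are constructed placeholders, not any real CA's endpoints.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// revocationURIs returns the OCSP responder and CRL URIs (AIA and CRLDP) in a PEM certificate.
func revocationURIs(certPEM []byte) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return append(append([]string{}, cert.OCSPServer...), cert.CRLDistributionPoints...), nil
}

// squidACL renders a squid.conf snippet: one dstdomain ACL per distinct responder host
// (OCSP and CRL fetches are plain HTTP, so the host is enough) plus the http_access rule.
func squidACL(uris []string) string {
	seen, out := map[string]bool{}, ""
	for _, raw := range uris {
		if u, err := url.Parse(raw); err == nil && u.Hostname() != "" && !seen[u.Hostname()] {
			seen[u.Hostname()] = true
			out += "acl revocation dstdomain " + u.Hostname() + "\n"
		}
	}
	return out + "http_access allow revocation\n"
}

// sampleCert builds a constructed self-signed certificate with placeholder (not real) revocation URIs.
func sampleCert() []byte {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		OCSPServer: []string{"http://ocsp.example.test/"}, CRLDistributionPoints: []string{"http://crl.example.test/app.crl"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
func main() {
	uris, _ := revocationURIs(sampleCert()) // the constructed input always parses
	fmt.Print(squidACL(uris))
}
```

On a real deployment, feed `revocationURIs` the server certificate and each intermediate in the chain, since each issuer publishes its own responder and CRL locations.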