Re: FW: Encrypted browser-Squid connection errors

On 10/19/22 09:53, LEMRAZZEQ, Wadie wrote:

As you can see firefox sends a plain text CONNECT request, and I did
parameter https proxy in firefox settings

I do not know exactly what you mean by "https proxy" in this context, but I suspect that you are using the wrong Firefox setting. The easily accessible "HTTPS proxy" setting in the "Configure Proxy Access to the Internet" dialog is _not_ what you need! That setting configures a plain text HTTP proxy for handling HTTPS traffic. Very misleading, I know.

You need a PAC file that tells Firefox to use an HTTPS proxy.

See (again) https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection which refers to https://bugzilla.mozilla.org/show_bug.cgi?id=378637#c68


HTH,

Alex.

On 10/19/22 09:53, LEMRAZZEQ, Wadie wrote:
On 10/18/22 04:55, LEMRAZZEQ, Wadie wrote:

I have problem only web browsers (Firefox, chromium), and I do specify
to use https proxy in the browser proxy config But if I use curl, it
works


ERROR: failure while accepting a TLS connection on conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1:

connection: conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1

Error.cc(22) update: recent: ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=1408F09B+TLS_IO_ERR=1

According to "openssl errstr", that OpenSSL error is:
       error:1408F09B:SSL routines:ssl3_get_record:https proxy request


Most likely, the client is sending a plain text CONNECT request
before encrypting the TLS connection to the HTTPS proxy. In other
words, the client thinks it is talking to an HTTP proxy while you
want it to think that it is talking to an HTTPS proxy. For example,

* HTTP proxy:  curl -x http://172.17.0.2:3128/ ... https://example.com
* HTTPS proxy: curl -x https://172.17.0.2:3129/ ... https://example.com


Yes indeed, requesting with curl works unless the web browsers

As far as I can tell based on the information you have provided, your browser is not doing what you want it to do. I can only speculate that the browser is misconfigured.

You can confirm what the browser is doing by looking at browser-Squid packets using wireshark or a similar tool. If you see HTTP CONNECT requests sent to Squid over a plain text TCP connection, then your browser is _not_ configured to use an HTTPS proxy (or is buggy). The browser should be opening a TCP connection and then initiating a TLS handshake.

Yes, that's what I did
Here is the capture of firefox: https://i.stack.imgur.com/NNnGx.png
And here the capture of curl: https://i.stack.imgur.com/OxJJ3.png
As you can see firefox sends a plain text CONNECT request, and I did parameter https proxy in firefox settings
If it is a browser bug, firefox team resolved this compatibility issue a while ago: https://bugzilla.mozilla.org/show_bug.cgi?id=378637#c68
But still the issue persists or I did miss something

Thank you
Regards,


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
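
A PAC file of the kind the reply above calls for, as an added example that is not part of the thread or of the Squid documentation. It assumes Squid's https_port listener is 172.17.0.2:3129 (the address in the quoted log); the bypass list and the `plainTextProxyEntries` helper are hypothetical names introduced here.

```javascript
// Added example: a PAC file for the setup discussed in this thread.
// Assumption: Squid's https_port listens on 172.17.0.2:3129 (from the log above).
// "HTTPS host:port" makes the browser start TLS with the proxy before sending
// any request; "PROXY host:port" is a plain-text HTTP proxy.
var TLS_PROXY = "HTTPS 172.17.0.2:3129";

// Constructed bypass list for local destinations.
var DIRECT_HOSTS = ["localhost", "127.0.0.1"];

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  var isLiteralV6 = h.indexOf(":") !== -1;
  var isDotless = h.indexOf(".") === -1 && !isLiteralV6;
  if (DIRECT_HOSTS.indexOf(h) !== -1 || isDotless) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of silently bypassing it.
  return TLS_PROXY;
}

// Hypothetical audit helper (not a PAC built-in): lists the entries of a PAC
// result that would reach a proxy without TLS on the browser-proxy hop.
function plainTextProxyEntries(pacResult) {
  return pacResult.split(";")
    .map(function (e) { return e.trim(); })
    .filter(function (e) { return /^(PROXY|HTTP)\s/i.test(e); });
}
```

In Firefox the file is loaded through the "Automatic proxy configuration URL" field rather than the manual "HTTPS proxy" field; the proxy certificate must be valid for the host named in the PAC entry.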


