
Re: Chrome auto-HTTPS-upgrade - not falling to http

On 2024-04-05 08:16, Loučanský Lukáš wrote:

Build Info: GIT V6.8 commit 4bee0c8

Could you please somehow elaborate how this seems to be working?

acl SquidSecureConnectFail squid_error ERR_SECURE_CONNECT_FAIL
acl SquidTLSErrorConnect ssl_error SQUID_TLS_ERR_CONNECT

#tunnel all for connection errors
on_unsupported_protocol tunnel SquidTLSErrorConnect
on_unsupported_protocol tunnel SquidSecureConnectFail

Assuming the above rules have the desired effect, I speculate that, in your particular test cases (where these rules have the desired effect), the tested non-https origin servers result in those two Squid TLS errors, those errors happen where on_unsupported_protocol still applies, and the selected "tunnel" action tickles the right Chrome behavior. I also speculate that not all non-https origin servers exhibit similar behavior because other errors were alleged to (also) matter during PR #1668 work (e.g., ERR_ZERO_SIZE_OBJECT).

Sorry, I currently do not have enough free time to verify any of the above assumptions and speculations. Some of them do surprise me, but that does not mean they have to be wrong/false.


Is it a good or bad attempt? As I put redir.netcentrum.cz as an example in my first post - now it seems to just request TCP_MISS/200 815 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -.

If there is no corresponding TLS connection attempt (through Squid) before that, then Chrome has changed its behavior in your tests (or your network has stopped delivering that attempt to Squid if your Squid is intercepting Chrome TLS connections rather than receiving plain CONNECT requests from Chrome). Without such an attempt, you are not really testing what this thread calls "Chrome auto-HTTPS-upgrade"...


I do not think my chrome just decided this site is http only and call it like this forever. I just did not see more SSL errors till yesterday. I do not say I haven't seen any (during some fairly short period) - such as SSL version errors, TLS inappropriate fallbacks, broken certs, no common ciphers etc. - but now I could not find a site that does not work (for me) - I have to ask my users.

Same "If there is no..." comment applies.


Anyway - squid seemed to have slight problems downloading intermediate certificates - to work properly - so I had to create a collection of several ones for myself (and some root certificates too - for example from MS WU site etc.) - but this could be just trouble with my Debian underlying distro. (BTW I've already implemented transaction_initiator certificate-fetching acl and have http_access line for it)

This sounds like a completely separate issue. If you are suspecting that Squid should get certain intermediate certificates but does not, check Bugzilla, and, if there is no corresponding bug report, file a new one.


HTH,

Alex.


On 03.04.2024 at 17:05 Alex Rousskov wrote:
On 2024-04-03 02:14, Loučanský Lukáš wrote:

this has recently started me up more than let it go. For a while
chrome is upgrading in-page links to https.

Just to add two more pieces of related information to this thread:

Some Squid admins report that their v6-based code does not suffer from this issue while their v5-based code does. I have not verified those reports, but there may be more to the story here. What Squid version are _you_ using?

One way to track progress with this annoying and complex issue is to follow the following pull request. The current code cannot be officially merged as is, and I would not recommend using it in production (because of low-level bugs that will probably crash Squid in some cases), but testing it in the lab and providing feedback to authors may be useful:

https://github.com/squid-cache/squid/pull/1668

HTH,

Alex.
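Alex's "If there is no corresponding TLS connection attempt" check can be done against access.log instead of by eye. The script below is an added example written for this archive page; it is not code from the thread or from the Squid project. It assumes the default "squid" log format (timestamp, elapsed, client, result, bytes, method, URL, ...), that a TLS attempt shows up as a CONNECT to host:443 (Chrome's explicit CONNECT in forward-proxy mode, or the fake CONNECT Squid logs for an intercepted TLS connection when bumping), and that the sample log lines, timestamps, addresses and result codes embedded here are constructed, not taken from anyone's real log. For each plain-http GET it reports whether the same client tried TLS to the same host shortly before, which is exactly the distinction Alex draws between a real auto-upgrade test and a client that simply went to http in the first place.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access.log excerpt in Squid's default "squid" format.
# The first line stands in for a failed TLS attempt that Squid recorded as a
# CONNECT; its result/hierarchy fields are illustrative placeholders.
SAMPLE_LOG = """\
1712300000.100 12 192.0.2.10 NONE_NONE/503 0 CONNECT redir.netcentrum.cz:443 - HIER_NONE/- -
1712300000.350 45 192.0.2.10 TCP_MISS/200 815 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html
1712300100.000 30 192.0.2.11 TCP_MISS/200 512 GET http://example.net/ - ORIGINAL_DST/203.0.113.5 text/html
"""

# Leading fields of the default log format; trailing fields are not needed here.
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_log(text):
    """Return one dict per parseable log line, with the timestamp as a float."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in a different format rather than guessing
        entry = m.groupdict()
        entry["ts"] = float(entry["ts"])
        entries.append(entry)
    return entries


def host_and_port(entry):
    """Extract (host, port) from a CONNECT target or an absolute URL."""
    if entry["method"] == "CONNECT":
        host, _, port = entry["url"].rpartition(":")
        return host.lower(), port
    parts = urlsplit(entry["url"])
    default_port = "443" if parts.scheme == "https" else "80"
    return parts.hostname, str(parts.port or default_port)


def classify_plain_gets(entries, window_seconds=60.0):
    """For every plain-http request, record whether the same client made a
    TLS attempt (CONNECT host:443) to the same host within the window before it."""
    tls_attempts = [
        (e["ts"], e["client"], host_and_port(e)[0])
        for e in entries
        if e["method"] == "CONNECT" and host_and_port(e)[1] == "443"
    ]
    report = []
    for e in entries:
        if e["method"] == "CONNECT" or not e["url"].startswith("http://"):
            continue
        host, _ = host_and_port(e)
        preceded = any(
            client == e["client"] and h == host and 0 <= e["ts"] - ts <= window_seconds
            for ts, client, h in tls_attempts
        )
        report.append({"client": e["client"], "host": host,
                       "ts": e["ts"], "preceded_by_tls": preceded})
    return report


if __name__ == "__main__":
    for row in classify_plain_gets(parse_log(SAMPLE_LOG)):
        verdict = "TLS attempt seen first" if row["preceded_by_tls"] else "no prior TLS attempt"
        print(f"{row['client']} -> http://{row['host']}: {verdict}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; requests flagged "no prior TLS attempt" are the ones where, as Alex notes, the thread's auto-upgrade behaviour is not actually being exercised, so any on_unsupported_protocol tuning is not what made them work.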

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users




