On 2024-04-05 08:16, Loučanský Lukáš wrote:
Build Info: GIT V6.8 commit 4bee0c8
Could you please somehow elaborate how this seems to be working?
acl SquidSecureConnectFail squid_error ERR_SECURE_CONNECT_FAIL
acl SquidTLSErrorConnect ssl_error SQUID_TLS_ERR_CONNECT
#tunnel all for connection errors
on_unsupported_protocol tunnel SquidTLSErrorConnect
on_unsupported_protocol tunnel SquidSecureConnectFail
Assuming the above rules have the desired effect, I speculate that, in
your particular test cases (where these rules have the desired effect),
the tested non-https origin servers result in those two Squid TLS
errors, those errors happen where on_unsupported_protocol still applies,
and the selected "tunnel" action tickles the right Chrome behavior. I
also speculate that not all non-https origin servers exhibit similar
behavior because other errors were alleged to (also) matter during PR
#1668 work (e.g., ERR_ZERO_SIZE_OBJECT).
Sorry, I currently do not have enough free time to verify any of the
above assumptions and speculations. Some of them do surprise me, but
that does not mean they have to be wrong/false.
Is it a good or bad attempt? As I put redir.netcentrum.cz as an example
in my first post - now it seems to just request TCP_MISS/200 815 GET
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -.
If there is no corresponding TLS connection attempt (through Squid)
before that, then Chrome has changed its behavior in your tests (or your
network has stopped delivering that attempt to Squid if your Squid is
intercepting Chrome TLS connections rather than receiving plain CONNECT
requests from Chrome). Without such an attempt, you are not really
testing what this thread calls "Chrome auto-HTTPS-upgrade"...
I do not think my chrome just decided this site is http only and call it
like this forever. I just did not see more SSL errors till yesterday. I
do not say I haven't seen any (during some fairly short period) - such
as SSL version errors, TLS inappropriate fallbacks, broken certs, no
common ciphers etc. - but now I could not find a site that does not work
(for me) - I have to ask my users.
Same "If there is no..." comment applies.
Anyway - squid seemed to have slight
problems downloading intermediate certificates - to work properly - so I
had to create a collection of several ones for myself (and some root
certificates too - for example from MS WU site etc.) - but this could be
just trouble with my Debian underlying distro. (BTW I've already
implemented transaction_initiator certificate-fetching acl and have
http_access line for it)
This sounds like a completely separate issue. If you are suspecting that
Squid should get certain intermediate certificates but does not, check
Bugzilla, and, if there is no corresponding bug report, file a new one.
HTH,
Alex.
On 03.04.2024 at 17:05, Alex Rousskov wrote:
On 2024-04-03 02:14, Loučanský Lukáš wrote:
this has recently started me up more than let it go. For a while
chrome is upgrading in-page links to https.
Just to add two more pieces of related information to this thread:
Some Squid admins report that their v6-based code does not suffer from
this issue while their v5-based code does. I have not verified those
reports, but there may be more to the story here. What Squid version
are _you_ using?
One way to track progress with this annoying and complex issue is to
follow the following pull request. The current code cannot be
officially merged as is, and I would not recommend using it in
production (because of low-level bugs that will probably crash Squid
in some cases), but testing it in the lab and providing feedback to
authors may be useful:
https://github.com/squid-cache/squid/pull/1668
HTH,
Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
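
The check raised in the thread (was there a TLS connection attempt through Squid before the plain-HTTP request?) can be run against access.log. This is an added example, not code from the thread or from the Squid project; it assumes Squid's native access.log layout, and the sample lines, client addresses and the 5-second `window` default are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample lines (not from the thread) in Squid's native access.log
# layout: time elapsed_ms client code/status bytes method URL user hier/peer type
SAMPLE_LOG = """\
1712300000.100 31 192.0.2.10 NONE_NONE/200 0 CONNECT 46.255.231.158:443 - ORIGINAL_DST/46.255.231.158 -
1712300000.900 52 192.0.2.10 TCP_MISS/200 815 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html
1712300050.000 40 192.0.2.11 TCP_MISS/200 815 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html
"""


def parse(line):
    """Parse one native-format line; return None for anything else."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        # Assumption: the logged time is when the transaction finished, so
        # the start time is the timestamp minus the elapsed milliseconds.
        start = float(f[0]) - int(f[1]) / 1000.0
    except ValueError:
        return None
    return {"start": start, "client": f[2], "method": f[5], "url": f[6],
            "peer": f[8].partition("/")[2]}


def classify(log_text, window=5.0):
    """For each plain-HTTP request, report whether the same client made a
    port-443 CONNECT to the same destination up to `window` seconds earlier."""
    recs = [r for r in map(parse, log_text.splitlines()) if r]
    tls = []  # (start, client, destination names/addresses)
    for r in recs:
        host, _, port = r["url"].rpartition(":")
        if r["method"] == "CONNECT" and port == "443":
            tls.append((r["start"], r["client"], {host, r["peer"]} - {"-", ""}))
    out = []
    for r in recs:
        if r["method"] == "CONNECT" or not r["url"].startswith("http://"):
            continue
        dests = {urlsplit(r["url"]).hostname, r["peer"]} - {"-", "", None}
        seen = any(c == r["client"] and 0 <= r["start"] - t <= window and d & dests
                   for t, c, d in tls)
        out.append((r["client"], r["url"], seen))
    return out
```

A `False` in the third field marks a plain-HTTP request with no preceding port-443 attempt from that client in the log, which is the case the thread says is not a test of the auto-HTTPS-upgrade behavior.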