Re: [squid-users] on_unsupported_protocol doesn't work for bumped https connections

On 11/18/2015 12:53 AM, Tarik Demirci wrote:
> I did more detailed tests for this case. Constructing a tcp-in-https
> connection results in error ERR_PROTOCOL_UNKNOWN in spite of the
> "on_unsupported_protocol tunnel all" conf directive. Is this a Squid
> bug? Doc for on_unsupported_protocol says it works for bumped tunnels
> but I can't confirm this in any way.
>
> I debugged the code and it fails in a check in the clientTunnelOnError
> function. By the time Squid understands it's not http inside https,
> conn->nrequests value is 2. So the conn->nrequests <= 1 check fails.

This is a development topic. Consider moving this thread to squid-dev.

AFAICT, the intended goal of the nrequests check is to prevent switching
to tunnel mode after the tunnel has already been proven to carry a
"supported" protocol (i.e., HTTPS or HTTP).

I do not think that nrequests check is correct: The nrequests member is
incremented on every request, so it may be very large if a browser
switches to a tunnel after sending many regular requests:

  GET
  GET
  GET
  CONNECT

I also suspect the check is difficult to get right because fake CONNECTs
on intercepted connections and real CONNECTs on forwarded connections
might be counted differently. I did not verify that, but it may explain
why you are hitting this bug -- the code may have been tested with
intercepted connections only and just "assumed" to work for CONNECT
tunnels as well.

I recommend replacing the nrequests check with a check based on a new
tooLateToTunnel boolean data member. That member can be initialized to
false and set to true after receiving valid HTTP request headers inside
an inspected connection (at least).

Thank you,

Alex.

> Here is how I did the test:
> - Install stunnel on both 'Netcat Server' and 'Client'.
> - Add the Issuer CA of the stunnel certificate to the trusted authorities of
>   'Squid Box'.
> - Open a tcp connection with netcat through stunnel.
>
> This results in the familiar ERR_PROTOCOL_UNKNOWN.
>
> Note: I'm confident that the https setup is correct because redirecting
> traffic to nginx instead of netcat results in a successful
> connection.
>
> Thanks,

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
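To make the counter-versus-flag argument in Alex's reply concrete, and to replay the netcat-over-stunnel test from Tarik's original post against it, here is an added model written for this thread. It is not Squid's code: ModelConn, wouldTunnel, looksLikeHttpRequest and the Policy enum are hypothetical names, the "is this HTTP?" test is a crude stand-in for Squid's parser, and the model's request counting does not claim to reproduce Squid's own (Tarik observed nrequests reaching 2 on a single bumped CONNECT; the model only counts what it parses). The constructed client inputs mirror the thread: a CONNECT that gets bumped, plain GETs, and the lone "\n" that `echo "" | nc` sends.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Crude stand-in for "valid HTTP request headers": does the buffer start with
// a known method token? Squid's real parser is far stricter; hypothetical helper.
bool looksLikeHttpRequest(const std::string &bytes) {
    static const char *const methods[] = {"GET ", "HEAD ", "POST ", "PUT ",
                                          "DELETE ", "OPTIONS ", "CONNECT "};
    for (const char *m : methods) {
        const std::string method(m);
        if (bytes.compare(0, method.size(), method) == 0)
            return true;
    }
    return false;
}

bool isConnect(const std::string &bytes) {
    return bytes.compare(0, 8, "CONNECT ") == 0;
}

// Per-connection state of the model. Field names follow the thread's
// vocabulary; this is not Squid's ConnStateData.
struct ModelConn {
    int nrequests = 0;            // bumped for every parsed request, CONNECT included
    bool inspected = false;       // true once a CONNECT tunnel has been bumped (TLS terminated)
    bool tooLateToTunnel = false; // Alex's proposal: set after valid HTTP headers
                                  // arrive inside an inspected connection
};

// The two decision rules under discussion for the "unsupported protocol" moment.
enum class Policy { NRequestsCheck, TooLateToTunnelFlag };

// Replay one client's messages on a single connection. Returns true if the
// chosen policy would switch to tunnel mode when the first non-HTTP bytes
// arrive (on_unsupported_protocol tunnel), false if it would answer with
// ERR_PROTOCOL_UNKNOWN instead. If only HTTP is seen, nothing triggers.
bool wouldTunnel(const std::vector<std::string> &messages, Policy policy) {
    ModelConn c;
    for (const std::string &msg : messages) {
        if (looksLikeHttpRequest(msg)) {
            ++c.nrequests;
            if (isConnect(msg))
                c.inspected = true;       // tunnel bumped; decrypted bytes follow
            else if (c.inspected)
                c.tooLateToTunnel = true; // decrypted stream has proven itself HTTP
            continue;
        }
        // Non-HTTP bytes: this is the clientTunnelOnError decision point.
        if (policy == Policy::NRequestsCheck)
            return c.nrequests <= 1;
        return !c.tooLateToTunnel;
    }
    return false;
}

// Stand-alone run: compare both policies on the scenarios from the thread.
int main() {
    const std::string connect = "CONNECT 10.50.13.1:443 HTTP/1.1";
    const std::string get = "GET / HTTP/1.1";
    const std::string netcatNewline = "\n"; // constructed: what `echo "" | nc` sends

    struct Scenario { const char *name; std::vector<std::string> msgs; };
    const Scenario scenarios[] = {
        {"bumped CONNECT, then netcat newline", {connect, netcatNewline}},
        {"GET GET GET CONNECT, then netcat newline", {get, get, get, connect, netcatNewline}},
        {"bumped CONNECT carrying a GET, then garbage", {connect, get, netcatNewline}},
        {"intercepted port 80, garbage first", {netcatNewline}},
    };
    for (const Scenario &s : scenarios) {
        std::cout << s.name << ": nrequests<=1 -> "
                  << (wouldTunnel(s.msgs, Policy::NRequestsCheck) ? "tunnel" : "ERR_PROTOCOL_UNKNOWN")
                  << ", tooLateToTunnel -> "
                  << (wouldTunnel(s.msgs, Policy::TooLateToTunnelFlag) ? "tunnel" : "ERR_PROTOCOL_UNKNOWN")
                  << "\n";
    }
    return 0;
}
```

The second scenario is the browser pattern Alex describes: a counter that grows with every keep-alive request refuses the tunnel even though the decrypted stream was never shown to be HTTP, while the flag only trips in the third scenario, where a real request did arrive inside the inspected connection and tunnelling would rightly be refused.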
Re: [squid-users] on_unsupported_protocol doesn't work for bumped https connections

On 14/11/2015 8:55 a.m., Amos Jeffries wrote:
> On 14/11/2015 8:40 a.m., Yuri Voinov wrote:
>>
>> Netcat plaintext is not HTTPS :) Also via 443 port :)
>>
>
> Thanks Yuri. Can't believe I missed that bit :-0
>
> Amos
>
>> 14.11.15 1:26, Amos Jeffries wrote:
>>> On 13/11/2015 10:00 p.m., Tarik Demirci wrote:
>>>> Hi,
>>>> Did anyone try on_unsupported_protocol for bumped https connections? I
>>>> made a simple test with netcat but the test failed. The same test is
>>>> successful for port 80 (also intercepted by squid).
>>
>>> HTTPS is a supported protocol.
>>
>>> Amos
>

Hi again,

I did more detailed tests for this case. Constructing a tcp-in-https
connection results in error ERR_PROTOCOL_UNKNOWN in spite of the
"on_unsupported_protocol tunnel all" conf directive. Is this a Squid
bug? Doc for on_unsupported_protocol says it works for bumped tunnels
but I can't confirm this in any way.

I debugged the code and it fails in a check in the clientTunnelOnError
function. By the time Squid understands it's not http inside https,
conn->nrequests value is 2. So the conn->nrequests <= 1 check fails.

Here is how I did the test:
- Install stunnel on both 'Netcat Server' and 'Client'.
- Add the Issuer CA of the stunnel certificate to the trusted authorities of
  'Squid Box'.
- Open a tcp connection with netcat through stunnel.

This results in the familiar ERR_PROTOCOL_UNKNOWN.

Note: I'm confident that the https setup is correct because redirecting
traffic to nginx instead of netcat results in a successful
connection.

Thanks,

--
Tarık Demirci
[squid-users] on_unsupported_protocol doesn't work for bumped https connections

Hi,
Did anyone try on_unsupported_protocol for bumped https connections? I
made a simple test with netcat but the test failed. The same test is
successful for port 80 (also intercepted by squid).

Netcat Server --- Squid Box --- Client

On Client:
echo "" | nc 10.50.13.1 443

***
On Netcat Server:
nc -kl 443

***
On Squid Box:
squid.conf:
https_port 8443 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
ssl_bump bump step2 all
on_unsupported_protocol tunnel all

access.log:
1447235165.673      9 10.41.0.100 NONE/200 0 CONNECT 10.50.13.1:443 - HIER_NONE/- -

--
Tarık Demirci
Re: [squid-users] on_unsupported_protocol doesn't work for bumped https connections

On 13/11/2015 10:00 p.m., Tarik Demirci wrote:
> Hi,
> Did anyone try on_unsupported_protocol for bumped https connections? I
> made a simple test with netcat but the test failed. The same test is
> successful for port 80 (also intercepted by squid).

HTTPS is a supported protocol.

Amos
Re: [squid-users] on_unsupported_protocol doesn't work for bumped https connections

Netcat plaintext is not HTTPS :) Also via 443 port :)

14.11.15 1:26, Amos Jeffries wrote:
> On 13/11/2015 10:00 p.m., Tarik Demirci wrote:
>> Hi,
>> Did anyone try on_unsupported_protocol for bumped https connections? I
>> made a simple test with netcat but the test failed. The same test is
>> successful for port 80 (also intercepted by squid).
>
> HTTPS is a supported protocol.
>
> Amos
Re: [squid-users] on_unsupported_protocol doesn't work for bumped https connections

On 14/11/2015 8:40 a.m., Yuri Voinov wrote:
>
> Netcat plaintext is not HTTPS :) Also via 443 port :)
>

Thanks Yuri. Can't believe I missed that bit :-0

Amos

> 14.11.15 1:26, Amos Jeffries wrote:
>> On 13/11/2015 10:00 p.m., Tarik Demirci wrote:
>>> Hi,
>>> Did anyone try on_unsupported_protocol for bumped https connections? I
>>> made a simple test with netcat but the test failed. The same test is
>>> successful for port 80 (also intercepted by squid).
>
>> HTTPS is a supported protocol.
>
>> Amos