[squid-users] on_unsupported_protocol doesn't work for bumped https connecttions

[Tarik Demirci]

On 14/11/2015 8:55 a.m., Amos Jeffries wrote:
> On 14/11/2015 8:40 a.m., Yuri Voinov wrote:
>>
>> Netcat plaintext is not HTTPS :) Also via 443 port :)
>>
>
> Thanks Yuri. Can't believe I missed that bit :-0
>
> Amos
>
>> 14.11.15 1:26, Amos Jeffries пишет:
>>> On 13/11/2015 10:00 p.m., Tarik Demirci wrote:
>>>> Hi,
>>>> Did anyone try on_unsupported_protocol for bumped https connections? I
>>>> made a simple test with netcat but test failed. Same test is
>>>> successful for port 80 (also intercepted by squid).
>>
>>> HTTPS is a supported protocol.
>>
>>> Amos
>

Hi again,
I did more detailed tests for this case. Constructing a tcp-in-https
connection results with error ERR_PROTOCOL_UNKNOWN in spite of
"on_unsupported_protocol tunnel all" conf directive. Is this a Squid
bug? Doc for on_unsupported_protocol says it works for bumped tunnels
but I can't confirm this in any way.

I debugged the code and it fails in a check in clientTunnelOnError
function. By the time Squid understands it's not http inside https,
conn->nrequests value is 2. So conn->nrequests <= 1 check fails.

Here how I did the test:
- Install stunnel to both 'Netcat Server' and 'Client'.
- Add Issuer CA of the stunnel certificate to trusted authorities of
'Squid Box'.
- Open a tcp connection with netcat through stunnel.

This results with familiar ERR_PROTOCOL_UNKNOWN.

Note: I'm confident that https setup is correct because redirecting
traffic to nginx instead of netcat results with a successfull
connection.

Thanks,


-- 
Tarık Demirci