[squid-users] on_unsupported_protocol doesn't work for bumped https connecttions

Alex Rousskov rousskov at measurement-factory.com
Wed Nov 18 15:55:19 UTC 2015 

On 11/18/2015 12:53 AM, Tarik Demirci wrote:

> I did more detailed tests for this case. Constructing a tcp-in-https
> connection results with error ERR_PROTOCOL_UNKNOWN in spite of
> "on_unsupported_protocol tunnel all" conf directive. Is this a Squid
> bug? Doc for on_unsupported_protocol says it works for bumped tunnels
> but I can't confirm this in any way.
> 
> I debugged the code and it fails in a check in clientTunnelOnError
> function. By the time Squid understands it's not http inside https,
> conn->nrequests value is 2. So conn->nrequests <= 1 check fails.


This is a development topic. Consider moving this thread to squid-dev.

AFAICT, the intended goal of the nrequests check is to prevent switching
to tunnel mode after the tunnel has already been proven to carry a
"supported" protocol (i.e., HTTPS or HTTP).

I do not think that nrequests check is correct: The nrequests member is
incremented on every request, so it may be very large if a browser
switches to a tunnel after sending many regular requests:

  GET
  GET
  GET
  CONNECT

I also suspect the check is difficult to get right because fake CONNECTs
on intercepted connections and real CONNECTs on forwarded connections
might be counted differently. I did not verify that, but it may explain
why you are hitting this bug -- the code may have been tested with
intercepted connections only and just "assumed" to work for CONNECT
tunnels as well.

I recommend replacing nrequests check with a check based on a new
tooLateToTunnel boolean data member. That member can be initialized to
false and set to true after receiving valid HTTP request headers inside
an inspected connection (at least).


Thank you,

Alex.


> Here how I did the test:
> - Install stunnel to both 'Netcat Server' and 'Client'.
> - Add Issuer CA of the stunnel certificate to trusted authorities of
> 'Squid Box'.
> - Open a tcp connection with netcat through stunnel.
> 
> This results with familiar ERR_PROTOCOL_UNKNOWN.
> 
> Note: I'm confident that https setup is correct because redirecting
> traffic to nginx instead of netcat results with a successfull
> connection.
> 
> Thanks,
> 
>

More information about the squid-users mailing list