[squid-users] SSL options on different http_port resolving into a single config for all ports
Amos Jeffries
squid3 at treenet.co.nz
Fri Jul 28 04:24:42 UTC 2017
On 27/07/17 19:57, Wahaj Ali wrote:
> Resending the logs as they were not formatted correctly:
>
>
> First request going to port 3128
> root at madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"

AFAIK, the above is an invalid value for the https_proxy variable. It is
missing the URL scheme which tells curl whether HTTP or TLS is used to
connect to the proxy.

Since you are sending identical plain-text CONNECT requests to the two
ports, the first one to receive the request forms the security context
used by the TLS server connection.

I believe what you are seeing is a result of the fake server
certificates being cached. The client-requested domain is identical for
all tests, so the cached cert should be identical. However, curl is
rejecting the certificate generated from SSLv3-enabled server connections.

Try with the dynamic_cert_mem_cache_size=0 option to disable cert caching.

Also, I highly recommend leaving port 443 for encrypted connections
(https_port directive). Using plain-text over it (http_port directive)
can be extremely problematic.

Amos