[squid-users] FW: Encrypted browser-Squid connection errors
Alex Rousskov
rousskov at measurement-factory.com
Tue Oct 18 13:52:48 UTC 2022
On 10/18/22 04:55, LEMRAZZEQ, Wadie wrote:
> I have a problem only with web browsers (Firefox, Chromium), and I do
> specify to use https proxy in the browser proxy config. But if I use
> curl, it works.
>>> ERROR: failure while accepting a TLS connection on conn77
>>> local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1:
>>>
>>> connection: conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12
>>> flags=1
>>>
>>> Error.cc(22) update: recent:
>>> ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=1408F09B+TLS_IO_ERR=1
>> According to "openssl errstr", that OpenSSL error is:
>> error:1408F09B:SSL routines:ssl3_get_record:https proxy request
>> Most likely, the client is sending a plain text CONNECT request
>> before encrypting the TLS connection to the HTTPS proxy. In other
>> words, the client thinks it is talking to an HTTP proxy while you
>> want it to think that it is talking to an HTTPS proxy. For
>> example,
>>
>> * HTTP proxy: curl -x http://172.17.0.2:3128/ ... https://example.com
>> * HTTPS proxy: curl -x https://172.17.0.2:3129/ ... https://example.com
> Yes indeed, requesting with curl works unless the web browsers
As far as I can tell based on the information you have provided, your
browser is not doing what you want it to do. I can only speculate that
the browser is misconfigured.
You can confirm what the browser is doing by looking at browser-Squid
packets using wireshark or a similar tool. If you see HTTP CONNECT
requests sent to Squid over a plain text TCP connection, then your
browser is _not_ configured to use an HTTPS proxy (or is buggy). The
browser should be opening a TCP connection and then initiating a TLS
handshake.
HTH,
Alex.
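
The packet check described in the message above can also be done on the first bytes of a captured browser-to-Squid connection. The following is an added example, not part of the original post or of Squid: it tells a TLS ClientHello from a plain-text CONNECT and reports a mismatch against what the proxy port expects. The sample byte strings are constructed, and the function names are hypothetical.

```python
import struct

# Constructed samples of what a client might send first on a new TCP connection.
PLAINTEXT_CONNECT = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
TLS_CLIENT_HELLO = bytes.fromhex("16 03 01 02 00 01 00 01 fc 03 03") + bytes(32)

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sent on a new proxy connection."""
    if len(data) < 6:
        return "incomplete"
    # TLS record header: content type (1), version (2), length (2),
    # followed by the handshake message type (1).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if (ctype == 0x16 and major == 0x03 and minor <= 0x04
            and 0 < length <= 2 ** 14 and data[5] == 0x01):
        return "tls-client-hello"
    if data.startswith(b"CONNECT "):
        return "plaintext-connect"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def check_listener(expects_tls: bool, data: bytes) -> str:
    """Compare what the client sent with what the proxy port expects."""
    kind = classify_first_bytes(data)
    if kind in ("incomplete", "unknown"):
        return f"{kind}: capture more bytes or inspect manually"
    is_tls = kind == "tls-client-hello"
    if expects_tls and not is_tls:
        return f"mismatch: {kind} sent to a TLS port; client treats proxy as HTTP"
    if not expects_tls and is_tls:
        return "mismatch: TLS handshake sent to a plain-text port"
    return f"ok: {kind}"


if __name__ == "__main__":
    # Port 3129 is the TLS-wrapped proxy port in the thread's curl examples.
    print(check_listener(True, PLAINTEXT_CONNECT))
    print(check_listener(True, TLS_CLIENT_HELLO))
```

A "mismatch: plaintext-connect" result for traffic to port 3129 corresponds to the "https proxy request" OpenSSL error quoted in the thread.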