[squid-users] FW: Encrypted browser-Squid connection errors

LEMRAZZEQ, Wadie wadie.lemrazzeq at capgemini.com
Wed Oct 19 13:53:51 UTC 2022


On 10/18/22 04:55, LEMRAZZEQ, Wadie wrote:

>>> I have the problem only with web browsers (Firefox, Chromium), and I do 
>>> specify to use an HTTPS proxy in the browser proxy config. But if I use 
>>> curl, it works


>>>> ERROR: failure while accepting a TLS connection on conn77
>>>> local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1:
>>>>
>>>> connection: conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1
>>>>
>>>> Error.cc(22) update: recent: ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=1408F09B+TLS_IO_ERR=1

>>> According to "openssl errstr", that OpenSSL error is:
>>>       error:1408F09B:SSL routines:ssl3_get_record:https proxy request


>>> Most likely, the client is sending a plain text CONNECT request 
>>> before encrypting the TLS connection to the HTTPS proxy. In other 
>>> words, the client thinks it is talking to an HTTP proxy while you 
>>> want it to think that it is talking to an HTTPS proxy. For example,
>>> 
>>> * HTTP proxy:  curl -x http://172.17.0.2:3128/ ... https://example.com
>>> * HTTPS proxy: curl -x https://172.17.0.2:3129/ ... https://example.com


>> Yes indeed, requesting with curl works, unlike the web browsers

> As far as I can tell based on the information you have provided, your browser is not doing what you want it to do. I can only speculate that the browser is misconfigured.

> You can confirm what the browser is doing by looking at browser-Squid packets using wireshark or a similar tool. If you see HTTP CONNECT requests sent to Squid over a plain text TCP
> connection, then your browser is _not_ configured to use an HTTPS proxy (or is buggy). The browser should be opening a TCP connection and then initiating a TLS handshake.

Yes, that's what I did.
Here is the capture of Firefox: https://i.stack.imgur.com/NNnGx.png
And here is the capture of curl: https://i.stack.imgur.com/OxJJ3.png
As you can see, Firefox sends a plain text CONNECT request, and I did configure an HTTPS proxy in the Firefox settings.
If it is a browser bug, the Firefox team resolved this compatibility issue a while ago: https://bugzilla.mozilla.org/show_bug.cgi?id=378637#c68
But the issue still persists, or I missed something.

Thank you
Regards,


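The check discussed in this thread (plain text CONNECT versus a TLS handshake as the first bytes on the proxy port), as an added example that is not part of the original messages or of Squid. The function names and both sample payloads are constructed for illustration; the payloads are not taken from the linked captures.

```python
"""Classify the first bytes a client sends to a proxy listening port."""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def classify_first_bytes(data: bytes) -> str:
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if data.startswith(b"CONNECT "):
        return "plaintext-connect"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def connect_target(data: bytes) -> str:
    # Request line is "CONNECT host:port HTTP/1.x"; return host:port.
    line = data.split(b"\r\n", 1)[0].split(b" ")
    return line[1].decode("ascii", "replace") if len(line) >= 2 else ""


def diagnose(data: bytes, listener_expects_tls: bool) -> str:
    kind = classify_first_bytes(data)
    if listener_expects_tls and kind.startswith("plaintext"):
        return "MISMATCH: client speaks plain HTTP to a TLS (HTTPS proxy) port"
    if not listener_expects_tls and kind == "tls-client-hello":
        return "MISMATCH: client starts TLS on a plain HTTP proxy port"
    if kind == "unknown":
        return "UNKNOWN: neither a TLS ClientHello nor an HTTP request"
    return "OK: client and listener agree"


# Constructed samples (not taken from the captures linked in the thread).
BROWSER_LIKE = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
CURL_LIKE = bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xFC, 0x03, 0x03])

if __name__ == "__main__":
    for name, payload in (("browser-like", BROWSER_LIKE), ("curl-like", CURL_LIKE)):
        print(name, "->", diagnose(payload, listener_expects_tls=True))
```

Feed it the first TCP payload of a connection exported from a capture; `listener_expects_tls=True` corresponds to the port the HTTPS proxy listens on (3129 in the curl examples above).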

