[squid-users] FW: Encrypted browser-Squid connection errors

Alex Rousskov rousskov at measurement-factory.com
Wed Oct 19 14:33:18 UTC 2022


On 10/19/22 09:53, LEMRAZZEQ, Wadie wrote:

> As you can see, Firefox sends a plain text CONNECT request, and I did
> set the https proxy parameter in Firefox settings

I do not know exactly what you mean by "https proxy" in this context, 
but I suspect that you are using the wrong Firefox setting. The easily 
accessible "HTTPS proxy" setting in the "Configure Proxy Access to the 
Internet" dialog is _not_ what you need! That setting configures a plain 
text HTTP proxy for handling HTTPS traffic. Very misleading, I know.

You need a PAC file that tells Firefox to use an HTTPS proxy.

See (again) 
https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection 
which refers to https://bugzilla.mozilla.org/show_bug.cgi?id=378637#c68


HTH,

Alex.
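As an added example (not part of Alex's reply or of the Squid project), here is a PAC file of the kind the reply refers to: it uses the `HTTPS host:port` directive from the linked Mozilla bug so that Firefox opens a TLS connection to Squid's https_port before sending CONNECT, instead of the plain-text CONNECT seen in the capture. The proxy address 172.17.0.2:3129 is the one from the thread; the bypass rules and the decision not to fall back to the plain-text proxy on 3128 are assumptions.

```javascript
// PAC file: send browser traffic to Squid over TLS.
// Assumption: Squid's https_port listens on 172.17.0.2:3129 (address from
// the thread). There is deliberately no "; PROXY 172.17.0.2:3128" fallback:
// a failed TLS handshake should surface as an error, not silently downgrade
// the browser-Squid hop to plain text.
var TLS_PROXY = "HTTPS 172.17.0.2:3129";

// Hosts that should not go through the proxy at all: bare hostnames without
// a dot, loopback and RFC 1918 address literals. Plain string checks are
// used instead of PAC helpers such as isPlainHostName() so the same file
// runs in a browser's PAC sandbox and under Node for testing.
function shouldBypass(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;           // e.g. "intranet", "localhost"
  return /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(host);
}

// Entry point every PAC-capable browser calls for each request.
// Returning "HTTPS ..." (not "PROXY ...") is what makes Firefox do the TLS
// handshake first and only then send CONNECT (for https:// origins) or the
// absolute-URI request (for http:// origins) inside the encrypted tunnel.
function FindProxyForURL(url, host) {
  if (shouldBypass(host)) return "DIRECT";
  return TLS_PROXY;
}
```

Point Firefox at this file through its automatic proxy configuration (PAC) URL setting and leave the manual "HTTPS proxy" field empty, since that field only configures a plain-text proxy for HTTPS traffic.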

> On 10/19/22 09:53, LEMRAZZEQ, Wadie wrote:
>> On 10/18/22 04:55, LEMRAZZEQ, Wadie wrote:
>> 
>>>>> I have the problem only with web browsers (Firefox, Chromium), and I do specify
>>>>> to use the https proxy in the browser proxy config. But if I use curl, it
>>>>> works
>> 
>> 
>>>>>> ERROR: failure while accepting a TLS connection on conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1:
>>>>>>
>>>>>> connection: conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1
>>>>>>
>>>>>> Error.cc(22) update: recent: ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=1408F09B+TLS_IO_ERR=1
>> 
>>>>> According to "openssl errstr", that OpenSSL error is:
>>>>>        error:1408F09B:SSL routines:ssl3_get_record:https proxy request
>> 
>> 
>>>>> Most likely, the client is sending a plain text CONNECT request
>>>>> before encrypting the TLS connection to the HTTPS proxy. In other
>>>>> words, the client thinks it is talking to an HTTP proxy while you
>>>>> want it to think that it is talking to an HTTPS proxy. For example,
>>>>>
>>>>> * HTTP proxy:  curl -x http://172.17.0.2:3128/ ... https://example.com
>>>>> * HTTPS proxy: curl -x https://172.17.0.2:3129/ ... https://example.com
>> 
>> 
>>>> Yes indeed, requesting with curl works, unlike the web browsers
>> 
>>> As far as I can tell based on the information you have provided, your browser is not doing what you want it to do. I can only speculate that the browser is misconfigured.
>> 
>>> You can confirm what the browser is doing by looking at browser-Squid packets using wireshark or a similar tool. If you see HTTP CONNECT requests sent to Squid over a plain text TCP
>>> connection, then your browser is _not_ configured to use an HTTPS proxy (or is buggy). The browser should be opening a TCP connection and then initiating a TLS handshake.
>> 
>> Yes, that's what I did.
>> Here is the capture of Firefox: https://i.stack.imgur.com/NNnGx.png
>> And here is the capture of curl: https://i.stack.imgur.com/OxJJ3.png
>> As you can see, Firefox sends a plain text CONNECT request, and I did set the https proxy parameter in Firefox settings.
>> If it is a browser bug, the Firefox team resolved this compatibility issue a while ago: https://bugzilla.mozilla.org/show_bug.cgi?id=378637#c68
>> But still the issue persists, or I did miss something.
>> 
>> Thank you
>> Regards,
>> 
>> 

