<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">My effort so far:</font></p>
<p><font face="Calibri"><br>
acl SquidTLSErrorConnect ssl_error SQUID_TLS_ERR_CONNECT<br>
<br>
##############################<br>
#unsupported protocol definice<br>
##############################<br>
# define what Squid errors indicate receiving non-HTTP traffic:<br>
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG<br>
<br>
# define what Squid errors indicate receiving nothing:<br>
acl serverTalksFirstProtocol squid_error
ERR_REQUEST_START_TIMEOUT<br>
<br>
acl SquidSecureConnectFail squid_error ERR_SECURE_CONNECT_FAIL<br>
<br>
# tunnel everything that does not look like HTTP:<br>
on_unsupported_protocol tunnel foreignProtocol<br>
<br>
# tunnel if we think the client waits for the server to talk
first:<br>
on_unsupported_protocol tunnel serverTalksFirstProtocol<br>
<br>
#tunnel all for connection errors<br>
on_unsupported_protocol tunnel SquidTLSErrorConnect<br>
on_unsupported_protocol tunnel SquidSecureConnectFail<br>
<br>
<br>
# in all other error cases, just send an HTTP "error page"
response:<br>
on_unsupported_protocol respond all</font></p>
<p><font face="Calibri">This is how it changed the behaviour
(checked only with </font><font face="Calibri">redir.netcentrum.cz
so far)</font></p>
<p><font face="Calibri"><br>
1712126917.823 0 10.0.0.1 NONE_NONE/503 13605 GET
<a class="moz-txt-link-freetext" href="https://redir.netcentrum.cz/favicon.ico">https://redir.netcentrum.cz/favicon.ico</a> - HIER_NONE/- text/html
redir.netcentrum.cz<br>
1712126918.842 23 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz<br>
1712126918.881 0 10.0.0.1 NONE_NONE/503 13605 GET
<a class="moz-txt-link-freetext" href="https://redir.netcentrum.cz/favicon.ico">https://redir.netcentrum.cz/favicon.ico</a> - HIER_NONE/- text/html
redir.netcentrum.cz<br>
1712126919.116 21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz<br>
1712126919.156 0 10.0.0.1 NONE_NONE/503 13605 GET
<a class="moz-txt-link-freetext" href="https://redir.netcentrum.cz/favicon.ico">https://redir.netcentrum.cz/favicon.ico</a> - HIER_NONE/- text/html
redir.netcentrum.cz<br>
1712126918.839 19 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz<br>
1712126918.845 0 10.0.0.1 NONE_NONE/503 13605 GET
<a class="moz-txt-link-freetext" href="https://redir.netcentrum.cz/">https://redir.netcentrum.cz/</a>? - HIER_NONE/- text/html
redir.netcentrum.cz<br>
1712126919.113 19 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz<br>
1712126919.119 0 10.0.0.1 NONE_NONE/503 13605 GET
<a class="moz-txt-link-freetext" href="https://redir.netcentrum.cz/">https://redir.netcentrum.cz/</a>? - HIER_NONE/- text/html
redir.netcentrum.cz<br>
1712127729.466 66 10.0.0.1 TCP_MISS/200 719 GET
<a class="moz-txt-link-freetext" href="http://redir.netcentrum.cz/">http://redir.netcentrum.cz/</a>? - ORIGINAL_DST/46.255.231.158
text/html -<br>
1712127729.516 9 10.0.0.1 TCP_MISS/403 424 GET
<a class="moz-txt-link-freetext" href="http://redir.netcentrum.cz/favicon.ico">http://redir.netcentrum.cz/favicon.ico</a> -
ORIGINAL_DST/46.255.231.158 text/plain -<br>
1712127768.494 8 10.0.0.1 TCP_MISS/200 794 GET
<a class="moz-txt-link-freetext" href="http://redir.netcentrum.cz/">http://redir.netcentrum.cz/</a>? - ORIGINAL_DST/46.255.231.158
text/html -<br>
1712127768.544 7 10.0.0.1 TCP_MISS/403 424 GET
<a class="moz-txt-link-freetext" href="http://redir.netcentrum.cz/favicon.ico">http://redir.netcentrum.cz/favicon.ico</a> -
ORIGINAL_DST/46.255.231.158 text/plain -<br>
1712127833.348 9 10.0.0.1 TCP_MISS/200 794 GET
<a class="moz-txt-link-freetext" href="http://redir.netcentrum.cz/">http://redir.netcentrum.cz/</a>? - ORIGINAL_DST/46.255.231.158
text/html -<br>
1712127833.486 15 10.0.0.1 TCP_MISS/403 424 GET
<a class="moz-txt-link-freetext" href="http://redir.netcentrum.cz/favicon.ico">http://redir.netcentrum.cz/favicon.ico</a> -
ORIGINAL_DST/46.255.231.158 text/plain -<br>
1712129450.601 27 10.0.0.1 TCP_MISS/200 851 GET
<a class="moz-txt-link-freetext" href="http://redir.netcentrum.cz/">http://redir.netcentrum.cz/</a>? - ORIGINAL_DST/46.255.231.158
text/html -<br>
1712129450.688 8 10.0.0.1 TCP_MISS/403 424 GET
<a class="moz-txt-link-freetext" href="http://redir.netcentrum.cz/favicon.ico">http://redir.netcentrum.cz/favicon.ico</a> -
ORIGINAL_DST/46.255.231.158 text/plain -<br>
1712130278.514 54 10.0.0.1 TCP_MISS/200 795 GET
<a class="moz-txt-link-freetext" href="http://redir.netcentrum.cz/">http://redir.netcentrum.cz/</a>? - ORIGINAL_DST/46.255.231.158
text/html -<br>
1712130278.565 9 10.0.0.1 TCP_MISS/403 422 GET
<a class="moz-txt-link-freetext" href="http://redir.netcentrum.cz/favicon.ico">http://redir.netcentrum.cz/favicon.ico</a> -
ORIGINAL_DST/46.255.231.158 text/plain -<br>
1712130282.165 9 10.0.0.1 TCP_MISS/200 815 GET
<a class="moz-txt-link-freetext" href="http://redir.netcentrum.cz/">http://redir.netcentrum.cz/</a>? - ORIGINAL_DST/46.255.231.158
text/html -<br>
1712130282.222 8 10.0.0.1 TCP_MISS/403 424 GET
<a class="moz-txt-link-freetext" href="http://redir.netcentrum.cz/favicon.ico">http://redir.netcentrum.cz/favicon.ico</a> -
ORIGINAL_DST/46.255.231.158 text/plain -<br>
<br>
I can see clear change from GET https to GET http only. I have
to check what else does not work and why. (for example many
users complained about heureka.cz subdomains not openning right
with https.) I have to say - there many less competent admins in
the wild with selfsigned or unmatched certificates on their
websites, thinking they did the homework right. It is tough to
explaing to my users that the error page they are getting is not
a result of a faulty local gear - nor an attempt of the admin to
spy on them or to block some sites etc.</font></p>
<p><font face="Calibri">LL<br>
</font></p>
<div class="moz-cite-prefix">Dne 03.04.2024 v 8:14 Loučanský Lukáš
napsal(a):<br>
</div>
<blockquote type="cite"
cite="mid:82ae59b8-c835-4715-a836-418e8d44d33f@kjj.cz">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p><font face="Calibri">Hello,</font></p>
<p><font face="Calibri">this has recently started me up more then
let it go. For a while chrome is upgrading in-page links to
https. It is supposed to work something like
<a class="moz-txt-link-freetext"
href="https://www.bleepingcomputer.com/news/google/google-chrome-now-auto-upgrades-to-secure-connections-for-all-users/"
moz-do-not-send="true">https://www.bleepingcomputer.com/news/google/google-chrome-now-auto-upgrades-to-secure-connections-fo
r-all-users/</a></font></p>
<p><font face="Calibri">But there is a catch for me - my squid
returns something like:</font></p>
<p><font face="Calibri">(104) Connection reset by peer (TLS code:
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104)<br>
Failed to establish a secure connection: [No Error]<br>
</font></p>
<p><font face="Calibri">or</font></p>
<p><font face="Calibri">[No Error] (TLS code:
SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=1408F10B+TLS_IO_ERR=1)<br>
Failed to establish a secure connection: error:1408F10B:SSL
routines:ssl3_get_record:wrong version number</font></p>
<p><font face="Calibri">to the user - via error page<br>
</font></p>
<p><font face="Calibri">Log file:</font></p>
<p><font face="Calibri">1712122364.809 1172 10.0.0.1
NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 -
HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - -
ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph -
Error: ERR_SECURE_CONNECT_FAIL |
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104<br>
1712122366.296 23 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz
BumpMode peek - - - ServerNegoTLS - ServerRecTLS -
ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL
| SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104<br>
1712122366.293 21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz
BumpMode peek - - - ServerNegoTLS - ServerRecTLS -
ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL
| SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104<br>
1712122367.111 20 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz
BumpMode peek - - - ServerNegoTLS - ServerRecTLS -
ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL
| SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104<br>
1712122367.114 21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz
BumpMode peek - - - ServerNegoTLS - ServerRecTLS -
ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL
| SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104<br>
<br>
</font></p>
<p><font face="Calibri">In fact - this seems to be http only sites
like - <a class="moz-txt-link-freetext"
href="https://www.ssllabs.com/ssltest/analyze.html?d=www.jarovnet.org"
moz-do-not-send="true">https://www.ssllabs.com/ssltest/analyze.html?d=www.jarovnet.org</a>
or
<a class="moz-txt-link-freetext"
href="https://www.ssllabs.com/ssltest/analyze.html?d=redir.netcentrum.cz&s=46.255.231.158&latest"
moz-do-not-send="true">https://www.ssllabs.com/ssltest/analyze.html?d=redir.netcentrum.cz&s=46.255.231.158&latest</a>.
See this snapshot from centrum web mail page source code "Více
informací o tomto zapezpečení naleznete v <a
href=<a class="moz-txt-link-rfc2396E"
href="http://napoveda.centrum.cz/index.php?/Knowledgebase/Article/View/18/1/"
moz-do-not-send="true">"http://napoveda.centrum.cz/index.php?/Knowledgebase/Article/View/18/1/"</a>
"<br>
</font></p>
<p><font face="Calibri">So - what is supposed to be happening is
chrome should fallback to http if there is a problem with
https - i think the most obvious reason to fall back would be
no output at all. So I think my effort should target the
situation when squid says ERR_SECURE_CONNECT_FAIL |
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104 and to remain
silent to the client.</font></p>
<p><font face="Calibri">Is there a way to do it - ie. do not show
error page for not able to connect to server at all? I'd like
every other problems (ie. bad/selfsigned/not matched
certificate etc.) pushed to the client's eyes. I have
implemented <a class="moz-txt-link-freetext"
href="https://www.squid-cache.org/Doc/config/on_unsupported_protocol/"
moz-do-not-send="true">https://www.squid-cache.org/Doc/config/on_unsupported_protocol/</a>
like in the example - but it is for an accepted TCP
connections. I'd like to handle SSL errors - such as not being
able to connect at all. - could it be done with <a
class="moz-txt-link-freetext"
href="https://www.squid-cache.org/Doc/config/sslproxy_cert_error/"
moz-do-not-send="true">https://www.squid-cache.org/Doc/config/sslproxy_cert_error/</a>?</font></p>
<p><font face="Calibri">LL<br>
</font></p>
<p><br>
</p>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
</body>
</html>