[squid-users] Chrome auto-HTTPS-upgrade - not falling to http

Loučanský Lukáš technik at kjj.cz
Wed Apr 3 06:14:42 UTC 2024


Hello,

this has recently started me up more than let it go. For a while Chrome 
has been upgrading in-page links to https. It is supposed to work something 
like 
https://www.bleepingcomputer.com/news/google/google-chrome-now-auto-upgrades-to-secure-connections-for-all-users/

But there is a catch for me - my squid returns something like:

(104) Connection reset by peer (TLS code: 
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104)
Failed to establish a secure connection: [No Error]

or

[No Error] (TLS code: 
SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=1408F10B+TLS_IO_ERR=1)
Failed to establish a secure connection: error:1408F10B:SSL 
routines:ssl3_get_record:wrong version number

to the user, via the error page.

Log file:

1712122364.809   1172 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek 
- - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - 
Error: ERR_SECURE_CONNECT_FAIL | 
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122366.296     23 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek 
- - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - 
Error: ERR_SECURE_CONNECT_FAIL | 
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122366.293     21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek 
- - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - 
Error: ERR_SECURE_CONNECT_FAIL | 
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122367.111     20 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek 
- - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - 
Error: ERR_SECURE_CONNECT_FAIL | 
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122367.114     21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek 
- - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - 
Error: ERR_SECURE_CONNECT_FAIL | 
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104

In fact, these seem to be http-only sites like 
https://www.ssllabs.com/ssltest/analyze.html?d=www.jarovnet.org or 
https://www.ssllabs.com/ssltest/analyze.html?d=redir.netcentrum.cz&s=46.255.231.158&latest. 
See this snapshot from the Centrum webmail page source code: "Více informací 
o tomto zapezpečení naleznete v <a 
href="http://napoveda.centrum.cz/index.php?/Knowledgebase/Article/View/18/1/" 
"

So what is supposed to be happening is that Chrome should fall back to http 
if there is a problem with https. I think the most obvious reason to 
fall back would be no output at all. So I think my effort should target 
the situation when Squid says ERR_SECURE_CONNECT_FAIL | 
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104 and remain silent to the 
client.

Is there a way to do it, i.e. not show the error page when it is not able to 
connect to the server at all? I'd like every other problem (i.e. 
bad/self-signed/not matched certificate etc.) pushed to the client's 
eyes. I have implemented 
https://www.squid-cache.org/Doc/config/on_unsupported_protocol/ like in 
the example, but it is for accepted TCP connections. I'd like to 
handle SSL errors, such as not being able to connect at all. Could it 
be done with https://www.squid-cache.org/Doc/config/sslproxy_cert_error/?

LL
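
Added example, not part of the original message: a small Python triage of the access-log entries quoted above. It groups ERR_SECURE_CONNECT_FAIL entries per SNI by whether the server reset the handshake (errno=104) or answered with non-TLS bytes (TLS_LIB_ERR=1408F10B), to list hosts that look http-only. It assumes the field order of the post's log format; the category names, the `.example` hosts and the certificate detail in the last sample line are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (middle log fields shortened). The first two lines reuse
# the entry from the post; the other hosts and the last detail are made up.
ENTRY = ("1712122364.809 1172 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT "
         "46.255.231.158:443 - HIER_NONE/- - SNI {sni} BumpMode peek "
         "Error: ERR_SECURE_CONNECT_FAIL | {detail}")
SAMPLE = "\n".join([
    ENTRY.format(sni="redir.netcentrum.cz",
                 detail="SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104"),
    ENTRY.format(sni="redir.netcentrum.cz",
                 detail="SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104"),
    ENTRY.format(sni="plain-http.example",
                 detail="SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=1408F10B+TLS_IO_ERR=1"),
    ENTRY.format(sni="selfsigned.example",  # assumed rendering of a cert error
                 detail="X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"),
])
LINE_RE = re.compile(r"SNI (\S+) .*Error: (\S+) \| (\S+)")

def parse_detail(detail):
    # "A+K=V+K2=V2" -> (["A"], {"K": "V", "K2": "V2"})
    names, fields = [], {}
    for part in detail.split("+"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
        else:
            names.append(key)
    return names, fields

def classify(detail):
    names, fields = parse_detail(detail)
    if "SQUID_TLS_ERR_CONNECT" not in names:
        return "other"  # e.g. certificate problems: keep showing these
    if fields.get("TLS_LIB_ERR") == "1408F10B":  # "wrong version number"
        return "not-tls-reply"
    if fields.get("errno") == "104":  # "Connection reset by peer"
        return "reset-during-handshake"
    return "other-connect-failure"

def summarize(log_text):
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_host[m.group(1)][classify(m.group(3))] += 1
    return per_host
if __name__ == "__main__":
    print({host: dict(c) for host, c in summarize(SAMPLE).items()})
```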
