[squid-users] Chrome auto-HTTPS-upgrade - not falling to http
Alex Rousskov
rousskov at measurement-factory.com
Fri Apr 5 17:56:20 UTC 2024
On 2024-04-05 08:16, Loučanský Lukáš wrote:
> Build Info: GIT V6.8 commit 4bee0c8
>
> Could you please somehow elaborate how this seems to be working?
>
> acl SquidSecureConnectFail squid_error ERR_SECURE_CONNECT_FAIL
> acl SquidTLSErrorConnect ssl_error SQUID_TLS_ERR_CONNECT
>
> #tunnel all for connection errors
> on_unsupported_protocol tunnel SquidTLSErrorConnect
> on_unsupported_protocol tunnel SquidSecureConnectFail
Assuming the above rules have the desired effect, I speculate that, in
your particular test cases (where these rules have the desired effect),
the tested non-https origin servers result in those two Squid TLS
errors, those errors happen where on_unsupported_protocol still applies,
and the selected "tunnel" action tickles the right Chrome behavior. I
also speculate that not all non-https origin servers exhibit similar
behavior because other errors were alleged to (also) matter during PR
#1668 work (e.g., ERR_ZERO_SIZE_OBJECT).
Sorry, I currently do not have enough free time to verify any of the
above assumptions and speculations. Some of them do surprise me, but
that does not mean they have to be wrong/false.
> Is it a good or bad attempt? As I put redir.netcentrum.cz as an example
> in my first post - now it seems to just request TCP_MISS/200 815 GET
> http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -.
If there is no corresponding TLS connection attempt (through Squid)
before that, then Chrome has changed its behavior in your tests (or your
network has stopped delivering that attempt to Squid if your Squid is
intercepting Chrome TLS connections rather than receiving plain CONNECT
requests from Chrome). Without such an attempt, you are not really
testing what this thread calls "Chrome auto-HTTPS-upgrade"...
> I do not think my chrome just decided this site is http only and call it
> like this forever. I just did not see more SSL errors till yesterday. I
> do not say I haven't seen any (during some fairly short period) - such
> as SSL version errors, TLS inappropriate fallbacks, broken certs, no
> common ciphers etc. - but now I could not find a site that does not work
> (for me) - I have to ask my users.
Same "If there is no..." comment applies.
> Anyway - squid seemed to have slight
> problems downloading intermediate certificates - to work properly - so I
> had to create a collection of several ones for myself (and some root
> certificates too - for example from MS WU site etc.) - but this could be
> just trouble with my Debian underlying distro. (BTW I've already
> implemented transaction_initiator certificate-fetching acl and have
> http_access line for it)
This sounds like a completely separate issue. If you are suspecting that
Squid should get certain intermediate certificates but does not, check
Bugzilla, and, if there is no corresponding bug report, file a new one.
HTH,
Alex.
> On 03.04.2024 at 17:05 Alex Rousskov wrote:
>> On 2024-04-03 02:14, Loučanský Lukáš wrote:
>>
>>> this has recently started me up more than let it go. For a while
>>> chrome is upgrading in-page links to https.
>> Just to add two more pieces of related information to this thread:
>>
>> Some Squid admins report that their v6-based code does not suffer from
>> this issue while their v5-based code does. I have not verified those
>> reports, but there may be more to the story here. What Squid version
>> are _you_ using?
>>
>> One way to track progress with this annoying and complex issue is to
>> follow the following pull request. The current code cannot be
>> officially merged as is, and I would not recommend using it in
>> production (because of low-level bugs that will probably crash Squid
>> in some cases), but testing it in the lab and providing feedback to
>> authors may be useful:
>>
>> https://github.com/squid-cache/squid/pull/1668
>>
>> HTH,
>>
>> Alex.
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> https://lists.squid-cache.org/listinfo/squid-users
>
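Alex's check above ("if there is no corresponding TLS connection attempt through Squid before that, you are not really testing the auto-HTTPS-upgrade") can be made mechanical by correlating access.log entries. The script below is an added example for this thread, not code from Squid or from either poster: it assumes Squid's default "squid" logformat (timestamp, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type), and the log lines in it are constructed for illustration (the GET line mirrors the one quoted in the thread; the others are made up). It treats a CONNECT entry (the form Squid logs for both explicit CONNECT and intercepted TLS) as the "TLS attempt" and reports plain-HTTP GETs from the same client that had no such attempt to the same host or origin IP within a short window; those are the hosts whose behaviour tells you nothing about the upgrade-and-fallback path.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default "squid" logformat
# (%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt).
# Only the redir.netcentrum.cz GET mirrors the thread; the rest is invented.
SAMPLE_LOG = """\
1712300000.100     12 10.0.0.5 NONE_NONE/200 0 CONNECT 46.255.231.158:443 - HIER_NONE/- -
1712300000.150     45 10.0.0.5 TCP_MISS/200 815 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html
1712300001.000     30 10.0.0.5 TCP_MISS/200 512 GET http://plain.example.test/ - ORIGINAL_DST/192.0.2.10 text/html
1712300002.000     20 10.0.0.7 TCP_TUNNEL/200 0 CONNECT tls.example.test:443 - ORIGINAL_DST/192.0.2.20 -
1712300002.300     40 10.0.0.7 TCP_MISS/200 700 GET http://tls.example.test/ - ORIGINAL_DST/192.0.2.20 text/html
"""

# One regex for the default native format; fields are whitespace separated and
# the hierarchy field is "CODE/peer" (peer is "-" when there is none).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)


def parse_line(line):
    """Parse one access.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    return rec


def target_keys(rec):
    """Names a record can be correlated on: the URL host and the peer IP.

    Intercepted TLS is often logged as CONNECT ip:443 with no hostname, so the
    origin IP (ORIGINAL_DST/...) is the only thing linking it to the later GET.
    """
    keys = set()
    url = rec["url"]
    if rec["method"] == "CONNECT":
        host = url.rsplit(":", 1)[0]          # CONNECT URLs are "host:port"
    else:
        host = urlsplit(url).hostname or ""
    if host:
        keys.add(host.lower())
    if rec["peer"] not in ("-", ""):
        keys.add(rec["peer"])
    return keys


def find_unpaired_plain_http(log_text, window=10.0):
    """Return hosts fetched over plain HTTP with no preceding TLS attempt.

    A GET counts as paired when the same client logged a CONNECT to the same
    host or origin IP at most `window` seconds earlier. Unpaired hosts are the
    ones that do not exercise Chrome's upgrade-then-fallback behaviour at all.
    """
    tls_attempts = defaultdict(list)   # correlation key -> [(ts, client), ...]
    unpaired = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        keys = target_keys(rec)
        if rec["method"] == "CONNECT":
            for k in keys:
                tls_attempts[k].append((rec["ts"], rec["client"]))
            continue
        if not rec["url"].startswith("http://"):
            continue
        paired = any(
            rec["ts"] - window <= ts <= rec["ts"] and client == rec["client"]
            for k in keys
            for ts, client in tls_attempts.get(k, [])
        )
        if not paired:
            unpaired.append(urlsplit(rec["url"]).hostname)
    return unpaired


if __name__ == "__main__":
    for host in find_unpaired_plain_http(SAMPLE_LOG):
        print("plain HTTP without a prior TLS attempt:", host)
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; if you use a custom logformat, adjust LINE_RE to match. Correlating on the origin IP as well as the hostname matters in intercept deployments, where the logged CONNECT frequently carries only ip:443.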