On tor, 2008-05-15 at 19:16 +0300, Jancs wrote:
> didn't got:
>
> i am on my machine trying to contact https://sourceforge.net/my/, my
> browser contacts "slave" cache, which in it's order connects to parent
> cache using ssl and parent is supposed to connect to the site I want.
> In no place use of http_port is intended
Ok, that explains it, assuming these SSL messages is from the parent and
not the proxy closest to the clients... There is a bug in Squid where it
can not forward CONNECT requests properly to ssl enabled peers. On
forwarded CONNECT requests it forgets to set up the SSL wrapper on the
connection.
It only "randomly" works if there happened to be a existing idle
persistent connection to the same peer that could be reused for the
CONNECT request.
This bug only manifests itself on CONNECT requests.
A workaround is to forward CONNECT requests over http as usual instead
of wrapping them in yet another ssl layer. Another workaround if you
really MUST wrap the CONNECT requests in SSL between the proxy servers
is to offload the SSL wrapper from Squid by using stunnel. Or the better
solution is to fix Squid to behave proper and establis the SSL wrapper
on CONNECT requests forwarded to ssl peers just as it does in normal
forwarded http requests...
Regards
Henrik
Received on Thu May 15 2008 - 18:43:17 MDT
This archive was generated by hypermail 2.2.0 : Tue Aug 05 2008 - 01:05:13 MDT