Hi
FYI I am using squid-2.4.STABLE7.
I read all the archives about the IE6 SP1 problem not being able to
authenticate through squid. There definitely is a bug in IE6 SP1 that is
not present in IE5 and plain IE6. For a number of workstations I could
solve the problem by:
1. Installing the MS critical updates Q810847 and Q813951
2. And by disabling the "Show friendly http error messages" in Tool -
Internet options - Advanced tab of IE6
However on some windows XP clients the problem is not solved???
Another thing I saw was that when I tried to authenticate with an XP
client not being able to authenticate with squid-2.4.STABLE7, it works
ok with squid-2.2.STABLE4. I recorded the authentication session of that
winXP client with the two different squids and this is the result
(captured with tcpdump and displayed with ethereal):
A. Session with squid-2.4.STABLE7 (simplified a bit)
Source Destination Protocol
Info
wc-winxp.able.be wc-test.able.be TCP 1066 >
3128 [SYN]
wc-test.able.be wc-winxp.able.be TCP 3128 >
1066 [SYN, ACK]
wc-winxp.able.be wc-test.able.be TCP 1066 >
3128 [ACK]
wc-winxp.able.be wc-test.able.be HTTP GET
http://www.google.be/ HTTP/1.0
wc-test.able.be wc-winxp.able.be TCP 3128 >
1066 [ACK]
wc-test.able.be wc-winxp.able.be HTTP HTTP/1.0
407 Proxy Authentication Required
wc-test.able.be wc-winxp.able.be TCP 3128 >
1066 [FIN, ACK]
wc-winxp.able.be wc-test.able.be TCP 1066 >
3128 [ACK]
wc-winxp.able.be wc-test.able.be HTTP GET
http://www.google.be/ HTTP/1.0
wc-test.able.be wc-winxp.able.be TCP 3128 >
1066 [RST]
wc-winxp.able.be wc-test.able.be TCP 1066 >
3128 [FIN, ACK]
wc-test.able.be wc-winxp.able.be TCP 3128 >
1066 [RST]
B. Session with squid-2.2.STABLE4
Source Destination Protocol
Info
wc-winxp.able.be wc-test.able.be TCP 1066 >
3128 [SYN]
wc-test.able.be wc-winxp.able.be TCP 3128 >
1066 [SYN, ACK]
wc-winxp.able.be wc-test.able.be TCP 1066 >
3128 [ACK]
wc-winxp.able.be wc-test.able.be HTTP GET
http://www.google.be/ HTTP/1.0
wc-test.able.be wc-winxp.able.be TCP 3128 >
1066 [ACK]
wc-test.able.be wc-winxp.able.be HTTP HTTP/1.0
407 Proxy Authentication Required
wc-test.able.be wc-winxp.able.be TCP 3128 >
1066 [FIN, ACK]
wc-winxp.able.be wc-test.able.be TCP 1066 >
3128 [ACK]
wc-winxp.able.be wc-test.able.be TCP 1066 >
3128 [FIN, ACK]
wc-test.able.be wc-winxp.able.be TCP 3128 >
1066 [ACK]
wc-winxp.able.be wc-test.able.be HTTP GET
http://www.google.be/ HTTP/1.0
wc-test.able.be wc-winxp.able.be TCP 3128 >
1066 [RST]
wc-winxp.able.be wc-test.able.be TCP 1066 >
3128 [FIN, ACK]
wc-test.able.be wc-winxp.able.be TCP 3128 >
1066 [RST]
wc-winxp.able.be wc-test.able.be TCP 1066 >
3128 [SYN]
wc-test.able.be wc-winxp.able.be TCP 3128 >
1066 [SYN, ACK]
wc-winxp.able.be wc-test.able.be TCP 1066 >
3128 [ACK]
wc-winxp.able.be wc-test.able.be HTTP GET
http://www.google.be/ HTTP/1.0
wc-test.able.be wc-winxp.able.be TCP 3128 >
1066 [ACK]
wc-test.able.be wc-winxp.able.be HTTP HTTP/1.0
200 OK
See the difference? By analyzing the headers of the swuid answer (what a
great tool ethereal is), is see only one difference:
1. squid-2.4.STABLE7 gives a:
Proxy-Connection: Keep-Alive
2. squid-2.2.STABLE4 gives a:
Proxy-Connection: close
That's why this IE bug does not happen with older versions of squid.
Does anyone know how to force squid-2.4.STABLE7 to close the connection
in stead of keeping it alive?
Also is this correct reasoning: after a proxy authentication the
connection should always be finished by the browser even if keep-alive
header is present? Or is this to be considered a bug in squid?
Thanks and regards
-- Wim Ceulemans R&D Engineer Secure Internet Communication with aXs Guard Able NV Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09 E-mail: wim.ceulemans@able.be -- Security check done by aXs GUARD (http://www.axsguard.com)Received on Thu Apr 10 2003 - 02:56:58 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:54 MST