On 27/09/2013 1:31 a.m., Robert Fischer wrote:
> Dear squid developers and users,
>
> after upgrading our squid 2.7 setup to squid 3.3.8 we experience
> problems with a custom Java applet connecting to a HTTPS server.
>
> Both squid 2.7 and squid 3.3.8 are installed on the same machine and use
> the same configuration except the 'http_port' directive. (squid 3.3.8
> uses a copy of the squid 2.7 config file with configuration options
> adapted to the new squid 3.x syntax where necessary).
>
> With squid 2.7 *all* HTTP CONNECT requests from the applet (the applet
> issues a bunch of HTTPS requests to a single server) work just fine.
>
> With squid 3.3.8 however, the applet issues a couple of HTTPS requests
> and then hangs. Switching the Java proxy settings to the squid 2.7 port
> and starting the applet again solves the problem.
That seems very strange. It would not seem to be a Squid problem though
unless maybe the some.host.name resolved to a machine with IPv6
addresses and 3.3 was confusing the client by contacting one of those.
The behaviour changes in CONNECT request handling between 2.7 and 3.3
have only been in the areas of authentication and peer server relaying.
Given the request headers below those would seem extremely unlikely to
be relevant.
> The only apparent difference between squid 2.7 and squid 3.3.8 from
> clients perspective seems to be HTTP/1.0 vs. HTTP/1.1 in the proxy requests:
>
> connect using squid 2.7:
>
> CONNECT some.host.name:443 HTTP/1.1
> User-Agent: Java/1.7.0_17
> Host: some.host.name
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Proxy-Connection: keep-alive
>
> HTTP/1.0 200 Connection established
>
> connect using squid 3.3.8:
>
> CONNECT some.host.name:443 HTTP/1.1
> User-Agent: Java/1.7.0_17
> Host: some.host.name
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Proxy-Connection: keep-alive
>
> HTTP/1.1 200 Connection established
>
> Looking at the packet dumps taken from the client and internet facing
> NICs on the proxy there are no (at least according to my limited
> knowledge) apparent errors.
>
> So my question would be if there were any changes between the listed
> squid versions in handling HTTP CONNECT requests that might cause the
> above mentioned issue.
Two things here.
Firstly, keep-alive has no meaning on these CONNECT requests. They are a
request to open a tunnel to a given host:port and then *stop* HTTP on
those sockets. The proxy will setup the connection then keep shovelling
bytes back and forward between the client and server until one end
disconnects. Then it will close both server and client connections. End
of story.
Secondly, "Proxy-Connection:" is undefined in HTTP. It is a very old
experimental header created from a misunderstanding about what
Connection: header did in HTTP/1.0 and still happens to cause problems
all over the place with software written by people who think it has
useful meaning. If you have any say with the developers of that client
please try to get them to stop using it. They could also do with using a
proper User-Agent: header value, they are supposed to place the applet
software label/version.number either as the value or appended to the
relevant GUI U-A label(s).
Amos
Received on Thu Sep 26 2013 - 15:13:42 MDT
This archive was generated by hypermail 2.2.0 : Thu Sep 26 2013 - 12:00:04 MDT