Re: handling 1xx responses

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 4 Sep 2002 15:48:25 +0200

Robert Collins wrote:

> > As the application of TLS is almost end-to-end the CONNECT method is
> > needed when using proxies.
>
> The CONNECT method is needed if the proxy does not support TLS itself,
> or if the client does not trust the proxy.

Or if the client needs to use TLS end-to-end, which is a quite common
requirement.

You cannot proxy TLS without seriously impairing the protocol. TLS -> TLS
gatewaying/proxying is not TLS.

> > The only exception in terms of Squid is when Squid is used as a
> > transparent proxy. It should then detect the presence of Upgrade: TLS/1.0
> > in the request and switch to tunnel mode (and use CONNECT to any peer
> > proxies when forwarding, internally swallowing the 200 reply).
>
> I think that squid should do this regardless. I.e. treat transparent and
> non-transparent the same for Upgrade: TLS/1.0

Why? I see absolutely no reason why we should do anything else than intended by
the RFC.

If we receive an Upgrade: TLS/1.0 request and it is not transparently
redirected then it is our responsibility to process the request as if it were a
request to connect to one of our https_port, just as it is for an origin
server supporting Upgrade: TLS/1.0.

If it was transparently redirected to us then it is our responsibility to
tunnel the request to the origin server.

Regards
Henrik
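As an added illustration (not code from the thread, nor from Squid), the decision rule described above in Python: a CONNECT is tunnelled as-is, an Upgrade: TLS/1.0 request that was intercepted is tunnelled to the origin, and one addressed to the proxy is handled as if it had arrived on an https_port. The sample requests, the function names and the host:80 default for intercepted traffic are assumptions.

```python
from dataclasses import dataclass

# Constructed sample requests (not taken from the thread).
UPGRADE_REQ = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
               b"Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")
CONNECT_REQ = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"

@dataclass
class Decision:
    action: str  # "tunnel", "local_tls", "connect_tunnel" or "forward"
    target: str  # host:port the proxy must reach, "" when handled locally

def _parse(raw: bytes):
    """Split the request head into method, request-target and a header map."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers

def _tokens(headers: dict, name: str) -> set:
    return {t.strip().lower() for v in headers.get(name, []) for t in v.split(",")}

def decide(raw: bytes, transparent: bool) -> Decision:
    method, target, headers = _parse(raw)
    if method == "CONNECT":
        # Explicit end-to-end tunnel: relay bytes to the target untouched.
        return Decision("connect_tunnel", target)
    # RFC 2817 requires the token in both Upgrade and the hop-by-hop Connection
    # header; an Upgrade header on its own is forwarded as plain HTTP.
    wants_tls = ("tls/1.0" in _tokens(headers, "upgrade")
                 and "upgrade" in _tokens(headers, "connection"))
    host = headers.get("host", [""])[0]
    if not wants_tls:
        return Decision("forward", host)
    if transparent:
        # Intercepted: we are not the intended TLS endpoint, so tunnel to the
        # origin (sending CONNECT to a peer proxy if one is in the path).
        return Decision("tunnel", host if ":" in host else host + ":80")
    # Addressed to us: answer 101 and terminate TLS ourselves (https_port).
    return Decision("local_tls", "")

def peer_tunnel_ready(reply_head: bytes) -> bool:
    """True when a peer answered our CONNECT with 2xx; the proxy swallows that reply."""
    status = reply_head.split(b"\r\n", 1)[0].split(b" ")
    return len(status) >= 2 and status[0].startswith(b"HTTP/") and status[1][:1] == b"2"
```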
Received on Wed Sep 04 2002 - 07:48:27 MDT