On Fri 2008-01-25 at 08:42 +0200, Razard wrote:
> Question about basic user authentication on proxy.
>
> If user get http web page first times, the proxy respond to
> authenticate them unsecure as default, so what described on login
> windows on browser. But if user get https page, browser creates SSL
> connection and no warnings about plain text password.
>
> Question: if user get https page, their password sends to squid by SSL
> secure or same plain text as a http request?

The basic proxy authentication is the same plain text. It's then the CONNECT request that carries the proxy login credentials.

CONNECT is the HTTP method used by clients to set up a TCP tunnel over the proxy so they can negotiate SSL with the web server.

plain text CONNECT request/response

if successful [authenticated, allowed access, and connection established] SSL negotiation starts as normal, with the proxy acting as a dumb relay between the two just shuffling binary data in both directions.

Regards
Henrik
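
An added illustration of the reply above (not part of the original message): an audit helper that reads a CONNECT request as it appears on the client-to-proxy link and reports whether Basic proxy credentials are readable there. The request bytes, host, user name and the function name `audit_proxy_request` are constructed for this example.

```python
import base64

# Constructed sample: the cleartext CONNECT a browser sends to the proxy
# before any SSL negotiation with the web server begins.
SAMPLE_CONNECT = (
    b"CONNECT www.example.com:443 HTTP/1.1\r\n"
    b"Host: www.example.com:443\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n"
    b"\r\n"
)


def audit_proxy_request(raw: bytes) -> dict:
    """Report what is readable on the client-to-proxy link for one request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)

    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    finding = {"method": method, "target": target,
               "scheme": None, "user": None, "password_exposed": False}
    auth = headers.get("proxy-authorization")
    if not auth:
        return finding

    scheme, _, param = auth.partition(" ")
    finding["scheme"] = scheme
    if scheme.lower() == "basic":
        # Basic is base64 of "user:password": an encoding, not encryption.
        try:
            decoded = base64.b64decode(param.strip(), validate=True)
        except ValueError:  # malformed base64, nothing to report
            return finding
        user, sep, _password = decoded.decode("utf-8", "replace").partition(":")
        finding["user"] = user
        finding["password_exposed"] = bool(sep)
    return finding


if __name__ == "__main__":
    print(audit_proxy_request(SAMPLE_CONNECT))
```

The tunnel to the web server is encrypted only after this exchange, so the finding applies equally to `http` and `https` destinations.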
