Why do I see the “Cannot connect to site using HTTPS” browser message instead of the usual “Site is blocked” page?

Important

The current version of the Web Safety Virtual Appliance at https://www.diladele.com/virtual_appliance.html fixes this issue: it first lets the CONNECT tunnel succeed and then blocks the first request sent through that tunnel. Users now see the Blocked Page for HTTPS requests too. Note that blocking inside the tunnel is only possible when the proxy decrypts the HTTPS traffic, so the clients must trust the proxy's root certificate.

If your browser is configured to use the proxy explicitly and a user goes to a blocked site (for example https://facebook.com), the following sequence of events occurs:

  1. The browser opens a plain HTTP connection to the proxy server and sends CONNECT facebook.com:443 HTTP/1.1 to request a tunnel to Facebook.
  2. Squid hands this request to the Web Safety ICAP server for inspection.
  3. The ICAP server sees that the Facebook domain is blocked and returns a “403 Blocked” HTTP response to Squid.
  4. Squid forwards this “403 Blocked” response to the browser as the reply to the CONNECT request.
  5. The browser expected a “200 Connection established” reply followed by the TLS handshake with Facebook. Instead it receives a 403 response with an HTML body. Browsers do not render the body of a failed CONNECT, because a page shown under the https://facebook.com origin could otherwise be forged by any intermediary on the path, so the user sees the browser's own generic “Cannot connect to site using HTTPS” message instead of the 403 Blocked page.
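As an added illustration (example code written for this page, not part of Web Safety or Squid), the Python script below plays both sides of the exchange above: a mock proxy that stands in for Squid plus the ICAP server and answers CONNECT for a constructed block list with a 403 page, and a client that sends CONNECT the way an explicit-proxy browser does and parses the reply. The host names, the block list and the 403 page body are made up for the example. The fixed behaviour from the Important note (let the tunnel succeed, then block the first request inside it) is not shown, because it needs the proxy to terminate TLS with a mimicked certificate.

```python
import socket
import socketserver
import threading

# Constructed sample policy for the mock proxy (not Diladele's or Squid's real list).
BLOCKED_DOMAINS = {"facebook.com", "www.facebook.com"}


class BlockingProxyHandler(socketserver.StreamRequestHandler):
    """Stand-in for Squid plus the ICAP server: answers a CONNECT to a blocked
    host with a 403 response (the old behaviour described in steps 2 to 4)."""

    def handle(self):
        request_line = self.rfile.readline().decode("latin-1").rstrip("\r\n")
        # Drain the request headers up to the blank line.
        while True:
            line = self.rfile.readline()
            if not line or line in (b"\r\n", b"\n"):
                break
        parts = request_line.split()
        if len(parts) != 3 or parts[0] != "CONNECT":
            self.wfile.write(b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n")
            return
        host = parts[1].rsplit(":", 1)[0].lower()
        if host in BLOCKED_DOMAINS:
            # Steps 3 and 4: the 403 Blocked page comes back as the reply to CONNECT.
            body = b"<html><body><h1>403 Blocked</h1></body></html>"
            self.wfile.write(b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
                             b"Content-Length: %d\r\n\r\n" % len(body) + body)
        else:
            # A real proxy would now open host:443 and relay bytes in both
            # directions; the mock only signals that the tunnel is up.
            self.wfile.write(b"HTTP/1.1 200 Connection established\r\n\r\n")


def connect_through_proxy(proxy_host, proxy_port, target, port=443):
    """Step 1 as the browser does it: send CONNECT target:port through an explicit
    proxy and parse the reply. Returns (status_code, reason, body_bytes)."""
    with socket.create_connection((proxy_host, proxy_port), timeout=5) as sock:
        request = (f"CONNECT {target}:{port} HTTP/1.1\r\n"
                   f"Host: {target}:{port}\r\n\r\n")
        sock.sendall(request.encode("ascii"))
        reader = sock.makefile("rb")
        status_line = reader.readline().decode("latin-1").rstrip("\r\n")
        _version, status, reason = status_line.split(" ", 2)
        headers = {}
        while True:
            line = reader.readline()
            if not line or line in (b"\r\n", b"\n"):
                break
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        body = b""
        if status != "200":
            # Only a failed CONNECT carries a body; after a 200 the next bytes
            # on the wire would be the browser's TLS ClientHello, not HTTP.
            body = reader.read(int(headers.get("content-length", "0")))
        return int(status), reason, body


def browser_outcome(status):
    """How a browser treats the proxy's answer to CONNECT (step 5)."""
    if status == 200:
        return "tunnel up: start the TLS handshake with the origin server"
    # Any other status: the body is discarded, not rendered, because HTML
    # supplied by the proxy would otherwise be shown under the https:// origin.
    return "generic 'Cannot connect to site using HTTPS' error; 403 page discarded"


def start_mock_proxy():
    """Start the mock proxy on an ephemeral localhost port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), BlockingProxyHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_demo():
    """Run one blocked and one allowed CONNECT against the mock proxy."""
    server, port = start_mock_proxy()
    try:
        results = {}
        for target in ("facebook.com", "example.org"):
            status, reason, body = connect_through_proxy("127.0.0.1", port, target)
            results[target] = {"status": status, "reason": reason, "body": body,
                               "browser": browser_outcome(status)}
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for target, r in run_demo().items():
        print(f"{target}: {r['status']} {r['reason']} -> {r['browser']}")
```

The same check against a real Squid instance can be done without a browser: `curl -v -x http://proxy:3128 https://facebook.com/` prints the proxy's reply to CONNECT in its verbose output and aborts with an error naming the 403 status, which confirms that the block page is being returned at the CONNECT stage rather than inside the tunnel.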

This is a known limitation of all major browsers. For more information see https://bugzilla.mozilla.org/show_bug.cgi?id=479880 and the “Delayed error responses” section of http://wiki.squid-cache.org/Features/MimicSslServerCert.