Exception page not returned when accessing blocked HTTPS website through explicit proxy with latest browser versions



If an explicitly proxied client attempts to access an HTTPS website that is blocked based on the content filtering rules that have been applied, the user will get a browser error instead of an exception page.

This behavior has been seen with Firefox 3.0.10 and above and with IE 8.  It is believed that the latest version of Opera (as of 29 June 2009) also demonstrates this behavior. 

It results from a change made to the browser to prevent possible "Man in the Middle" attacks occurring when a non-200 HTTP response is returned in response to an HTTP CONNECT.

The following Mozilla bug documents this change:



This is not a Proxy problem.

The following KB article gives a good step-by-step approach to working round this issue.   However, it is not possible to work around this issue without an SSL license:


If the preceding KB article does not prove helpful, then the following two workarounds which require SSL interception to be enabled will work in some circumstances:

The first possible solution, which requires enabling SSL interception is:

1. ALLOW all CONNECT requests. Deny anything that isn't SSL (for security).
2. Enable SSL interception on these CONNECT requests.

The second possible solution, which also requires enabling SSL interception is to replace any "Deny" actions in the Web Access Layer for HTTPS sites with "Notify User" actions. The "deny" action will return an exception which uses HTTP 403 responses. These are rejected by recent browsers as discussed above. Notify User actions instead use HTTP 200 responses, so browsers will happily accept this and display the message to the client.

Additional Information
Bug Number
InQuira Doc IdKB3787

Article Feedback

Did this Article solve your issue?
Additional Comments:
Previous MonthNext Month