You can't forge the HTTPS certificate of the visited site, so you will never be able to show an error.
Thank you for the answer.
So you cannot deny an http site without waiting for a timeout?
I don't understand why it should present any certificate of the "visited site", when in reality that site is DENIED in the proxy rules (as it appears in the log)?
In the log I can see, for example: CONNECT shavar.services.mozilla.com:443 action=deny, so I think the proxy should ignore this connect method.
In my mind it should work like this (but maybe I'm wrong):
- Client to proxy: please do a method CONNECT x.y:443
- Proxy: hmm, x.y is in my deny list, so my answer: hey dude, it is forbidden for you!
- Client to proxy: omg... should show something to the user (and not wait for any timeout!).
While with a separate squid proxy it works and the browser immediately shows "The proxy server is refusing connection", with my mikrotik (updated version, ccr1036 and rb750) the browser is just waiting for a response from the denied site.
I captured the proxy's answer, and I found the following differences:
- in the case of squid, the tcp payload carries not only the html headers, but also an html formatted message body,
- while in the case of mikrotik, the answer tcp packet payload only includes the html headers without a message body.
However, both cases carry the "forbidden 403" answer in the headers!
Is it really only my problem? Is there anybody who denies some https pages and can receive a fast deny response from his/her browser?
Thank you very much
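An added example, not part of the original post: one way to compare two captured proxy replies to a denied CONNECT, reporting the status code, whether a body is present, and whether the reply tells the client where the message ends. The two payloads are constructed for illustration (only the 403 status and the body/no-body difference come from the post; the header names and values are assumptions), and the function names are hypothetical.

```python
# Constructed sample payloads, not real captures from squid or RouterOS.
BODY = b"<html><body>Access denied</body></html>"
REPLY_WITH_BODY = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
                   b"Content-Length: " + str(len(BODY)).encode()
                   + b"\r\nConnection: close\r\n\r\n" + BODY)
REPLY_HEADERS_ONLY = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"


def inspect_proxy_reply(payload: bytes) -> dict:
    """Summarise the framing of one raw HTTP reply taken from a packet capture."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    clen = headers.get("content-length")
    declared = int(clen) if clen is not None and clen.isdigit() else None
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    closes = "close" in headers.get("connection", "").lower()
    return {
        "status": status,
        "headers_terminated": bool(sep),
        "body_bytes": len(body),
        "declared_length": declared,
        "body_complete": declared is not None and len(body) >= declared,
        # Heuristic: the reply states a length, uses chunking, or announces
        # that the connection will close, so the client knows where it ends.
        "end_signalled": bool(sep) and (declared is not None or chunked or closes),
    }


def differences(a: bytes, b: bytes) -> dict:
    """Return only the fields on which two captured replies disagree."""
    ra, rb = inspect_proxy_reply(a), inspect_proxy_reply(b)
    return {key: (ra[key], rb[key]) for key in ra if ra[key] != rb[key]}


if __name__ == "__main__":
    for field, (first, second) in differences(REPLY_WITH_BODY, REPLY_HEADERS_ONLY).items():
        print(f"{field}: with-body={first!r} headers-only={second!r}")
```

Feeding it the TCP payloads exported from a real capture shows whether the two proxies differ only in the body or also in the framing headers.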