Fix regression in CONNECT authentication after rev.14142

diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 59296de841f75603dbff33c0e7558bac46785acb..d65ba2c4c7fbe0d2cb9b0d46e206e462233150af 100644 (file)
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -1442,13 +1442,6 @@ ClientRequestContext::sslBumpAccessCheck()
         return false;
     }
 
-    if (error) {
-        debugs(85, 5, "SslBump applies. Force bump action on error " << err_type_str[(error->type >= ERR_NONE && error->type < ERR_MAX) ? error->type : ERR_NONE]);
-        http->sslBumpNeed(Ssl::bumpBump);
-        http->al->ssl.bumpMode = Ssl::bumpBump;
-        return false;
-    }
-
     // Do not bump during authentication: clients would not proxy-authenticate
     // if we delay a 407 response and respond with 200 OK to CONNECT.
     if (error && error->httpStatus == Http::scProxyAuthenticationRequired) {
@@ -1457,6 +1450,13 @@ ClientRequestContext::sslBumpAccessCheck()
         return false;
     }
 
+    if (error) {
+        debugs(85, 5, "SslBump applies. Force bump action on error " << err_type_str[(error->type >= ERR_NONE && error->type < ERR_MAX) ? error->type : ERR_NONE]);
+        http->sslBumpNeed(Ssl::bumpBump);
+        http->al->ssl.bumpMode = Ssl::bumpBump;
+        return false;
+    }
+
     debugs(85, 5, HERE << "SslBump possible, checking ACL");
 
     ACLFilledChecklist *aclChecklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http);