[squid-dev] [PATCH] Handle SSL v2 Hello
Amos Jeffries
squid3 at treenet.co.nz
Tue Sep 1 06:13:52 UTC 2015
On 1/09/2015 5:32 p.m., Alex Rousskov wrote:
> Hello,
>
> The attached trunk and v3.5 patches allow Squid to splice SSLv3 and
> TLSv1 sessions that start with an SSL v2 Hello message. Such sessions
> are created, for example, by some SSL clients using OpenSSL v0.9.8 with
> default options. These patches do _not_ re-enable SSLv2 sessions support
> in trunk.
>
> Bumping TLSv1 sessions that start with SSL v2 Hello also appears to work.
>
>
> In my tests, attempts to bump SSLv3 sessions that start with SSL v2
> Hello message terminate during server handshake if Squid stares at the
> server certificate (i.e., if an "ssl_bump stare" rule matches at bumping
> step #2). When this happens, Squid logs the following error message:
>
> 2015/08/31 22:11:56.459| Error negotiating SSL on FD 14:
> error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry
> (1/-1/0)
>
> However, AFAICT, the same or similar problem exists in the unpatched
> Squid (for connections that start with SSL v3 Hello). It could be
> another bug or a deficiency of my test setup.

+1. Looks good to me.

Please apply to trunk ASAP. Or if you don't get this within an hour or so
I will apply it on your behalf so this can make 3.5.8.
Amos
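As an added illustration, not part of the thread or of the Squid patch, here is a small parser that distinguishes the SSLv2-compatible Client Hello framing discussed above from a plain SSLv3/TLS handshake record and reports the version the client advertises; the sample byte strings are constructed, and the function names are my own.

```python
# Added example (not from squid-dev or the patch): classify the first bytes a
# client sends and report the highest protocol version it advertises.
from typing import Optional, Tuple


def parse_client_hello(data: bytes) -> Optional[Tuple[str, int, int]]:
    """Return (framing, major, minor), or None if this is not a Client Hello.

    framing is "sslv2-hello" for the SSLv2-compatible CLIENT-HELLO framing
    (2-byte length header with the high bit set, message type 0x01) and
    "tls-record" for an SSLv3/TLS handshake record carrying a ClientHello.
    """
    if len(data) < 5:
        return None
    # SSLv2-compatible framing: high bit set => 2-byte header whose low 15
    # bits are the length; byte 2 is the message type (1 = CLIENT-HELLO) and
    # bytes 3-4 carry the highest version the client supports.
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        if length < 3 or data[2] != 0x01:
            return None
        return ("sslv2-hello", data[3], data[4])
    # SSLv3/TLS record: content type 0x16 (handshake), record version,
    # 2-byte length, then a 4-byte handshake header (type 0x01 = ClientHello)
    # followed by the client's maximum version.
    if data[0] == 0x16 and data[1] == 0x03 and len(data) >= 11:
        if data[5] != 0x01:
            return None
        return ("tls-record", data[9], data[10])
    return None


def version_name(major: int, minor: int) -> str:
    """Map a (major, minor) version pair to its protocol name."""
    names = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
             (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
    return names.get((major, minor), f"unknown({major}.{minor})")


# Constructed samples: an SSLv2-framed hello advertising TLSv1.0 (the shape
# an OpenSSL 0.9.8 client with default options produces) and a plain TLS
# record; trailing bytes are zero padding to the declared lengths.
SSLV2_FRAMED_TLS1_HELLO = bytes([0x80, 0x2E, 0x01, 0x03, 0x01]) + bytes(0x2E - 3)
TLS_RECORD_HELLO = (bytes([0x16, 0x03, 0x01, 0x00, 0x2F,
                           0x01, 0x00, 0x00, 0x2B, 0x03, 0x01]) + bytes(0x2B - 2))

if __name__ == "__main__":
    for sample in (SSLV2_FRAMED_TLS1_HELLO, TLS_RECORD_HELLO):
        framing, major, minor = parse_client_hello(sample)
        print(f"{framing}: client max version {version_name(major, minor)}")
```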