[squid-users] SSL bump fails accessing .gov.uk servers
Steve Hill
steve at opendium.com
Fri Oct 31 18:20:52 UTC 2014
This is probably not a problem with Squid, but I'm posting here in the
hope that someone may have more clue than me when it comes to SSL :)
When accessing https://www.taxdisc.service.gov.uk/ through an SSL
bumping squid, I get:
-----
The following error was encountered while trying to retrieve the URL:
https://www.taxdisc.service.gov.uk/*
Failed to establish a secure connection to 62.25.101.198
The system returned:
(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: [No Error]
-----
Trying to connect with openssl directly also fails:
[steve at atlantis ~]$ openssl s_client -connect 62.25.101.198:443 -showcerts
CONNECTED(00000003)
140259944179584:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
If I force openssl into TLS1 mode (with the -tls1 argument) then it
works fine. TLS 1.1 and 1.2 both fail. However, shouldn't openssl be
negotiating the highest TLS version supported by both server and client?
It works correctly when Firefox connects directly to the web server
rather than going through the proxy.
So my question is: is the web server broken, or am I misunderstanding
something?
Many thanks.
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messenger: xmpp:steve at opendium.com
Email: steve at opendium.com
Phone: sip:steve at opendium.com
Sales / enquiries contacts:
Email: sales at opendium.com
Phone: +44-1792-825748 / sip:sales at opendium.com
Support contacts:
Email: support at opendium.com
Phone: +44-1792-824568 / sip:support at opendium.com
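The symptom described in this post (a handshake that succeeds only when the client is forced to TLS 1.0) is the classic signature of a version-intolerant server: in TLS the client advertises its highest supported version in the ClientHello, and the server is supposed to answer with the highest version it shares with the client, but a broken server aborts as soon as it sees a version number it does not recognise instead of negotiating down. The following diagnostic is an added example, not code from the original post or from the Squid project: it builds constructed ClientHello messages (with placeholder cipher suites and an all-zero random field) and parses them to show exactly which version a client is offering, which is the field an intolerant server chokes on. The helper names (`build_client_hello`, `parse_client_hello`, `highest_offered`) are this example's own.

```python
import struct

# Human-readable names for the two-byte protocol version fields.
VERSION_NAMES = {
    (3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2", (3, 4): "TLS 1.3",
}
SUPPORTED_VERSIONS_EXT = 43  # extension type used by TLS 1.3 clients


def build_client_hello(client_version, ciphers, supported_versions=None):
    """Construct a minimal ClientHello record (example/test data only).

    client_version is the legacy version tuple, e.g. (3, 3) for TLS 1.2;
    supported_versions, if given, adds the TLS 1.3 extension.
    """
    random_bytes = bytes(32)  # constructed placeholder, not real randomness
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (bytes(client_version) + random_bytes
            + b"\x00"                          # empty session id
            + struct.pack("!H", len(cs)) + cs  # cipher suite list
            + b"\x01\x00")                     # one compression method: null
    exts = b""
    if supported_versions:
        vs = b"".join(bytes(v) for v in supported_versions)
        ext = bytes([len(vs)]) + vs
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext)) + ext
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record layer: type 0x16 (handshake), record version TLS 1.0 for compat.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Parse a TLS ClientHello and return the version-related fields."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    client_version = (hello[0], hello[1])
    pos = 2 + 32                                # skip random
    sid_len = hello[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0]
               for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    pos += 1 + comp_len

    supported_versions = None
    if pos + 2 <= len(hello):                   # extensions are optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = edata[0]
                supported_versions = [(edata[1 + i], edata[2 + i])
                                      for i in range(0, n, 2)]
    return {
        "record_version": record_version,
        "client_version": client_version,
        "cipher_suites": ciphers,
        "supported_versions": supported_versions,
    }


def highest_offered(info):
    """Name of the highest version the client is offering to the server.

    A version-intolerant server aborts on this value instead of picking
    min(client_max, server_max); forcing the client down (openssl -tls1)
    changes this field, which is why that workaround succeeds.
    """
    versions = info["supported_versions"] or [info["client_version"]]
    top = max(versions)
    return VERSION_NAMES.get(top, "unknown %r" % (top,))


if __name__ == "__main__":
    for ver in [(3, 1), (3, 3)]:
        hello = build_client_hello(ver, [0xC02F, 0x002F])
        print(VERSION_NAMES[ver], "->", highest_offered(parse_client_hello(hello)))
```

To use this against a real capture, feed `parse_client_hello` the raw bytes of the first record the client sends (for example the payload of the first TCP segment in a packet capture) rather than the constructed hellos above; the TLS 1.0 hello will parse as offering "TLS 1.0" and the TLS 1.2 hello as "TLS 1.2", which is the difference between the working and failing handshakes in the post. From a defender's standpoint the fix belongs on the server (update its TLS stack); weakening the proxy's advertised version to match an intolerant server downgrades every client behind it.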