[squid-users] SSL bump fails accessing .gov.uk servers

Marcus Kool marcus.kool at urlfilterdb.com
Fri Oct 31 23:09:04 UTC 2014


With OpenSSL 1.0.1e-fips :

openssl s_client -connect www.taxdisc.service.gov.uk:443         fails (tries TLS1.2)
openssl s_client -connect www.taxdisc.service.gov.uk:443 -ssl3   works

The webmail server of my ISP works like this: it uses only TLS1.0, so no TLS1.1 or TLS1.2,
but when connecting with
    openssl s_client -connect WEBMAIL:443 -tls1_2
the connection is automagically downgraded to TLS1.0.  Taxdisc does not do this.
Taxdisc does not negotiate, so the client must guess the desired protocol (SSL3 or TLS1.0)
and use that.

I do not know all details about TLS and downgrading rules but the server seems broken to me.
Firefox knows how to deal with it and Squid not yet.

Marcus
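
Added example (not code from this thread, from Squid or from the servers named in it): the same
probing that the openssl s_client commands above do by hand, done with Python's ssl module, plus a
classifier that tells a server that negotiates down from one that is version-intolerant, i.e. that
only completes the handshake when the client offers exactly the version it wants. The retry loop
that browsers used to hide this is also shown, with the caveat that it is an insecure downgrade:
whoever can break the first handshake can force the client onto the lowest version it still
accepts. The host/port arguments, function names and the two probe tables are constructed for the
example; they are not measurements of the hosts in the thread. SSLv3 cannot be offered by current
OpenSSL builds, so the -ssl3 probe from 2014 is not reproducible here.

```python
"""Probe a TLS server's version negotiation and classify the result.

Added example, not part of the squid-users thread. Host names, ports and
the sample probe tables below are constructed.
"""
import socket
import ssl
import sys
from typing import Dict, Optional, Tuple

# Maximum versions to offer, highest first. TLSVersion is an IntEnum, so
# its members compare in protocol order (TLSv1 < TLSv1_1 < ... < TLSv1_3).
OFFERS = [
    ssl.TLSVersion.TLSv1_3,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1,
]


def probe(host: str, port: int, max_version: ssl.TLSVersion,
          timeout: float = 5.0) -> Optional[str]:
    """One handshake with the ClientHello capped at max_version.

    Returns the negotiated version name ('TLSv1.2', ...) or None if the
    handshake failed. Roughly: openssl s_client -connect host:port -tls1_2
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # we diagnose negotiation, not trust
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = max_version
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level;
        # drop to level 0 so legacy-only servers can be probed at all.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass                            # builds without seclevel (e.g. LibreSSL)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def probe_all(host: str, port: int = 443) -> Dict[ssl.TLSVersion, Optional[str]]:
    """Offer each maximum version in turn, as the thread does by hand."""
    return {v: probe(host, port, v) for v in OFFERS}


def classify(results: Dict[ssl.TLSVersion, Optional[str]]) -> str:
    """Read a probe table (offered max version -> negotiated name or None).

    'negotiates'          every offer at or above the server's best version
                          succeeded: the server downgrades properly.
    'version-intolerant'  the best version works when offered exactly, but
                          offering anything higher makes the handshake fail.
    'unreachable'         no offer succeeded.
    """
    worked = [v for v, got in results.items() if got is not None]
    if not worked:
        return "unreachable"
    best = max(worked)
    failed_above = [v for v, got in results.items() if v > best and got is None]
    return "version-intolerant" if failed_above else "negotiates"


def browser_fallback(results: Dict[ssl.TLSVersion, Optional[str]]
                     ) -> Optional[Tuple[ssl.TLSVersion, str, int]]:
    """What browsers did in 2014: retry with a lower maximum version until
    a handshake succeeds. Returns (offer that worked, negotiated, attempts).
    Insecure: an attacker who drops the first handshakes forces the downgrade.
    """
    for attempt, v in enumerate(OFFERS, start=1):
        got = results.get(v)
        if got is not None:
            return (v, got, attempt)
    return None


# Constructed probe tables modelled on the two servers in the thread.
TAXDISC_LIKE = {            # only works when offered exactly TLS 1.0
    ssl.TLSVersion.TLSv1_3: None,
    ssl.TLSVersion.TLSv1_2: None,
    ssl.TLSVersion.TLSv1_1: None,
    ssl.TLSVersion.TLSv1: "TLSv1",
}
WEBMAIL_LIKE = {            # TLS 1.0 only, but negotiates down from any offer
    ssl.TLSVersion.TLSv1_3: "TLSv1",
    ssl.TLSVersion.TLSv1_2: "TLSv1",
    ssl.TLSVersion.TLSv1_1: "TLSv1",
    ssl.TLSVersion.TLSv1: "TLSv1",
}

if __name__ == "__main__":
    # Usage: python probe_tls.py host [port]; without arguments, use the sample.
    if len(sys.argv) > 1:
        table = probe_all(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    else:
        table = TAXDISC_LIKE
    for v, got in table.items():
        print(f"offer max {v.name:8s} -> {got or 'handshake failed'}")
    print("verdict:", classify(table))
```

Run it against a real host to get the four-row table; the verdict "version-intolerant" is the
condition the thread describes, where the client has to guess the protocol rather than let the
server negotiate it.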


On 10/31/2014 06:03 PM, Dieter Bloms wrote:
> Hi Steve,
>
> On Fri, Oct 31, Steve Hill wrote:
>
>> This is probably not a problem with Squid, but I'm posting here in the
>> hope that someone may have more clue than me when it comes to SSL :)
>
> ...
>
>> If I force openssl into TLS1 mode (with the -tls1 argument) then it
>> works fine.  TLS 1.1 and 1.2 both fail.  However, shouldn't openssl be
>> negotiating the highest TLS version supported by both server and client?
>
> but when the server is broken, it will not work.
> Have a look at:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=www.taxdisc.service.gov.uk
>
>> It works correctly when FireFox connects directly to the web server
>> rather than going through the proxy.
>
> Yes, the browsers have a workaround and try with different cipher suites
> when the first connect fails.
>
>> So my question is: is the web server broken, or am I misunderstanding
>> something?
>
> The webserver is broken.
>
>