[squid-users] ssl_bump peek in squid-3.5.3

Michael Hendrie michael at hendrie.id.au
Thu Apr 23 06:29:01 UTC 2015


Hi All

I’ve been running squid-3.4.x in tproxy mode with ssl_bump server-first for some time and it has been working great.

I have just moved to 3.5.3 to use peek to overcome some issues with sites that require SNI to serve up the correct certificate.  In most cases this works well, however I seem to have an issue that (so far) only affects the Safari web browser with certain sites.  As an example, https://twitter.com and https://www.openssl.org will result in a Safari error page “can’t establish a secure connection with the server”.  There is also a correlating entry in the cache.log: 'Error negotiating SSL connection on FD 45: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback (1/-1)'

Google shows some hits for this SSL error on other products, mostly nginx, but nothing suggested in those postings seems to have worked for me (setting specific SSL/TLS versions and ciphers).

If I use a different browser the above mentioned sites work as expected.  If I continue to bump ‘server-first’ for these problem sites they also load as expected in Safari, however I’m hoping to move to peek exclusively to overcome SNI issues.

Anyone experiencing the same thing or have any suggestions?  ssl_bump related config below:

https_port 8090 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl-bump.cer key=/etc/squid/ssl-bump.key
acl p8090 myportname 8090
acl step1 at_step SslBump1
#acl broken_peek dstdomain .twttr.com .twitter.com .facebook.com .openssl.org
#ssl_bump server-first broken_peek
ssl_bump peek step1
ssl_bump bump p8090

Thanks!

Michael
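The cache.log error quoted above is OpenSSL's SSL_R_INAPPROPRIATE_FALLBACK, which is raised when a ClientHello carries the TLS_FALLBACK_SCSV cipher suite value (RFC 7507) while the version the client offers is lower than the highest version the server side supports. The Python below is an added example, not part of the original post or of Squid: it decodes a constructed ClientHello and applies that server-side rule; the server maximum version is a parameter, not something read from the poster's setup.

```python
import struct

# RFC 7507 signalling cipher suite value that a client appends when it retries
# a handshake at a lower protocol version than it actually supports.
TLS_FALLBACK_SCSV = 0x5600
TLS_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def build_client_hello(client_version, cipher_suites):
    """Constructed minimal ClientHello (no extensions), used only to feed the parser."""
    body = struct.pack("!H", client_version) + b"\x11" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_version, [cipher suite ids]) from a TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 34 + 1 + body[34]                     # skip version(2), random(32), session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites

def check_fallback(record, server_max_version):
    """The RFC 7507 server rule OpenSSL enforces in ssl_bytes_to_cipher_list: SCSV present
    and client version below the server's best version means the handshake is refused."""
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return "inappropriate fallback"
    return "ok"

if __name__ == "__main__":
    # Constructed sample: a client retrying at TLSv1.0 with the SCSV set, against a TLSv1.2 server.
    hello = build_client_hello(0x0301, [0xC02F, 0x002F, TLS_FALLBACK_SCSV])
    version, suites = parse_client_hello(hello)
    print(TLS_NAMES[version], [hex(s) for s in suites], check_fallback(hello, 0x0303))
```

The refusal is the RFC 7507 downgrade protection working as designed: it fires only when the client's offered version and the server's highest supported version disagree while the SCSV is present, so the useful diagnostic is to compare those two values on the connection that fails.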

