[squid-users] FW: squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Marc gaardiolor at gmail.com
Sun Oct 9 20:51:23 UTC 2016


Hi Vieri,

Squid 4 fixes it, in my case. Same config, same system.

Regards,

Marc

On Thu, Oct 6, 2016 at 11:00 PM, Marc <gaardiolor at gmail.com> wrote:
> Hi Vieri,
>
> Sorry, copy/paste error, my bad. Please try:
>
> openssl s_client -quiet -connect www.google.com:443 -tls1 -cipher \
> RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:DHE-DSS-DES-CBC3-SHA:DHE-DSS-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA \
> < <(echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n")
>
> That one fails (at least with me). Squid replies with 503 Service
> unavailable, SQUID_ERR_SSL_HANDSHAKE.
>
> Now adding a random extension:
> openssl s_client -quiet -connect www.google.com:443 -tls1 -cipher \
> RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:DHE-DSS-DES-CBC3-SHA:DHE-DSS-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA \
> -serverinfo 12345 < <(echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n")
>
> That one succeeds (302 Found). At least with me. The extension doesn't
> have to be 12345, some regular ones do the trick as well. But openssl
> doesn't always include the existing ones correctly, so I used the
> dummy.
>
> Please let me know. If adding a random extension fixes the error with
> you too, well.. It could be a step in the right direction towards
> finding the cause of this problem.
>
> Marc
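
When comparing a failing and a succeeding client behind ssl-bump, it helps to confirm from a packet capture which extensions, if any, each ClientHello actually carries. The parser below is an added example, not part of the original messages and not Squid code; the function names and the sample hellos (three of the cipher suites from the command above, and one empty extension of type 12345) are constructed for illustration.

```python
def build_client_hello(suites, extensions=None) -> bytes:
    # Constructed sample input: TLS 1.0 hello, zeroed random, empty session id.
    body = b"\x03\x01" + bytes(32) + b"\x00"
    body += (2 * len(suites)).to_bytes(2, "big") + b"".join(s.to_bytes(2, "big") for s in suites)
    body += b"\x01\x00"                          # one compression method: null
    if extensions is not None:
        ext = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d for t, d in extensions)
        body += len(ext).to_bytes(2, "big") + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def parse_client_hello(record: bytes) -> dict:
    # Expects one TLS record holding one complete ClientHello (no fragmentation handling).
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("length field runs past the end of the ClientHello")
        pos += n
        return body[pos - n:pos]

    version = tuple(take(2))
    take(32)                                     # client random
    take(take(1)[0])                             # session id
    raw = take(int.from_bytes(take(2), "big"))   # cipher suites, 2 bytes each
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    take(take(1)[0])                             # compression methods
    has_block = pos < len(body)                  # the extensions block is optional
    ext_types = []
    if has_block:
        ext_len = int.from_bytes(take(2), "big")
        end = pos + ext_len
        while pos < end:
            ext_types.append(int.from_bytes(take(2), "big"))
            take(int.from_bytes(take(2), "big"))  # skip the extension data
    return {"version": version, "cipher_suites": suites,
            "has_extensions_block": has_block, "extensions": ext_types}

if __name__ == "__main__":
    for ext in (None, [(12345, b"")]):
        info = parse_client_hello(build_client_hello([0x0004, 0x0005, 0x000A], ext))
        print(info["has_extensions_block"], info["extensions"])
```

To use it on real traffic, pass the TCP payload of the client's first packet to `parse_client_hello`.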

