[squid-users] FW: squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Eliezer Croitoru eliezer at ngtech.co.il
Mon Oct 10 09:41:55 UTC 2016


Thanks for updating!

May I ask what version of Linux you are running Squid on top of?
I have released a couple of RPMs and am working on releasing a drop-in tar.xz for Debian-based systems.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile+WhatsApp: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Marc
Sent: Sunday, October 9, 2016 11:51 PM
To: Vieri
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] FW: squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Hi Vieri,

Squid 4 fixes it, in my case. Same config, same system.

Regards,

Marc

On Thu, Oct 6, 2016 at 11:00 PM, Marc <gaardiolor at gmail.com> wrote:
> Hi Vieri,
>
> Sorry, copy/paste error, my bad. Please try:
>
> openssl s_client -quiet -connect www.google.com:443 -tls1 \
>   -cipher RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:DHE-DSS-DES-CBC3-SHA:DHE-DSS-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA \
>   < <(echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n")
>
> That one fails (at least with me). Squid replies with 503 Service
> unavailable, SQUID_ERR_SSL_HANDSHAKE.
>
> Now adding a random extension:
> openssl s_client -quiet -connect www.google.com:443 -tls1 \
>   -cipher RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:DHE-DSS-DES-CBC3-SHA:DHE-DSS-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA \
>   -serverinfo 12345 < <(echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n")
>
> That one succeeds (302 Found). At least with me. The extension doesn't
> have to be 12345, some regular ones do the trick as well. But openssl
> doesn't always include the existing ones correctly, so I used the
> dummy.
>
> Please let me know. If adding a random extension fixes the error with
> you too, well.. It could be a step in the right direction towards
> finding the cause of this problem.
>
> Marc
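
Added example, not part of the original thread: to confirm what differs between the two s_client handshakes above, the first TLS record of each (taken from a packet capture) can be decoded to list the offered cipher suites and the extension types, if any. The function names and the sample records are constructed for illustration, and the parser assumes the ClientHello fits in a single record.

```python
import struct

def client_hello_summary(record: bytes):
    """Return (cipher_suite_ids, extension_type_ids) for one TLS record that
    holds a whole ClientHello; extension list is None if no block is present."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if body[:1] != b"\x01" or len(hello) != int.from_bytes(body[1:4], "big"):
        raise ValueError("not a ClientHello, or it spans several records")
    pos = 2 + 32                      # skip client_version and random

    def take(width):                  # read one length-prefixed vector
        nonlocal pos
        if pos + width > len(hello):
            raise ValueError("truncated ClientHello")
        n = int.from_bytes(hello[pos:pos + width], "big")
        field = hello[pos + width:pos + width + n]
        if len(field) != n:
            raise ValueError("truncated ClientHello")
        pos += width + n
        return field

    take(1)                           # session_id
    suites = take(2)                  # cipher_suites
    take(1)                           # compression_methods
    ciphers = [int.from_bytes(suites[i:i + 2], "big") for i in range(0, len(suites), 2)]
    if pos == len(hello):             # hello ends here: no extensions block
        return ciphers, None
    block, exts, i = take(2), [], 0
    while i + 4 <= len(block):
        etype, elen = struct.unpack("!HH", block[i:i + 4])
        exts.append(etype)
        i += 4 + elen
    return ciphers, exts

def build_hello(suites, extensions=None):
    """Constructed sample input: a minimal TLS 1.0 ClientHello record."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    body = b"\x03\x01" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs + b"\x01\x00"
    if extensions is not None:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += len(ext).to_bytes(2, "big") + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

SUITES = [0x0004, 0x0005, 0x000A]     # RC4-MD5, RC4-SHA, DES-CBC3-SHA
print(client_hello_summary(build_hello(SUITES)))                  # no extensions block
print(client_hello_summary(build_hello(SUITES, [(12345, b"")])))  # dummy type 12345
```

Running it on the real first record from each of the two connections shows whether the `-serverinfo 12345` run differs only by the added extension type.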