[squid-users] FW: squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Eliezer Croitoru eliezer at ngtech.co.il
Thu Sep 29 22:23:22 UTC 2016


Hey Vieri,

Just as a tiny reply I must admit that it's expected.
What you see is the result of squid and its SSL stack supporting the goal of a minimum specific version of SSL encrypted connections.
I am not sure, but there might be a way to make it all work for these clients.
Have you tried searching the squid-cache lists using google\yahoo\bing\other?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile+WhatsApp: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Vieri
Sent: Thursday, September 29, 2016 3:03 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Hi,

I'm running a Squid proxy like so:

http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem

The squid server certificate was self-generated:
openssl req -new -newkey rsa:2048 -sha256 -days 7300 -nodes -x509 -keyout /etc/ssl/squid/proxyserver.pem -out /etc/ssl/squid/proxyserver.pem

I configured my firewall rules appropriately and everything seems to work fine on systems such as Windows 7 32-bit/64-bit with IE11, IE8 or the latest Firefox.
However, I'm having trouble with Windows XP Pro SP3 and IE8.
On this client OS, Firefox 45.0.1 works fine with HTTP and HTTPS sites. However, IE8 on this same client OS works fine accessing HTTP sites but not HTTPS.

When I try to access google.com I first get a certificate warning (untrusted cert). That's the first flaw because I shouldn't get this page since the proxy server's certificate is in the IE Trust Store (under root certificates).
Then if I try to connect to google.com despite the "untrusted certificate" warning, I get the exception:

71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE) Handshake with SSL server failed: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry

I noticed that this browser/OS only has TLS up to 1.0 (no 1.2 or 1.1).

I can reproduce the same Squid exception on a Windows 7 IE8 system if I disable TLS 1.2 and only use TLS 1.1 and/or lower.

Any ideas?

Regards,

Vieri
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users