[squid-users] Reverse proxy for HTTPS cloudfront server
philip.munaawa at appliansys.com
Tue Feb 14 09:48:12 UTC 2017
openssl test to reproduce the error:
openssl s_client -connect www.coursera.org:443 - FAILS (Testing with
cousera since it is also hosted on cloudfront, and uses TLS/SNI)
alert handshake failure:s23_clnt.c:757:
openssl s_client -connect www.coursera.org:443 -servername www.coursera.org
Also, with nginx, if I switch off the proxy_ssl_server_name flag, I get the
same openssl error as squid,
2017/02/14 09:20:39 [error] 23604#0: *6 SSL_do_handshake() failed (SSL:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure) while S
SL handshaking to upstream,..."
This makes me suspect that squid is not sending the servername ...
On 14 February 2017 at 02:40, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 14/02/2017 4:40 a.m., Philip Munaawa wrote:
> > I am trying to reverse proxy a site hosted on cloudfront, using the
> > https_port accel. I have the key/cert pair for the origin. The cloudfront
> > uses TLS/SNI to negotiate an SSL connection. However, when I try to
> > through the proxy, I get the error below in the logs:
> > Error negotiating SSL on FD 39: error:14094410:SSL
> > routines:SSL3_READ_BYTES:sslv3 alert handshake failure (1/0/0)
> > I have seen a similar issie with nginx, which was resolved by adding a
> > switch to send the server_host_name. see:
> > http://stackoverflow.com/questions/25329941/nginx-
> > Does squid (3.5.24) have a similar switch/functionality?
> The only thing that SSL23_SERVER_HELLO and SSL3_READ_BYTES have in
> common is that they are errors. So no they are not "similar".
> The server is closing the connection without reporting what the problem
> actually is. Squid-3.5 should already be sending SNI using the
> cache_peer hostname or request-URL hostname.
> has some hints from Dave Thompson on how to find out what is going on
> with the server.
> squid-users mailing list
> squid-users at lists.squid-cache.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the squid-users