[squid-users] A bunch of SSL errors I am not sure why

Amos Jeffries squid3 at treenet.co.nz
Thu Jan 19 07:40:16 UTC 2017


On 19/01/2017 12:53 p.m., Sameh Onaissi wrote:
> Hello, Amos… all
> 
> Yuri, thanks for the reply.
> 
> 
> Amos,
> 
> I added (thanks to Eliezer):
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER

That is a spot-check config to see if TLS is fully broken or if the fix
can be done in Squid. It should never, ever, ever, be used in a
production proxy.

> to the config file. I am not too worried about the verification, since the accessed sites showing problems are government sites or local paying services/partners.
> 

The peer verify is not about whether communication to them is safe (it
might not be even when verify succeeds).

It is about whether you are actually communicating with the right
destination or with some hijacker responding to your TCP connections.

In other words, to check that the endpoint you are sending those
financial details to actually is your bank. Not mine.


The situation I am trying to get you to is checking that the certs
actually belong to the right entity, but ignoring some minor(-ish)
details like a missing CA in their cert chain, their bad choice of
cipher, etc.


> However, some sites are still showing the Handshake problem. https://ibin.co/38uz8akvWayM.png
> 
> You had previously replied to this saying:
> 
> "If you actually read that error message it tells you exactly what the
> problem is.
> 
> "Handshake with SSL server failed: [blah blah codes]: dh key too small"
> 
> The server is trying to use a Diffie-Hellman cipher with a too-short key.
> DH cipher with short keys has recently been broken. By recently I mean
> about a whole year ago."
> 
> However, I still wonder what the solution is. Is it possible to fix this? Who needs to fix it? Is it a Squid-side error? Is it an OS-level error?
> 

The only solution for that one is for the server admin to change/fix
their DH key settings to make it longer.

You are unlikely to be the only one having such a problem, so with any
luck they will fix it soon. You can try to contact their admin and tell
them about the problem.

Amos
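The two configurations contrasted above, written out as an added example (it is not part of the thread and not taken from Squid's documentation). Directive names are those of Squid 3.5; the domain names, the CA bundle path and the particular list of tolerated verification errors are illustrative assumptions:

```conf
# squid.conf fragment. Added example, not from the original thread.
# Domain names, file paths and the chosen error list are assumptions.

# --- Spot-check only: peer verification switched off entirely ---
# Any certificate, including one presented by a hijacker of the TCP
# connection, is accepted. Use only to diagnose, never in production.
#sslproxy_flags DONT_VERIFY_PEER
#sslproxy_cert_error allow all

# --- Corrected form: verify identity, tolerate only chosen minor errors ---

# Destinations known to ship a sloppy certificate chain (assumed names).
acl sloppy_sites dstdomain .example.gov .payments.example

# The only verification failures we are prepared to live with on those
# sites: an incomplete chain, i.e. the server omits its intermediate CA.
# Names are OpenSSL X509_V_ERR_* codes as accepted by the ssl_error ACL.
acl minor_errs ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT

# Both ACLs must match for the error to be ignored. Everything else
# (hostname mismatch, expired, self-signed, revoked, ...) still fails.
sslproxy_cert_error allow sloppy_sites minor_errs
sslproxy_cert_error deny all

# Better than ignoring the error: give Squid the missing CA certificate
# so the chain verifies normally (assumed path to a PEM bundle).
sslproxy_cafile /etc/squid/ca-bundle.pem
```

The `dh key too small` failure is not covered by any of this: it is OpenSSL refusing the server's ephemeral DH parameters before certificate verification even matters, so no `sslproxy_cert_error` rule changes the outcome. Before contacting the remote admin you can confirm the size they are sending with `openssl s_client -connect host:443 -cipher DHE` and read the `Server Temp Key: DH, N bits` line in its output.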
