[squid-users] HTTPS Settings

Amos Jeffries squid3 at treenet.co.nz
Fri Dec 14 05:08:25 UTC 2018

On 14/12/18 5:39 pm, John Refwe wrote:
> Hi,
> I am writing about assistance with my SSL bump settings.
> My squid conf (this is a simple version I'm using to test this issue) looks as follows:
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache/squid
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> http_access allow all
> sslcrtd_children 2 startup=2 idle=1
> http_port 3129 ssl-bump generate-host-certificates=on cert=/home/Guyfer/ssl_bump.pem options=NO_SSL_v2 

FYI: SSLv2 support have been removed completely from Squid-4. That
includes things like "NO_SSL_v2".

> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> There are a few websites, one of which is https://opts.ssa.gov where I get an error I'm having trouble understanding in the logs.
> My browser shows a screen that reads: "Failed to establish a secure connection to The system returned: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE) Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message"... The cache logs contains the error "kid1| ERROR: negotiating TLS on FD 14: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)"

The weird message is from your OpenSSL library. Apparently the server
being contacted for this transaction is not responding with TLS.

> Now, if I were to modify the ssl bump settings to just be ssl_bump bump all (no peek), things seem to function fine. Am I running into a known limitation of server-first bumping? I have tried this on Squid 4.4 and Squid 4.3.

server-first is more equivalent to bumping at step3. You should use a
"stare" at step2 before bumping for more reliable behaviour. That may
not fix your issue though.

The best way to debug this further is to perform a packet capture of a
test transaction which is failing and look at what the server is sending
to Squid.


More information about the squid-users mailing list