[squid-users] SSL errors with Squid 3.5.27
squid3 at treenet.co.nz
Thu Jun 14 09:53:35 UTC 2018
On 14/06/18 09:20, Julian Perconti wrote:
> Here an example:
> openssl s_client -connect 188.8.131.52:443
> no peer certificate available
> No client certificate CA names sent
> SSL handshake has read 0 bytes and written 290 bytes
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> Protocol : TLSv1.2
> Cipher : 0000
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1528924452
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
The above says:
* do not encrypt this content
* disable all security checks
* disable all ability to become secure later
* send everything in plain-text format.
This is the "NULL" cipher (0000) which is forbidden in your
sslproxy_cipher config by "!aNULL:!eNULL:!LOW".
The existence of this cipher is one reason why a) TLS does not
necessarily make things secure, and b) making the proxy always "just
work" is not necessarily a good idea.
... so you now have the choice:
Do you *actually* want security?
if so, let the proxy block the traffic.
Do you want users to have the same experience as no-proxy gives?
if so, remove the cipher etc. restrictions you have improving security
at the proxy.
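As an added illustration (not part of the thread, and not Squid's own code): a small Python script that parses the `openssl s_client` session summary quoted above, reports whether any cipher suite is actually in effect, and expands an OpenSSL cipher string through Python's `ssl` module to show that `!aNULL:!eNULL:!LOW` leaves no NULL suite enabled. The sample summary is the quoted output trimmed to the relevant lines; the leading `ALL` in the cipher string is an assumption, since the thread only shows the exclusion part of the `sslproxy_cipher` value.

```python
import re
import ssl

# Constructed sample: the openssl s_client summary quoted in the thread,
# trimmed to the lines the parser cares about.
SAMPLE_SUMMARY = """\
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 290 bytes
New, (NONE), Cipher is (NONE)
Protocol  : TLSv1.2
Cipher    : 0000
Verify return code: 0 (ok)
"""

# Exclusions from the poster's sslproxy_cipher config; the leading "ALL" is an
# assumption so that the exclusions have a base list to act on.
SQUID_CIPHER_STRING = "ALL:!aNULL:!eNULL:!LOW"


def parse_s_client_summary(text: str) -> dict:
    """Pull the handshake facts out of an `openssl s_client` session summary."""
    info = {"read": None, "written": None, "protocol": None, "cipher": None}
    m = re.search(r"SSL handshake has read (\d+) bytes and written (\d+) bytes", text)
    if m:
        info["read"], info["written"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"^Protocol\s*:\s*(\S+)", text, re.M)
    if m:
        info["protocol"] = m.group(1)
    m = re.search(r"^Cipher\s*:\s*(\S+)", text, re.M)
    if m:
        info["cipher"] = m.group(1)
    return info


def session_is_protected(info: dict) -> bool:
    """True only if a real cipher suite is in effect.

    Cipher '0000' / '(NONE)' means no suite is agreed, a NULL suite means no
    encryption, and a handshake that read 0 bytes never got a ServerHello.
    None of these is made trustworthy by 'Verify return code: 0 (ok)'.
    """
    cipher = (info.get("cipher") or "").upper()
    if cipher in ("", "0000", "(NONE)", "NONE"):
        return False
    if "NULL" in cipher:
        return False
    return bool(info.get("read"))


def ciphers_enabled_by(cipher_string: str) -> list:
    """Expand an OpenSSL cipher string the way a TLS client would apply it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def null_ciphers_enabled_by(cipher_string: str) -> list:
    """Names of NULL (unencrypted) suites that the cipher string still permits."""
    return [n for n in ciphers_enabled_by(cipher_string) if "NULL" in n]


if __name__ == "__main__":
    info = parse_s_client_summary(SAMPLE_SUMMARY)
    print(info)
    print("protected:", session_is_protected(info))
    print("NULL suites permitted by", SQUID_CIPHER_STRING, "->",
          null_ciphers_enabled_by(SQUID_CIPHER_STRING))
```

Run it as-is to see the quoted summary classified as "not protected" and an empty list of NULL suites for the restricted cipher string; pass your own `sslproxy_cipher` value to `null_ciphers_enabled_by` to check a proposed relaxation before putting it in squid.conf.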