[squid-users] SQUID_ERR_SSL_HANDSHAKE
Walter H.
Walter.H at mathemainzel.info
Fri Jun 28 15:03:33 UTC 2019
This is in my squid.conf:
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"   <-- e.g. www.google.com
ssl_bump stare step1 all
ssl_bump splice nobumpsites
ssl_bump bump all
acl brokenButTrusted dstdomain "/etc/squid/brokenbuttrustedsites-acl.squid"   <-- contains e.g. download.microsoft.com
acl certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
...
acl squidSslHandshake ssl_error SQUID_ERR_SSL_HANDSHAKE
sslproxy_cert_sign_hash sha256
sslproxy_cert_error allow brokenButTrusted
sslproxy_cert_error deny all
sslproxy_cafile /etc/squid/ca-bundle.trust.crt
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
sslcrtd_children 8
On 28.06.2019 16:34, L.P.H. van Belle wrote:
> the SSL3_GET_MESSAGE?
> Maybe because they only support TLSv1.2?
> It's long ago I've seen a site well configured for once with its TLS
> settings.
> So most probably, you're downgrading the connection within the proxy
> settings to sslv3.
> And sharing your config might help to see that.
> Greetz,
> Louis
>
> *From:* squid-users
> [mailto:squid-users-bounces at lists.squid-cache.org] *On behalf of* Walter H.
> *Sent:* Friday 28 June 2019 16:21
> *To:* squid-users at lists.squid-cache.org
> *Subject:* [squid-users] SQUID_ERR_SSL_HANDSHAKE
>
> Hello,
>
> at some specific hosts
> this is shown in cache.log
> 2019/06/28 16:11:12 kid1| Error negotiating SSL on FD 17: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)
>
> and this is the error page I get
>
> Failed to establish a secure connection to .../
>
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)/
> Handshake with SSL server failed: error:1408E0F4:SSL
> routines:SSL3_GET_MESSAGE:unexpected message
>
> what is causing this?
>
> in case someone wants to try: https://www.3bg.at/
> (when disabling SSL-bump no problem)
>
> Thanks,
> Walter
>
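An added example, not part of the original message and not Squid's own code: a small Python triage script that parses the "Error negotiating SSL" cache.log line quoted above, decodes the packed OpenSSL error code, and counts failures per function/reason. It assumes the OpenSSL 1.0/1.1 error layout (8 bits library, 12 bits function, 12 bits reason) and that the trailing triple is ssl_error/ret/errno; every sample line except the first is constructed.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the cache.log entry quoted in the thread;
# lines 2-4 are made up for this example.
SAMPLE_LOG = """\
2019/06/28 16:11:12 kid1| Error negotiating SSL on FD 17: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)
2019/06/28 16:11:13 kid1| unrelated line (constructed)
2019/06/28 16:12:40 kid1| Error negotiating SSL on FD 23: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)
2019/06/28 16:13:05 kid1| Error negotiating SSL on FD 31: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?P<kid>kid\d+)\| "
    r"Error negotiating SSL on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*) "
    r"\((?P<ssl_error>-?\d+)/(?P<ret>-?\d+)/(?P<errno>-?\d+)\)\s*$"
)

def unpack_error_code(code_hex):
    """Split a packed OpenSSL 1.0/1.1 error code into (lib, func, reason) ids."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_line(line):
    """Return a dict for a handshake-error line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["lib_id"], rec["func_id"], rec["reason_id"] = unpack_error_code(rec["code"])
    for key in ("fd", "ssl_error", "ret", "errno"):
        # Assumed field order of the trailing triple: ssl_error/ret/errno.
        rec[key] = int(rec[key])
    return rec

def summarize(log_text):
    """Count handshake failures per (OpenSSL function, reason) pair."""
    records = filter(None, map(parse_line, log_text.splitlines()))
    return Counter((r["func"], r["reason"]) for r in records)

if __name__ == "__main__":
    for (func, reason), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {func}: {reason}")
```

Grouping by function and reason separates protocol-level failures such as the one in this thread from certificate validation failures, which call for different fixes.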