[squid-users] Can't open some HTTPS with Squid 4.8

KOTOXJle6 23dmitry23 at gmail.com
Tue Sep 3 11:47:09 UTC 2019

I'm trying to set up Squid 4.8 on Ubuntu 18.04 LTS with HTTPS redirecting to
the Squid error page for sites in ACLs. Yesterday I faced a major problem: HTTPS
sites don't open normally in IE11/Edge and show a blank page only, and Squid
replaces the certificate. If I tap F5, sometimes the site opens like it should and
certificate replacement doesn't happen... and it doesn't work for all sites. I
couldn't pinpoint the dependencies. I can also open some sites like
rambler.ru, kanobu.ru, alexa.com normally. The most interesting thing is
that other browsers like Chrome, FF and even Opera open all sites like they
should, and spoof the cert + redirect to the error page only if the site is in the ACL.

What I already did:
- Disabled IPv6 on Squid host
- Disabled/Enabled TLS in IE in any variations
- Disabled SPDY/3

Bump settings in squid.conf:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
ssl_bump peek all

I have these errors in /var/log/squid/cache.log:

ERROR: negotiating TLS on FD 46: error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback (1/-1/0)

ERROR: negotiating TLS on FD 104: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure (1/-1/0)

ERROR: negotiating TLS on FD 27: error:1423406E:SSL routines:tls_parse_stoc_sct:bad extension (1/-1/0)

Error in access.log:

TCP_DENIED/407 4141 CONNECT i.ibb.co:443 - HIER_NONE/- text/html

The same configuration works well on Squid 4.1.

Sorry for the complicated description, I'm new here and it's really hard for me.

Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
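
An added example, not part of the original post and not Squid project code: a small Python triage script that groups the cache.log TLS negotiation errors quoted above by OpenSSL function and reason, and lists CONNECT requests answered with 407 (Proxy Authentication Required) separately, since those are not TLS failures. The log lines are the ones from the post with the mail line wrapping undone; all function names are hypothetical.

```python
import re
from collections import Counter

# cache.log: "ERROR: negotiating TLS on FD <n>: error:<hex>:<lib>:<func>:<reason> (<x>/<y>/<z>)"
TLS_ERR = re.compile(
    r"ERROR: negotiating TLS on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+?)"
    r"(?: \((?P<detail>[-\d/]+)\))?\s*$"
)
# access.log fields used here: "<result>/<status> <bytes> <method> <target>"
ACCESS = re.compile(
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3}) (?P<bytes>\d+) (?P<method>\S+) (?P<target>\S+)"
)

# Sample input: the lines quoted in the post, unwrapped.
CACHE_LOG = """\
ERROR: negotiating TLS on FD 46: error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback (1/-1/0)
ERROR: negotiating TLS on FD 104: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure (1/-1/0)
ERROR: negotiating TLS on FD 27: error:1423406E:SSL routines:tls_parse_stoc_sct:bad extension (1/-1/0)
"""
ACCESS_LOG = "TCP_DENIED/407 4141 CONNECT i.ibb.co:443 - HIER_NONE/- text/html\n"


def tls_errors(text):
    """Return one dict per TLS negotiation error found in cache.log text."""
    return [m.groupdict() for line in text.splitlines() if (m := TLS_ERR.search(line))]


def by_reason(errors):
    """Count errors per (OpenSSL function, reason) so distinct failure modes stand out."""
    return Counter((e["func"], e["reason"]) for e in errors)


def auth_challenges(text):
    """Targets of CONNECT requests that Squid answered with 407, i.e. asked for proxy auth."""
    hits = []
    for line in text.splitlines():
        m = ACCESS.search(line)
        if m and m["method"] == "CONNECT" and m["status"] == "407":
            hits.append(m["target"])
    return hits


if __name__ == "__main__":
    for (func, reason), n in by_reason(tls_errors(CACHE_LOG)).most_common():
        print(f"{n:3d}  {func}: {reason}")
    for target in auth_challenges(ACCESS_LOG):
        print(f"407 on CONNECT (proxy authentication required): {target}")
```
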
