[squid-users] Gateway Proxy failure - but only with one browser ...

Walter H. Walter.H at mathemainzel.info
Wed Apr 29 18:16:42 UTC 2020


It is very probable that the following has the same cause, but I don't 
know what is causing it ...

The old browser on the old OS gives this:

<errorpage>
While trying to retrieve the URL: https://mein.elba.hypo.at/*

The following error was encountered:

     * Failed to establish a secure connection to 217.13.188.204

The system returned:

     (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

     Handshake with SSL server failed: error:1407742E:SSL 
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
...
</errorpage>

The new browser works ...

I thought that the SSL connection between browser and squid is different 
from the one between squid and server;
how can there be an SSL handshake problem between squid and server when 
using an old browser?


On 29.04.2020 19:26, Walter H. wrote:
> I have two squids,
>
> one does SSL bump (3.5 latest, CentOS 6)
> the other doesn't SSL bump (3.4 latest, CentOS 6)
>
> everything works,
>
> I have a site that uses SSL/TLS, and two different browsers (one in a 
> VM with old Windows),
>
> when I use the squid without SSL bump, the site works with both browsers,
>
> but when I use the squid with SSL bump, with the old browser I get a 
> "Gateway Proxy failure"
>
> the log shows this:
>
> host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
> host - - [29/Apr/2020:19:04:11 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info
>
> compared to the log when using the other browser ...
>
> host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
> host - - [29/Apr/2020:19:05:53 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 "https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT SNI:ssl.mathemainzel.info
>
> is this caused by the browser on old OS itself?
>
> squid.conf (of squid with SSL bump)
>
> reply_header_access Public-Key-Pins deny all
>
> reply_header_access Strict-Transport-Security deny all
> reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"
>
> ssl_bump peek step1
> ssl_bump splice nobumpsites
> ssl_bump stare step2
> ssl_bump bump all
>
> sslproxy_cafile /etc/squid/ca-bundle.trust.crt
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
> sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
> sslcrtd_children 8
>
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squidCA.pem options=NO_SSLv2,NO_SSLv3
>
>
> Thanks,
> Walter
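As an added example (not from the post and not Squid's own code), a small Python parser for the access.log format quoted above. It pairs each accepted CONNECT with the first request Squid then served inside that bumped tunnel, per client and SNI, and flags the 500/HIER_NONE pattern: HIER_NONE means Squid never forwarded to the origin, so the error was generated by Squid itself, as its own server-side handshake failure does. The sample lines are constructed from the post's two log excerpts.

```python
import re

# Constructed sample modelled on the two access.log pairs quoted in the post
# (format: client ident user [ts] "req" status bytes "referer" "ua" TAG:HIER SNI:name).
SAMPLE_LOG = """\
host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:04:11 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:05:53 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 "https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT SNI:ssl.mathemainzel.info
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<tag>[^:\s]+):(?P<hier>\S+) SNI:(?P<sni>\S+)$'
)


def parse_log(text):
    """Parse lines in the post's log format; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_bump_failures(rows):
    """For each accepted CONNECT (200), look at the first request Squid handled inside
    that bumped tunnel (same client and SNI). A 5xx with HIER_NONE there means Squid
    answered without reaching the origin. Returns (client, sni, user_agent) tuples."""
    pending = {}   # (client, sni) -> user agent of the CONNECT that opened the tunnel
    failures = []
    for r in rows:
        key = (r["client"], r["sni"])
        if r["method"] == "CONNECT":
            if r["status"] == "200":
                pending[key] = r["ua"]
            continue
        ua = pending.pop(key, None)
        if ua is None:
            continue                      # not the first request after a CONNECT
        if r["status"].startswith("5") and r["hier"] == "HIER_NONE":
            failures.append((r["client"], r["sni"], ua))
    return failures


def user_agents_failing(text):
    """Distinct user agents whose bumped tunnels failed, to compare against the
    user agents that succeed against the same SNI (as in the post's two browsers)."""
    return sorted({ua for _, _, ua in find_bump_failures(parse_log(text))})
```

On the constructed sample only the Firefox 2 user agent is reported; the PaleMoon pair ends in 200/HIER_DIRECT and is not flagged.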

