[squid-users] Gateway Proxy failure - but only with one browser ...

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 29 18:39:10 UTC 2020

On 30/04/20 6:16 am, Walter H. wrote:
> It is very probable that the following has the same reason - but I don't
> know what's causing it ...
> the old browser on old OS gives this
> <errorpage>
> While trying to retrieve the URL: https://mein.elba.hypo.at/*
> The following error was encountered:
>     * Failed to establish a secure connection to
> The system returned:
>     (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>     Handshake with SSL server failed: error:1407742E:SSL
> routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
> ...
> </errorpage>
> the  new browser works ...
> I thought that the SSL connection between browser and squid is different
> from the one between squid and server;
> how can there be a SSL handshake problem between squid and server when
> using an old browser?

For transparency and because TLS requirements are embedded in the
certificates Squid makes the connection to the server as close as
possible to the same properties the client connection uses.
 The change in browser thus affects both what Squid can pass on to the
server, and what can be passed back from the server to the client.



This is a misconfiguration. Please drop the DONT_VERIFY_PEER.

If the server is not validating using the CA certs you told Squid were
the *only* acceptible CAs:

  sslproxy_cafile /etc/squid/ca-bundle.trust.crt

... then either the contents of that file are wrong, or the server
connection is compromised. Determining the latter is the whole point of TLS.


More information about the squid-users mailing list