[squid-users] SQUID 4.12 (Debian 10, OpenSSL 1.1.1d) - SSL bump no server hello
Amos Jeffries
squid3 at treenet.co.nz
Wed Jun 17 03:14:23 UTC 2020
Sent from my alcatel U5
On 17/06/2020 09:36, Lukáš Loučanský wrote:
> But - according to
> https://github.com/squid-cache/squid/commit/eec67f04490a477d69891c8b05a94bea05e5efbf
> GREASE - as unknown extensions are meant to be ignored (?). The same is said here
> https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/d_f6higCJzc
> But - this information is years old - so I guess squid already does the
> right thing.
>
This is not a safe assumption. Squid tries to use the TLS library for as much as possible, but there are many bits like extension handling which have to be rewritten for SSL-Bump to work. Those are all recent code additions.
> Anyway - with debug_options ALL,1 83,2:
>
> 2020/06/16 23:24:34.831 kid2| 83,2| client_side.cc(3180)
> parseTlsHandshake: error on FD 22: check failed: vMajor == 3
> exception location: Handshake.cc(119) ParseProtocolVersion
>
That is somewhat useful. The TLS version being received is not valid.
Amos