[squid-users] reverse proxy Squid 4

Amos Jeffries squid3 at treenet.co.nz
Thu Jun 25 08:28:52 UTC 2020


On 25/06/20 2:57 am, Vieri wrote:
> Hi,
> 
> Today I just migrated from Squid 3 to Squid 4, and I found that a reverse proxy that was working fine before is now failing. The client browser sees this message:
> 
> [No Error] (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: [No Error]
> 
> This is how I configured the backend:
> 
> cache_peer 10.215.144.16 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/MY-CA/certs/W1_cert.cer sslkey=/etc/ssl/MY-CA/certs/W1_key_nopassphrase.pem sslcafile=/etc/ssl/MY-CA/cacert.pem ssloptions=NO_SSLv3,NO_SSLv2,NO_TLSv1_2,NO_TLSv1_1 sslflags=DONT_VERIFY_PEER front-end-https=on name=MyServer
> 

All options relating to SSLv2 are no longer supported in Squid-4+:
 <http://www.squid-cache.org/Versions/v4/RELEASENOTES.html#ss2.3>


> The NO_TLSv* options are because the backend server is an old Windows 2003 (which hasn't changed either).

Does it obey TLS/1.0 properly?

If so, you should only need to configure these for Squid-4+:
  tls-options=NO_SSLv3,NO_TLSv1_3 tls-min-version=1.0

If it is so broken that it cannot handle TLS 1.1 or 1.2 numbers in the
handshake (TLSv1.0 requires that it does), then you will need:
  tls-options=NO_SSLv3,NO_TLSv1_1,NO_TLSv1_2,NO_TLSv1_3


> 
> How can I debug this?
> 

Start with removing the "sslflags=DONT_VERIFY_PEER" so TLS information
gets checked instead of silently ignored.

Then reduce the ssloptions= as much as you can. Remove if possible. A
packet trace of what is being attempted will be useful then.


Amos

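Added example, not code from this thread or from the Squid project: a small POSIX shell probe that answers the two questions raised above (which TLS versions the backend actually completes, and whether its certificate verifies against the CA file once DONT_VERIFY_PEER is gone) and then prints the matching Squid 4 cache_peer tls-options/tls-min-version pair. It assumes the host and file paths from the quoted cache_peer line and an openssl binary whose s_client supports the -tls1* flags.

```shell
#!/bin/sh
# Added example: probe the origin server one TLS version at a time with
# openssl s_client, then print matching Squid 4 cache_peer tls-* options.
# Host and paths are assumed from the quoted cache_peer line; override via env.
BACKEND="${BACKEND:-10.215.144.16:443}"
CAFILE="${CAFILE:-/etc/ssl/MY-CA/cacert.pem}"
CERT="${CERT:-/etc/ssl/MY-CA/certs/W1_cert.cer}"
KEY="${KEY:-/etc/ssl/MY-CA/certs/W1_key_nopassphrase.pem}"

# Try one version ($1 is an s_client flag such as -tls1_2). Prints ok
# (handshake done, chain verified), unverified (handshake done, chain rejected:
# what sslflags=DONT_VERIFY_PEER was hiding) or fail (no handshake). A fail can
# also be the local OpenSSL security level refusing old ciphers, not the peer.
probe_version() {
    out=$(printf 'Q\n' | openssl s_client -connect "$BACKEND" "$1" \
          -CAfile "$CAFILE" -cert "$CERT" -key "$KEY" 2>&1) || true
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then echo fail
    elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then echo ok
    else echo unverified
    fi
}

# OpenSSL option name that disables one TLS version (1.0 is NO_TLSv1, not NO_TLSv1_0).
no_option() { case "$1" in 1.0) echo NO_TLSv1 ;; *) echo "NO_TLSv$(printf '%s' "$1" | tr '.' '_')" ;; esac; }

# $1 = space-separated versions the backend completed, e.g. "1.0 1.1 1.2".
# Disables SSLv3 plus every version that failed; minimum = lowest that passed.
squid_tls_options() {
    ok=" $1 " opts=NO_SSLv3 min=""
    for v in 1.0 1.1 1.2 1.3; do
        case "$ok" in
            *" $v "*) [ -n "$min" ] || min="$v" ;;
            *) opts="$opts,$(no_option "$v")" ;;
        esac
    done
    [ -n "$min" ] || { echo "backend completed no TLS handshake at all" >&2; return 1; }
    echo "tls-options=$opts tls-min-version=$min"
}

# Probes run only when invoked as: sh probe.sh probe
if [ "${1:-}" = probe ]; then
    accepted=""
    for pair in "1.0 -tls1" "1.1 -tls1_1" "1.2 -tls1_2" "1.3 -tls1_3"; do
        set -- $pair
        r=$(probe_version "$2"); echo "TLS $1: $r"
        [ "$r" = ok ] && accepted="$accepted $1"
    done
    squid_tls_options "$accepted"
fi
```

A backend that passes 1.0, 1.1 and 1.2 yields exactly the first line suggested above; one that only passes 1.0 yields the second line with tls-min-version=1.0 appended.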
