[squid-users] tls12_check_peer_sigalg:wrong signature type

Edouard Gaulué listes at e-gaulue.com
Fri Mar 13 12:08:42 UTC 2020

>> ERROR: negotiating TLS on FD 57: error:1414D172:SSL
>> routines:tls12_check_peer_sigalg:wrong signature type (1/-1/0)
> This is an error from your Squid machines OpenSSL library.
That's what I thought. I also have: tls_process_ske_dhe:dh_key_too_small 
for ssl server using SHA1.
>> openssl s_client -connect www.marches-securises.fr:443 is OK
>> I believed in the beginning, it was an intermediate certificate trouble,
>> but it doesn't look so. I read this :
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934453
>> I'm not sure squid is involved, but maybe some of you have already
>> overcome this kind of trouble through squid or openssl configuration.
> If you can get a packet trace and inspect the TLS messages with
> wireshark you should be able to determine what is actually happening.
> If you can find for certain what the cause of problem is we might be
> able to help with solutions (if not obvious to you by then).
Yes, that's a way. But as the provided link mentioned (and also some 
issues on SSLLabs), it often looks to be a trouble with SSL server 
configuration and even on big or prestigious sites.

I've set the "sslproxy_cert_error" option to "allow all", but despite 

Maybe there is a configuration to tell squid to allow (better than the 
one above) or to splice in case of such trouble with handshake?

Best regards, Edouard

More information about the squid-users mailing list