[squid-users] ssl_bump problems with pypi servers
Alex Rousskov
rousskov at measurement-factory.com
Fri May 29 18:27:22 UTC 2020
On 5/26/20 7:43 PM, hanxie wrote:

> The problem is that occasionally requests to "https://pypi.org" will
> time out.

I believe you are dealing with a TLS v1.3 server. TLS v1.3 fakes its
handshakes to pretend that they are TLS v1.2 handshakes. However, IIRC,
those fake handshakes do not end with a plain text ServerHelloDone
message like TLS v1.2 handshakes do. Squid v4.9 will wait for that plain
text ServerHelloDone which will never come from (some?) TLS v1.3
servers, leading to a timeout.

TLS v1.3-related improvements are currently available in Squid v5
(commit 4d714a3) or master/v6 (commits 699ade2 and cd29a42). The
corresponding v4 change is coming via
https://github.com/squid-cache/squid/pull/648

I do not know whether those changes will solve your specific problem,
but trying them could be the best next step.

HTH,

Alex.
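
The difference between the two server flights described in the message above, as an added example (not part of the original message and not Squid code): a small parser that reads only the plain text handshake records and reports the negotiated version and whether a ServerHelloDone was seen. Both flights are constructed byte strings, not captures, and every function name is hypothetical.

```python
import struct

HANDSHAKE, CCS, APPDATA = 22, 20, 23                      # TLS record content types
SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 2, 11, 14  # handshake message types
SUPPORTED_VERSIONS = 43                                   # extension carrying the real version

def records(buf):
    """Yield (content_type, payload) for each complete TLS record in buf."""
    i = 0
    while i + 5 <= len(buf):
        ctype, _legacy, length = struct.unpack_from("!BHH", buf, i)
        yield ctype, buf[i + 5:i + 5 + length]
        i += 5 + length

def negotiated_version(body):
    """Real protocol version from a ServerHello body (handshake header removed)."""
    legacy = struct.unpack_from("!H", body, 0)[0]   # 0x0303 even for TLS v1.3
    p = 35 + body[34] + 3   # version, random, session_id, cipher suite, compression
    if p + 2 > len(body):
        return legacy       # no extensions block: TLS v1.2 or older
    end = p + 2 + struct.unpack_from("!H", body, p)[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, p)
        if etype == SUPPORTED_VERSIONS and elen == 2:
            return struct.unpack_from("!H", body, p + 4)[0]
        p += 4 + elen
    return legacy

def inspect_flight(flight):
    """Return (version, saw_plaintext_server_hello_done) for a server's first flight."""
    hs = b"".join(p for t, p in records(flight) if t == HANDSHAKE)  # plain text only
    version, done, i = None, False, 0
    while i + 4 <= len(hs):
        mtype, mlen = hs[i], int.from_bytes(hs[i + 1:i + 4], "big")
        if mtype == SERVER_HELLO:
            version = negotiated_version(hs[i + 4:i + 4 + mlen])
        done = done or mtype == SERVER_HELLO_DONE
        i += 4 + mlen
    return version, done

# Constructed sample flights (hypothetical helpers, zeroed random and payloads).
def _rec(ctype, payload): return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload
def _msg(mtype, body): return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def _server_hello(cipher, exts=b""):
    ext = struct.pack("!H", len(exts)) + exts if exts else b""
    return _msg(SERVER_HELLO, b"\x03\x03" + bytes(32) + b"\x00" + cipher + b"\x00" + ext)
TLS12_FLIGHT = _rec(HANDSHAKE, _server_hello(b"\xc0\x2f") + _msg(CERTIFICATE, bytes(3)) + _msg(SERVER_HELLO_DONE, b""))
TLS13_FLIGHT = _rec(HANDSHAKE, _server_hello(b"\x13\x01", struct.pack("!HHH", 43, 2, 0x0304))) + _rec(CCS, b"\x01") + _rec(APPDATA, bytes(64))
```

In the TLS v1.3 flight everything after ServerHello travels in encrypted records, so a parser that keeps reading until it sees ServerHelloDone never finds one.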