[squid-users] TLS renegotiation failing between squids in hierarchy in Squid 4.

Manoj Wajekar manojwajekar93 at gmail.com
Wed Nov 11 15:19:37 UTC 2020


I am currently running squid-cache in a hierarchy setup, with TLS enabled throughout.

client --> child Squid --> parent Squid --> web server

Openssl version: 1.0.2k
This setup is working for 3.5.20.

But when I updated to squid 4 (tried 4.8, 4.11 and 4.13), the
initial HTTP request goes through, but TLS renegotiation is failing between
the child and parent squid for the following requests.

From the logs, it looks like the child squid is trying to initialize TLS
renegotiation using the old TLS session ID, but the parent squid is rejecting
session resumption.

I confirmed this behavior using the openssl s_client --reconnect option.

I tried to disable client-initiated TLS renegotiation by setting
tls-options=NO_TICKET (on the child squid), but it is affecting the behavior.

Are there any changes in the default TLS renegotiation behavior between squid
3.5 and 4.x?
Is there a way to disable client (child squid) initiated TLS
renegotiation in squid 4?

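The resumption check the poster describes (openssl s_client with -reconnect against the parent) can be scripted so that the result is a count rather than something read off the screen. The block below is an added example, not code from the thread or from the Squid project: it runs s_client against a host/port you supply (the wrapper and its placeholder host are assumptions) and parses the "New, ..." / "Reused, ..." handshake lines that s_client prints once for the initial connection and once per reconnect. A healthy peer yields one "New" and five "Reused"; a peer that rejects resumption yields six "New". The two sample outputs embedded at the bottom are constructed for the offline run, not captured from the poster's setup.

```python
"""Count resumed vs. fresh TLS handshakes in `openssl s_client -reconnect` output.

Added example (not from the squid-users thread). Assumptions: the s_client
summary line format "New|Reused, <proto>, Cipher is <cipher>", and that the
`openssl` binary is on PATH when run_reconnect_check() is used for real.
"""
import re
import subprocess
from typing import Dict, List

# s_client prints one summary line per handshake. With -reconnect it performs
# the initial connection plus five reconnects that attempt session resumption.
# Older OpenSSL (1.0.2) prints the protocol as "TLSv1/SSLv3", newer as "TLSv1.2".
_HANDSHAKE_RE = re.compile(r"^(New|Reused), ([\w./]+), Cipher is (\S+)$")


def parse_reconnect_output(output: str) -> Dict[str, object]:
    """Summarise New/Reused handshake lines from s_client output.

    resumption_ok is True only when the first handshake was fresh and every
    reconnect was resumed, i.e. the server honoured the session ID/ticket.
    """
    new = reused = 0
    protocols: List[str] = []
    for raw in output.splitlines():
        m = _HANDSHAKE_RE.match(raw.strip())
        if not m:
            continue  # CONNECTED(...), Session-ID, cert chain, etc.
        status, proto, _cipher = m.groups()
        if status == "Reused":
            reused += 1
        else:
            new += 1
        protocols.append(proto)
    return {
        "new": new,
        "reused": reused,
        "protocols": protocols,
        "resumption_ok": new == 1 and reused > 0,
    }


def run_reconnect_check(host: str, port: int, timeout: int = 30) -> Dict[str, object]:
    """Run s_client -reconnect against host:port and parse the result.

    Assumption: `openssl s_client -connect host:port -reconnect` is available;
    empty stdin makes s_client exit once the reconnect sequence is finished.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-reconnect"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_reconnect_output(proc.stdout.decode(errors="replace"))


# Constructed sample output: a peer that accepts resumption (1 New + 5 Reused).
SAMPLE_RESUMED = """CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3A7F...constructed...
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
"""

# Constructed sample output: a peer that rejects resumption (6 New, 0 Reused),
# the symptom described in the post. Note the 1.0.2-style protocol string.
SAMPLE_REJECTED = "CONNECTED(00000003)\n" + "".join(
    "New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n"
    "drop connection and then reconnect\n" for _ in range(6)
)

if __name__ == "__main__":
    # Replace with the parent proxy's TLS port to check a live peer:
    #   print(run_reconnect_check("parent.example.invalid", 3128))
    print("accepting peer:", parse_reconnect_output(SAMPLE_RESUMED))
    print("rejecting peer:", parse_reconnect_output(SAMPLE_REJECTED))
```

Running this from the child's host against the parent's listening port gives a quick yes/no on whether the parent is honouring resumption, independent of the proxy code paths; if the parent accepts resumption from s_client but the proxy-to-proxy handshakes still fail, the difference lies in what the child squid offers, which narrows the search to the child's TLS options.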