[squid-users] SSL handshake

Alex Rousskov rousskov at measurement-factory.com
Tue Jul 27 17:29:58 UTC 2021


On 7/27/21 11:45 AM, Vieri wrote:

> Just recently I've noticed that LAN clients going through Squid with sslbump are all of a sudden unable to access certain HTTPS sites such as login.yahoo.com.
> The squid log has lines like:
> 
> kid1| 4,3| Error.cc(22) update: recent: ERR_SECURE_CONNECT_FAIL/SQUID_ERR_SSL_HANDSHAKE+TLS_LIB_ERR=1423506E+TLS_IO_ERR=1
> 
> and the client error page shows a line like this:
> 
> SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=14094410+TLS_IO_ERR=1
> 
> I'm not sure why the lib error code is different. I might not have tracked down the right connection in the log.
> 
> I have not changed anything in the OS so it might be because of a change in the remote web service.
> It might be that my openssl version is already too old (1.1.1g), and that the web site forces the use of an unsupported cypher?


FWIW, I get the following additional info from my OpenSSL 1.1.1f (your
values may differ -- do check):

$ openssl errstr 1423506E
error:1423506E:SSL routines:ssl_next_proto_validate:bad extension

$ openssl errstr 14094410
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

The former looks like an NPN negotiation failure. More detailed analysis
is needed to confirm and get to the root cause. I doubt it is an OpenSSL
version issue though.


HTH,

Alex.
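For readers who want to decode codes like these without an `openssl` binary at hand, here is an added Python example that is not part of Alex's or Vieri's messages. It unpacks the OpenSSL 1.1.x error-code layout (8-bit library, 12-bit function, 12-bit reason), treats SSL-library reason codes of 1000 and above as TLS alerts received from the peer (OpenSSL's SSL_AD_REASON_OFFSET convention), and runs that over the two log fragments quoted above. The function-name table is taken from the `openssl errstr` output in the message; the `TLS_LIB_ERR` regex, the `parse_squid_tls_error` and `summarize` helpers, and the sample lines are assumed for illustration and are not Squid's own code.

```python
import re

# OpenSSL 1.1.x packs an error code as: 8-bit library | 12-bit function | 12-bit reason.
ERR_LIB_SSL = 20              # 0x14, printed by errstr as "SSL routines"
SSL_AD_REASON_OFFSET = 1000   # SSL reason codes >= 1000 are TLS alerts received from the peer

# TLS alert descriptions (RFC 5246 section 7.2.2, RFC 8446 section 6).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension", 112: "unrecognized_name", 120: "no_application_protocol",
}

# Non-alert SSL reason codes. Only the one shown by the errstr output in the message is
# listed here; extend from <openssl/sslerr.h> of the build you are debugging.
SSL_REASONS = {110: "bad extension"}

# Function codes, taken from the errstr output in the message (OpenSSL 3.x no longer encodes them).
SSL_FUNCS = {0x235: "ssl_next_proto_validate", 0x094: "ssl3_read_bytes"}

# Assumed shape of Squid's error token: [ERR_CATEGORY/]SQUID_DETAIL+TLS_LIB_ERR=hex[+TLS_IO_ERR=n]
SQUID_TLS_ERR = re.compile(
    r"(?:(?P<category>ERR_[A-Z_]+)/)?(?P<detail>SQUID_[A-Z_]+)"
    r"\+TLS_LIB_ERR=(?P<hex>[0-9A-Fa-f]{1,8})(?:\+TLS_IO_ERR=(?P<io>\d+))?"
)


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.1.x error code into its library, function and reason parts."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    lib_name = "SSL routines" if lib == ERR_LIB_SSL else f"lib {lib}"
    func_name = SSL_FUNCS.get(func, f"func {func}")
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        # The peer sent a fatal alert; OpenSSL just reports it. Look at the other side.
        alert = reason - SSL_AD_REASON_OFFSET
        reason_text = f"tls alert {TLS_ALERTS.get(alert, alert)}"
        peer_alert = True
    else:
        # OpenSSL itself rejected something it received (here: an NPN extension it disliked).
        reason_text = SSL_REASONS.get(reason, f"reason {reason}")
        peer_alert = False
    return {"lib": lib_name, "func": func_name, "reason": reason,
            "reason_text": reason_text, "peer_alert": peer_alert}


def parse_squid_tls_error(line):
    """Return the decoded TLS_LIB_ERR from one Squid log/error-page line, or None if absent."""
    m = SQUID_TLS_ERR.search(line)
    if not m:
        return None
    decoded = decode_openssl_error(int(m["hex"], 16))
    decoded.update({
        "category": m["category"],
        "detail": m["detail"],
        "code": m["hex"].upper(),
        "io_err": int(m["io"]) if m["io"] else None,
        "side": ("alert sent by the TLS peer (the origin server on a Squid server-side connect)"
                 if decoded["peer_alert"] else
                 "rejected locally by OpenSSL while validating the peer's handshake data"),
    })
    return decoded


def summarize(lines):
    """Decode every line that carries a TLS_LIB_ERR token, skipping the rest."""
    return [r for r in (parse_squid_tls_error(l) for l in lines) if r]


# Constructed sample: the two fragments quoted in the thread plus one unrelated line.
SAMPLE_LOG = [
    "kid1| 4,3| Error.cc(22) update: recent: ERR_SECURE_CONNECT_FAIL/"
    "SQUID_ERR_SSL_HANDSHAKE+TLS_LIB_ERR=1423506E+TLS_IO_ERR=1",
    "SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=14094410+TLS_IO_ERR=1",
    "kid1| 4,3| Error.cc(22) update: recent: ERR_ACCESS_DENIED",
]

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(f"{r['code']}: {r['lib']}:{r['func']}:{r['reason_text']} [{r['side']}]")
```

The useful split for debugging is the `peer_alert` flag: 14094410 is a handshake_failure alert that the origin server sent, so the answer lies in what that server accepts, while 1423506E is OpenSSL on the Squid side refusing an NPN extension it received, which is a different failure on a different connection. Note that OpenSSL's "sslv3 alert ..." wording only reflects the alert number's origin in the SSLv3 spec, not the protocol version that was negotiated.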
