<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>It looks like your SSL library does not contain SSLv3 protocol
      support any more, but the site announces it.<br>
    </p>
    <br>
    <div class="moz-cite-prefix">27.06.2016 20:42, Renato Jop writes:<br>
    </div>
    <blockquote
cite="mid:CAHha_zUDWQEFJjWgupS55gibNxSZ=gy--CfvQesYoPv6akciDQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">I removed NO_SSLv2,NO_SSLv3; however, right
        before the "SSL3_GET_RECORD:wrong version number" the "SSL
        routines:SSL23_GET_SERVER_HELLO:unknown protocol" is shown.<br>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div class="gmail_signature" data-smartmail="gmail_signature">Renato
            Jop<br>
          </div>
        </div>
        <br>
        <div class="gmail_quote">On Mon, Jun 27, 2016 at 8:29 AM, Yuri <span
            dir="ltr"><<a moz-do-not-send="true"
              href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <p>Try removing NO_SSLv2,NO_SSLv3 from options. SSLv2 is
                already not supported anywhere, and RC4/3DES are SSLv3
                ciphers, so it can confuse the software. I.e., you use
                custom cipher/protocol combinations, which can lead to
                issues.<br>
              </p>
              <br>
              <div>27.06.2016 20:25, Renato Jop writes:<br>
              </div>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>Thank you both for your valuable help.<br>
                      </div>
                      I've configured the tls-dh parameter with a strong
                      Diffie-Hellman group (2048 bits) and configured
                      the cipher as Yuri specified, and I was able to get
                      past the unknown cipher; however, now I get "SSL
                      routines:SSL3_GET_RECORD:wrong
                      version number". Here's the configuration I
                      changed:<br>
                      cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS<br>
                      dhparams=/etc/dh-parameters.2048<br>
                      options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE<br>
                      tls-dh=/usr/local/etc/squid/dhparams.pem<br>
                      <br>
                      <br>
                    </div>
                    <div class="gmail_extra"><br clear="all">
                      <div>
                        <div data-smartmail="gmail_signature">Renato Jop<br>
                        </div>
                      </div>
                      <br>
                      <div class="gmail_quote">On Sat, Jun 25, 2016 at
                        11:34 AM, Yuri Voinov <span dir="ltr"><<a
                            moz-do-not-send="true"
                            href="mailto:yvoinov@gmail.com"
                            target="_blank">yvoinov@gmail.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex"><span><br>
                            -----BEGIN PGP SIGNED MESSAGE-----<br>
                            Hash: SHA256<br>
                            <br>
                            <br>
                            <br>
                          </span>25.06.2016 23:09, Amos
                          Jeffries writes:<br>
                          <span>> On 26/06/2016 4:32 a.m., Yuri
                            Voinov wrote:<br>
                            >><br>
                            >> Amos, you are wrong.<br>
                            >><br>
                            >> No Squid-4. It's unstable and not
                            ready for production. Whatever its<br>
                            >> features.<br>
                            ><br>
                            > So some beta software has bugs,
                            therefore nobody should ever use it for<br>
                            > anything. I find that to be a strange
                            and sad view of the world.<br>
                            ><br>
                            > Care to guess why I listed it as the
                            last option amongst several?<br>
                            >  Or why 4.0.11 exists as a beta still?<br>
                            > It *is* an option for the mentioned
                            problem(s) though, whatever its<br>
                            utility.<br>
                          </span>Agreed.<br>
                          <span>><br>
                            ><br>
                            ><br>
                            >><br>
                            >> Some time ago I have the same issue
                            and know what happens exactly.<br>
                            >><br>
                            >> Skype initial connection site uses
                            RC4 cipher. Which is disabled in most<br>
                            >> squid's configuration.<br>
                            ><br>
                            > Your "know what happens exactly"
                            differs from at least two other peoples<br>
                            > debugging experiences with Skype.<br>
                            ><br>
                            > RC4 is on the hitlist for most of the
                            big vendors for the past year or<br>
                            > so. IIRC there were several Windows
                            Updates to remove it and other<br>
                            > broken bits from a lot of things over
                            the past year.<br>
                            > If Skype is still using RC4 it might be
                            part of this problem.<br>
                          </span>I'm sure this is a problem and this
                          problem exists. MS does nothing to make<br>
                          their sites/services more secure. BTW, MS
                          Updates uses RC4 ciphers itself<br>
                          at this time. With strong ciphers there is no way
                          to set up WU via Squid.<br>
                          I've spent much time identifying this problem
                          in my setup and finding a<br>
                          working workaround.<br>
                          <br>
                          Another part of the problem is: MS often uses its
                          own self-signed roots,<br>
                          which exist in Windows, but nowhere else.
                          And which have not been<br>
                          cross-signed by well-known root CAs. They
                          think it makes MS services<br>
                          more secure. They are wrong. But we can't do
                          anything about it. So this<br>
                          forced us to add self-signed MS roots to our
                          Squid's CA bundles to<br>
                          bump/splice.<br>
                          <span>><br>
                            ><br>
                            >><br>
                            >> To make it work (as with most M$
                            update sites) it simply requires using<br>
                            >> this cipher suite:<br>
                            >><br>
                            >>
                            HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS<br>
                            >><br>
                            >> That works for me in 5 SSL bumped
                            setups. It does not matter which Squid<br>
                            >> version is installed.<br>
                            ><br>
                            > Thank you. That's another option then.
                            I'd rate that below trying the EC<br>
                            > ciphers, and above library updates.<br>
                          </span>You are welcome.<br>
                          <br>
                          Just for information: MS has its own IT
                          infrastructure, with some strangely<br>
                          configured and not well-managed elements. I
                          can't guarantee this<br>
                          workaround will work everywhere or for every
                          MS service.<br>
                          <br>
                          When I did my research, I saw some
                          strange TLS security<br>
                          combinations on MS sites/services. I.e., for
                          example, RC4+ECDSA+TLSv1.2.<br>
                          Or, for example, RC4+MD5+TLSv1. And some
                          similar. Very idiotic and<br>
                          potentially dangerous combinations. And their
                          support ignores all<br>
                          requests. As usual.<br>
                          <br>
                          To my regret, I cannot order all of its users
                          to abandon the use of<br>
                          Windows. So far, my infrastructure has
                          machines with Windows XP.<br>
                          <br>
                          Nothing can be done about this; it is necessary
                          only to weaken the<br>
                          security - for the sake of compatibility.<br>
                          <span>><br>
                            ><br>
                            > Amos<br>
                            >
                            _______________________________________________<br>
                            > squid-users mailing list<br>
                            > <a moz-do-not-send="true"
                              href="mailto:squid-users@lists.squid-cache.org"
                              target="_blank">squid-users@lists.squid-cache.org</a><br>
                            > <a moz-do-not-send="true"
                              href="http://lists.squid-cache.org/listinfo/squid-users"
                              rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
                            <br>
                          </span><span>-----BEGIN PGP SIGNATURE-----<br>
                            Version: GnuPG v2<br>
                            <br>
                          </span>iQEcBAEBCAAGBQJXbsC5AAoJENNXIZxhPexGiFoH/jrtimBNppF1uHpVTNwOO10z<br>
yF2APMA56S8woNZzhUNjT8+oJFPrthnMoQFrqgicjS77SBAFp9KcOV+SxOKl9+sW<br>
OdAHDPuCD7dGnKzAdFDR1YR7Vp5IpElP1rFO5rqKXeBc3iKjq65BfF+T6atHy6cS<br>
0VAaluvqvHQps2wVKoYxGURDf3Y2K0lJn+qF+s2CaBwEufhzgKSvG0aUIDqTfHfK<br>
3EMQTpPtlTqm+pcexR+oZM1WE1hlES1khOXs51fgo6puPryqWJiHGvO4EBEfWoXF<br>
Skval2COzcdzMvC5jjfGbMEPNGNJrYUeq/KNgppRvE2wQJ+gCLYG317decKHty0=<br>
                          =8BTp<br>
                          -----END PGP SIGNATURE-----<br>
                          <br>
                          <br>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
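    <p>Added example, not part of the thread above and not Squid's own code: the
      thread's cipher string only helps when the local SSL library still ships
      the protocols and ciphers it names, and Yuri's last reply points out that
      the poster's library appears to lack SSLv3 support. Squid's NO_SSLv2 and
      NO_SSLv3 options map to OpenSSL SSL_OP_NO_* flags, which can disable a
      protocol but never re-enable one that was compiled out. The script below
      uses Python's ssl module to report which protocol versions the linked
      OpenSSL was built with and which cipher names the thread's cipher string
      actually expands to (OpenSSL ignores tokens it does not recognise, such
      as RC4 on a build without it, so a string can silently lose the very
      cipher the workaround depends on). It assumes Python's ssl module is
      linked against the same OpenSSL build as the proxy; if not, run it
      against that build's <code>openssl ciphers</code> output instead.</p>

```python
# Added example (not from the squid-users thread): check what the local
# OpenSSL build behind Python's ssl module actually supports before copying
# a cipher string such as the one discussed in the thread into squid.conf.
# Assumption: Python's ssl module links the same OpenSSL as the proxy.
import ssl

# Cipher string quoted in the thread (Yuri's workaround for RC4-only sites).
CIPHER_SPEC = "HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS"


def library_capabilities():
    """Report which SSL/TLS protocol versions the linked library was built with.

    A build without SSLv3 cannot talk to a server that only offers SSLv3,
    whatever squid.conf says: the NO_SSLv2/NO_SSLv3 options are OpenSSL
    SSL_OP_NO_* flags, which cannot re-enable a compiled-out protocol.
    """
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "sslv2": ssl.HAS_SSLv2,
        "sslv3": ssl.HAS_SSLv3,
        "tlsv1": ssl.HAS_TLSv1,
        "tlsv1_1": ssl.HAS_TLSv1_1,
        "tlsv1_2": ssl.HAS_TLSv1_2,
        "tlsv1_3": ssl.HAS_TLSv1_3,
    }


def enabled_ciphers(spec):
    """Expand an OpenSSL cipher string into the cipher names it enables here.

    OpenSSL silently drops tokens it does not know (e.g. RC4 on a build
    compiled without it) and only fails when nothing at all matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []  # no cipher could be selected at all
    return [c["name"] for c in ctx.get_ciphers()]


def has_cipher(spec, needle):
    """True if any enabled cipher name contains `needle` (e.g. 'RC4')."""
    return any(needle in name for name in enabled_ciphers(spec))


if __name__ == "__main__":
    caps = library_capabilities()
    print("Library:", caps["openssl_version"])
    for proto in ("sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2", "tlsv1_3"):
        print(f"  {proto:8s} supported: {caps[proto]}")
    names = enabled_ciphers(CIPHER_SPEC)
    print(f"\n{len(names)} ciphers enabled by the thread's cipher string")
    # OpenSSL names 3DES suites DES-CBC3-*, so look for that token, not '3DES'.
    for weak in ("RC4", "DES-CBC3"):
        print(f"  contains {weak}: {has_cipher(CIPHER_SPEC, weak)}")
```

    <p>If the report shows <code>sslv3</code> as unsupported and no RC4 cipher
      in the expanded list, the configuration change discussed in the thread
      cannot take effect on that host, and the remaining option is to let the
      proxy pass such traffic through without bumping rather than to weaken
      the cipher string further.</p>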
  </body>
</html>