<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p>Thanks for the reply, Amos. A few follow-up questions:</p>
<p>1) Setting <span style="white-space: pre-wrap; font-size: 12pt;">dynamic_cert_mem_cache_size=0 does solve the issue. However, I fail to understand why caching the cert allows the connection to continue on SSLv3, on a port where I've disabled it. Isn't cert exchange done after the protocol has been selected? I don't think curl is rejecting the cert, but rather the SSL connection fails to establish before the cert exchange, since I also tried with the following command, which ignores cert errors:
<span> </span></span></p>
<p><span style="white-space: pre-wrap; font-size: 12pt;"><span>curl -k -vv -x https://127.0.0.1:3128 https://uatmail02.cimb.com -ssl3</span></span></p>
<p><span style="white-space: pre-wrap; font-size: 12pt;"><span><br>
</span></span></p>
<p><span style="white-space: pre-wrap; font-size: 12pt;"><span></p>
<div>root@madmin-VirtualBox:/home/madmin/# curl -k -vv -x https://127.0.0.1:3128 https://uatmail02.cimb.com -ssl3</div>
<div>* About to connect() to proxy 127.0.0.1 port 3128 (#0)</div>
<div>*   Trying 127.0.0.1... connected</div>
<div>* Establish HTTP proxy tunnel to uatmail02.cimb.com:443</div>
<div>> CONNECT uatmail02.cimb.com:443 HTTP/1.1</div>
<div>> Host: uatmail02.cimb.com:443</div>
<div>> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3</div>
<div>> Proxy-Connection: Keep-Alive</div>
<div>> </div>
<div>< HTTP/1.1 200 Connection established</div>
<div>< </div>
<div>* Proxy replied OK to CONNECT request</div>
<div>* successfully set certificate verify locations:</div>
<div>*   CAfile: none</div>
<div>  CApath: /etc/ssl/certs</div>
<div>* SSLv3, TLS handshake, Client hello (1):</div>
<div>* SSLv3, TLS alert, Server hello (2):</div>
<div>* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure</div>
<div>* Closing connection #0</div>
<br>
</span></span>
<p></p>
<p><span style="white-space: pre-wrap; font-size: 12pt;">2) You mentioned "</span><span style="white-space: pre-wrap; font-size: 12pt;">leaving port 443 for encrypted connections", can you please elaborate on why it might be problematic to use the "http_port" directive - i.e. have both plain-text and SSL connections?</span></p>
<p><span style="white-space: pre-wrap; font-size: 12pt;"><br>
</span></p>
<p><span style="white-space: pre-wrap; font-size: 12pt;">Thanks.</span></p>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Wahaj Ali<br>
<b>Sent:</b> Thursday, July 27, 2017 12:57:14 PM<br>
<b>To:</b> squid-users@lists.squid-cache.org<br>
<b>Subject:</b> Re: SSL options on different http_port resolving into a single config for all ports</font>
<div> </div>
</div>
<div><style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p>Resending the logs as they were not formatted correctly:</p>
<p><br>
</p>
<p></p>
<div>First request going to port 3128<br>
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"<br>
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3<br>
* About to connect() to proxy 127.0.0.1 port 3128 (#0)<br>
*   Trying 127.0.0.1... connected<br>
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443<br>
> CONNECT uatmail02.cimb.com:443 HTTP/1.1<br>
> Host: uatmail02.cimb.com:443<br>
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3<br>
> Proxy-Connection: Keep-Alive<br>
> <br>
< HTTP/1.1 200 Connection established<br>
< <br>
* Proxy replied OK to CONNECT request<br>
* successfully set certificate verify locations:<br>
*   CAfile: none<br>
  CApath: /etc/ssl/certs<br>
* SSLv3, TLS handshake, Client hello (1):<br>
* SSLv3, TLS alert, Server hello (2):<br>
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure<br>
* Closing connection #0<br>
<br>
Now hit port 443:</div>
<div><br>
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"<br>
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3<br>
* About to connect() to proxy 127.0.0.1 port 443 (#0)<br>
*   Trying 127.0.0.1... connected<br>
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443<br>
> CONNECT uatmail02.cimb.com:443 HTTP/1.1<br>
> Host: uatmail02.cimb.com:443<br>
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3<br>
> Proxy-Connection: Keep-Alive<br>
> <br>
< HTTP/1.1 200 Connection established<br>
< <br>
* Proxy replied OK to CONNECT request<br>
* successfully set certificate verify locations:<br>
*   CAfile: none<br>
  CApath: /etc/ssl/certs<br>
* SSLv3, TLS handshake, Client hello (1):<br>
* SSLv3, TLS alert, Server hello (2):<br>
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure<br>
* Closing connection #0<br>
<br>
Restart squid, then send first request on port 443 (which has ssl3 enabled):</div>
<div><br>
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"<br>
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3<br>
* About to connect() to proxy 127.0.0.1 port 443 (#0)<br>
*   Trying 127.0.0.1... connected<br>
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443<br>
> CONNECT uatmail02.cimb.com:443 HTTP/1.1<br>
> Host: uatmail02.cimb.com:443<br>
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3<br>
> Proxy-Connection: Keep-Alive<br>
> <br>
< HTTP/1.1 200 Connection established<br>
< <br>
* Proxy replied OK to CONNECT request<br>
* successfully set certificate verify locations:<br>
*   CAfile: none<br>
  CApath: /etc/ssl/certs<br>
* SSLv3, TLS handshake, Client hello (1):<br>
* SSLv3, TLS handshake, Server hello (2):<br>
* SSLv3, TLS handshake, CERT (11):<br>
* SSLv3, TLS handshake, Server key exchange (12):<br>
* SSLv3, TLS handshake, Server finished (14):<br>
* SSLv3, TLS handshake, Client key exchange (16):<br>
* SSLv3, TLS change cipher, Client hello (1):<br>
* SSLv3, TLS handshake, Finished (20):<br>
* SSLv3, TLS change cipher, Client hello (1):<br>
* SSLv3, TLS handshake, Finished (20):<br>
* SSL connection using ECDHE-RSA-AES256-SHA<br>
* Server certificate:<br>
* subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur   ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com<br>
* start date: 2017-07-03 09:00:37 GMT<br>
* expire date: 2019-07-04 09:00:37 GMT<br>
* common name: uatmail02.cimb.com (matched)<br>
* issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=service-engineering@elastica.co; CN=Elastica<br>
* SSL certificate verify ok.<br>
> GET / HTTP/1.1<br>
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3<br>
> Host: uatmail02.cimb.com<br>
> Accept: */*<br>
> <br>
< HTTP/1.1 302 Found<br>
< Date: Wed, 26 Jul 2017 10:12:48 GMT<br>
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=1468917241090744452&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F<br>
< Server: elastica-gateway-service/v1.0<br>
< Connection: close<br>
< <br>
* SSLv3, TLS alert, Client hello (1):<br>
* Closing connection #0<br>
* SSLv3, TLS alert, Client hello (1):<br>
<br>
Now send the same request on port 3128, which has ssl3 disabled:</div>
<div><br>
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"<br>
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3<br>
* About to connect() to proxy 127.0.0.1 port 3128 (#0)<br>
*   Trying 127.0.0.1... connected<br>
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443<br>
> CONNECT uatmail02.cimb.com:443 HTTP/1.1<br>
> Host: uatmail02.cimb.com:443<br>
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3<br>
> Proxy-Connection: Keep-Alive<br>
> <br>
< HTTP/1.1 200 Connection established<br>
< <br>
* Proxy replied OK to CONNECT request<br>
* successfully set certificate verify locations:<br>
*   CAfile: none<br>
  CApath: /etc/ssl/certs<br>
* SSLv3, TLS handshake, Client hello (1):<br>
* SSLv3, TLS handshake, Server hello (2):<br>
* SSLv3, TLS handshake, CERT (11):<br>
* SSLv3, TLS handshake, Server key exchange (12):<br>
* SSLv3, TLS handshake, Server finished (14):<br>
* SSLv3, TLS handshake, Client key exchange (16):<br>
* SSLv3, TLS change cipher, Client hello (1):<br>
* SSLv3, TLS handshake, Finished (20):<br>
* SSLv3, TLS change cipher, Client hello (1):<br>
* SSLv3, TLS handshake, Finished (20):<br>
* SSL connection using ECDHE-RSA-AES256-SHA<br>
* Server certificate:<br>
* subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur   ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com<br>
* start date: 2017-07-03 09:00:37 GMT<br>
* expire date: 2019-07-04 09:00:37 GMT<br>
* common name: uatmail02.cimb.com (matched)<br>
* issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=service-engineering@elastica.co; CN=Elastica<br>
* SSL certificate verify ok.<br>
> GET / HTTP/1.1<br>
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3<br>
> Host: uatmail02.cimb.com<br>
> Accept: */*<br>
> <br>
< HTTP/1.1 302 Found<br>
< Date: Wed, 26 Jul 2017 10:12:58 GMT<br>
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=2303332476459826439&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F<br>
< Server: elastica-gateway-service/v1.0<br>
< Connection: close<br>
< <br>
* SSLv3, TLS alert, Client hello (1):<br>
* Closing connection #0<br>
* SSLv3, TLS alert, Client hello (1):<br>
</div>
<br>
<p></p>
<p></p>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Wahaj Ali<br>
<b>Sent:</b> Thursday, July 27, 2017 12:51:57 PM<br>
<b>To:</b> squid-users@lists.squid-cache.org<br>
<b>Subject:</b> SSL options on different http_port resolving into a single config for all ports</font>
<div> </div>
</div>
<div>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p><span style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">With squid 3.5.25, I have two http_port configs, on one of which I want to disable SSLv3 while leaving it enabled on the other. Here is part of that config:</span></p>
<div style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">
<br>
</div>
<div style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">
<span style="color: rgb(69, 84, 100); font-family: "Source Code Pro", Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 12.9px; white-space: pre-wrap; background-color: rgb(248, 250, 251);">http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=<b>NO_SSLv2,NO_SSLv3</b>,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem</span><br>
</div>
<div style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">
<span style="color: rgb(69, 84, 100); font-family: "Source Code Pro", Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 12.9px; white-space: pre-wrap; background-color: rgb(248, 250, 251);"><br>
</span></div>
<div style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">
<span style="color: rgb(69, 84, 100); font-family: "Source Code Pro", Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 12.9px; white-space: pre-wrap; background-color: rgb(248, 250, 251);">http_port 443 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem</span><span style="color: rgb(69, 84, 100); font-family: "Source Code Pro", Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 12.9px; white-space: pre-wrap; background-color: rgb(248, 250, 251);"><br>
</span></div>
<br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">
<span style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">If I first proxy my traffic to port 443, it seems to apply the port 443 config on all other ports from here on. On the other hand, if my first request goes through port
 3128, then squid sets whatever SSL version is supported on 3128 for all the other ports as well. </span>
<div style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">
<br>
</div>
<div style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">
<b>First request going to port 3128</b></div>
<div style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">
<span style="color: rgb(69, 84, 100); font-family: "Source Code Pro", Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 12.9px; white-space: pre-wrap; background-color: rgb(248, 250, 251);">root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0
*
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0</span><br>
<div><span style="color: rgb(69, 84, 100); font-family: "Source Code Pro", Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 12.9px; white-space: pre-wrap; background-color: rgb(248, 250, 251);"><br>
</span></div>
<div><font color="#455464" face="Source Code Pro, Consolas, Liberation Mono, Menlo, Courier, monospace"><span style="font-size: 12.9px; white-space: pre-wrap; background-color: rgb(248, 250, 251);"><b>First request hitting 443:</b></span></font></div>
<div><span style="color: rgb(69, 84, 100); font-family: "Source Code Pro", Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 12.9px; white-space: pre-wrap; background-color: rgb(248, 250, 251);">root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
* start date: 2017-07-03 09:00:37 GMT
* expire date: 2019-07-04 09:00:37 GMT
* common name: uatmail02.cimb.com (matched)
* issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=service-engineering@elastica.co; CN=Elastica
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:48 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=1468917241090744452&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
root@madmin-VirtualBox:/home/madmin#
root@madmin-VirtualBox:/home/madmin#
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
* start date: 2017-07-03 09:00:37 GMT
* expire date: 2019-07-04 09:00:37 GMT
* common name: uatmail02.cimb.com (matched)
* issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=service-engineering@elastica.co; CN=Elastica
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:58 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=2303332476459826439&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):</span><span style="color: rgb(69, 84, 100); font-family: "Source Code Pro", Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 12.9px; white-space: pre-wrap; background-color: rgb(248, 250, 251);"><br>
</span></div>
</div>
<div style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">
<br>
</div>
<br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">
<span style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">In the first case, SSLv3 fails on both ports, while in the second it works for both. My expectation was that I can configure the ports independently to use different SSL
 versions. Wonder if this is a bug?</span>
<div style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">
<br>
</div>
<div style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px;">
Regards, </div>
<br>
<p></p>
</div>
</div>
</div>
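<p>An added example, not part of the thread and not Squid project code: a regression check for the behaviour reported above. It reads the <code>options=</code> flags of each <code>http_port</code> line and flags any port that lists NO_SSLv3 yet completed a handshake in a curl transcript. The function names are hypothetical, and it assumes that every transcript comes from a client forced to SSLv3 (as in the thread) and that <code>options=</code> flags are separated by commas or colons.</p>

```python
import re

# Constructed sample: the two http_port lines from the thread, abridged to the
# fields this check reads.
SAMPLE_CONF = """\
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
http_port 443 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=SINGLE_ECDH_USE
"""

# Constructed sample: abridged curl -v output for the "first request hitting
# 443" case, where the later request through 3128 also completes.
SAMPLE_TRANSCRIPT = """\
* About to connect() to proxy 127.0.0.1 port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSL connection using ECDHE-RSA-AES256-SHA
* Closing connection #0
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSL connection using ECDHE-RSA-AES256-SHA
* Closing connection #0
"""

CONNECT_RE = re.compile(r"^\* About to connect\(\) to proxy \S+ port (\d+)", re.M)


def parse_http_ports(conf):
    """Map each listening port to the set of flags in its options= field."""
    ports = {}
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2 or fields[0] not in ("http_port", "https_port"):
            continue
        # Accept "3128", "127.0.0.1:3128" and "[::1]:3128".
        port = int(fields[1].rsplit(":", 1)[-1])
        flags = set()
        for field in fields[2:]:
            if field.startswith("options="):
                # Assumption: flags are separated by "," or ":".
                value = field[len("options="):]
                flags.update(f for f in re.split(r"[,:]", value) if f)
        ports[port] = flags
    return ports


def handshake_attempts(transcript):
    """Split concatenated curl -v output into (proxy_port, outcome) pairs."""
    attempts = []
    starts = list(CONNECT_RE.finditer(transcript))
    for i, match in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(transcript)
        body = transcript[match.end():end]
        if "SSL connection using" in body:
            outcome = "established"
        elif "alert handshake failure" in body:
            outcome = "refused"
        else:
            outcome = "unknown"
        attempts.append((int(match.group(1)), outcome))
    return attempts


def sslv3_violations(conf, transcript):
    """Ports configured with NO_SSLv3 that still completed a handshake.

    Assumption: the client was forced to SSLv3 for every attempt, so any
    completed handshake means SSLv3 was accepted on that port.
    """
    ports = parse_http_ports(conf)
    return [
        port
        for port, outcome in handshake_attempts(transcript)
        if outcome == "established" and "NO_SSLv3" in ports.get(port, set())
    ]


if __name__ == "__main__":
    for port in sslv3_violations(SAMPLE_CONF, SAMPLE_TRANSCRIPT):
        print(f"port {port}: NO_SSLv3 configured but SSLv3 handshake completed")
```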
</body>
</html>