<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
this is in my squid.conf<br>
<br>
<br>
acl step1 at_step SslBump1<br>
acl step2 at_step SslBump2<br>
acl step3 at_step SslBump3<br>
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid" <-- e.g. <a class="moz-txt-link-abbreviated" href="http://www.google.com">www.google.com</a><br>
<br>
ssl_bump stare step1 all<br>
ssl_bump splice nobumpsites<br>
ssl_bump bump all<br>
<br>
acl brokenButTrusted dstdomain "/etc/squid/brokenbuttrustedsites-acl.squid" <-- contains e.g. download.microsoft.com<br>
<br>
acl certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT<br>
...<br>
acl squidSslHandshake ssl_error SQUID_ERR_SSL_HANDSHAKE<br>
<br>
sslproxy_cert_sign_hash sha256<br>
<br>
sslproxy_cert_error allow brokenButTrusted<br>
sslproxy_cert_error deny all<br>
<br>
sslproxy_cafile /etc/squid/ca-bundle.trust.crt<br>
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP<br>
sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2<br>
<br>
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB<br>
sslcrtd_children 8<br>
<br>
<br>
<br>
<br>
On 28.06.2019 16:34, L.P.H. van Belle wrote:
<blockquote
cite="mid:vmime.5d162583.676d.f7ab49540e5a233@ms249-lin-003.rotterdam.bazuin.nl"
type="cite">
<div><span>the </span>SSL3_GET_MESSAGE<span>? </span></div>
<div><span> </span> </div>
<div><span> Maybe because they only support TLSv1.2? </span></div>
<div><span> It's been a long time since I saw a site that was, for once, well configured with its TLS settings. </span></div>
<div><span> </span> </div>
<div><span> So most probably, you're downgrading the connection within the proxy settings to SSLv3. </span></div>
<div><span> </span> </div>
<div><span> And sharing your config might help to see that. </span></div>
<div><span> </span> </div>
<div><span> Greetz, </span></div>
<div><span> </span> </div>
<div><span> Louis </span></div>
<div><span> </span> </div>
<br>
<blockquote>
<div lang="nl"> <b>From:</b> squid-users
[<a class="moz-txt-link-freetext" href="mailto:squid-users-bounces@lists.squid-cache.org">mailto:squid-users-bounces@lists.squid-cache.org</a>] <b>On behalf of
</b>Walter H.<br>
<b>Sent:</b> Friday, 28 June 2019 16:21<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> [squid-users] SQUID_ERR_SSL_HANDSHAKE<br>
<br>
</div>
Hello,<br>
<br>
at some specific hosts<br>
this is shown in cache.log<br>
2019/06/28 16:11:12 kid1| Error negotiating SSL on FD 17:
error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message
(1/-1/0)<br>
<br>
and this is the error page I get<br>
<br>
Failed to establish a secure connection to ...<i><br>
<br>
(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)</i><br>
Handshake with SSL server failed: error:1408E0F4:SSL
routines:SSL3_GET_MESSAGE:unexpected message<br>
<br>
What is causing this?<br>
<br>
In case someone wants to try: <a moz-do-not-send="true"
href="https://www.3bg.at/">https://www.3bg.at/</a><br>
(when disabling SSL-bump there is no problem)<br>
<br>
Thanks,<br>
Walter<br>
</blockquote>
</blockquote>
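The cache.log line quoted in Walter's original message uses the OpenSSL error format error:CODE:LIBRARY:FUNCTION:REASON, where the 8-hex-digit code packs numeric library, function and reason ids. As an added example (not code from this thread or from the Squid project), the Python below parses lines of that shape, decodes the packed code so the numbers can be cross-checked against the text fields, and tallies which handshake failures a log contains, which is the first thing to look at before changing ssl_bump or sslproxy_options. The log-line shape and the OpenSSL 1.0.x packing layout (library id in the top 8 bits, function id in the next 12, reason id in the low 12) are assumptions; all sample lines except the first are constructed.

```python
"""Decode and tally OpenSSL handshake errors from Squid cache.log lines.

Added example for the squid-users thread; it is not code from the thread
or from the Squid project. Assumptions: the log-line shape follows the
excerpt in the thread, and the 8-hex-digit code uses the OpenSSL 1.0.x
layout (library id in the top 8 bits, function id in the next 12 bits,
reason id in the low 12 bits).
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid(?P<kid>\d+)\| "
    r"Error negotiating SSL on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^(]+?)"
    r"(?: \((?P<state>[^)]*)\))?$"
)

ERR_LIB_SSL = 20  # 0x14: the "SSL routines" library id in OpenSSL 1.0.x


def decode_err_code(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason) ids."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_line(line):
    """Return a dict for a handshake-error line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["reason"] = rec["reason"].strip()
    rec["lib_id"], rec["func_id"], rec["reason_id"] = decode_err_code(rec["code"])
    # Sanity check: the text "SSL routines" should go with the SSL library id.
    rec["lib_consistent"] = (rec["lib"] == "SSL routines") == (rec["lib_id"] == ERR_LIB_SSL)
    return rec


def summarize(lines):
    """Parse every line; return the records and a Counter keyed by (func, reason)."""
    records = [r for r in (parse_line(ln) for ln in lines) if r is not None]
    tally = Counter((r["func"], r["reason"]) for r in records)
    return records, tally


# Constructed sample log. The first line is the one quoted in the thread;
# the others are made up to show a second failure kind and a non-error line.
SAMPLE_LOG = [
    "2019/06/28 16:11:12 kid1| Error negotiating SSL on FD 17: "
    "error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)",
    "2019/06/28 16:11:40 kid1| Error negotiating SSL on FD 23: "
    "error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)",
    "2019/06/28 16:12:05 kid1| Error negotiating SSL on FD 31: "
    "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)",
    "2019/06/28 16:12:09 kid1| (constructed line with no handshake error)",
]

if __name__ == "__main__":
    records, tally = summarize(SAMPLE_LOG)
    for (func, reason), n in tally.most_common():
        print(f"{n:3d}  {func}: {reason}")
    for r in records:
        print(f"FD {r['fd']}: lib={r['lib_id']} func={r['func_id']} reason={r['reason_id']}")
```

Running it against a real cache.log (for example `summarize(open("/var/log/squid/cache.log"))`) shows whether the failures are all "unexpected message" during the handshake, as in this thread, or whether certificate-verification errors are mixed in; the latter would be handled by the ssl_error ACLs and sslproxy_cert_error rules in the config above, the former are not certificate errors and point at the TLS negotiation itself.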
<br>
</body>
</html>