<div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Hi All<br></div><div dir="ltr"><div><br></div><div>We use Squid 4.8 with OpenSSL 1.1.1d in transparent mode for peek-and-splice interception.</div><div><br></div><div>With this version, we lost the ability to connect to any HTTPS site.</div><div><br></div><div>There are a few issues: </div><div><ul><li>support for TLSv1.2 sites (already discussed in thread <a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/Problem-with-ssl-choose-client-version-inappropriate-fallback-on-some-sites-when-using-TLS1-2-td4688258.html" target="_blank">http://squid-web-proxy-cache.1019090.n4.nabble.com/Problem-with-ssl-choose-client-version-inappropriate-fallback-on-some-sites-when-using-TLS1-2-td4688258.html</a>)</li><li>support for TLSv1.3 sites.</li></ul></div><div><br></div><div>Support TLSv1.2.</div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>OpenSSL 1.1.1d adds support for TLSv1.3. These changes added some kind of guard for the case where we perform a handshake with a lower version of the TLS protocol than we support. In this scenario, we receive a downgrade fallback error.</div><div>Handshake version TLSv1.2 vs. max supported TLSv1.3.</div></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>In such a case, we get the following error:</div></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">ERROR: negotiating TLS on FD 19: error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback (1/-1/0)</blockquote></div><div><br></div><div><span style="font-family:arial,sans-serif">OpenSSL already provided a fix for it.
You can configure the SSL session to use the option SSL_MODE_SEND_FALLBACK_SCSV and set the SSL max proto version for the current SSL session, but Squid does not yet support these features.</span></div><div><br></div><div>You can find a patch in the attachments; I will be grateful for the review.</div></blockquote><div><br></div><div>We are still investigating the issue with TLS 1.3 support; any advice would be appreciated.</div><div><br></div><div>Best regards,</div><div>Yaroslav Pushko.</div><div><div>-- <br></div><div dir="ltr" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><font size="-1">Best Regards,<br><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:12px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:bold">Yaroslav Pushko | Senior </span></font><b style="font-family:arial,helvetica,sans-serif;font-size:12.8px"><span style="font-size:9.5pt;font-family:Arial,sans-serif;color:rgb(51,51,51)">Software Engineer</span></b><font size="-1"><br><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:12px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">GlobalLogic</span><br><span style="vertical-align:baseline;font-variant:normal;font-style:normal;font-size:12px;background-color:transparent;text-decoration:none;font-family:Arial;font-weight:normal">P +380971842774  M +380634232226 S dithard</span><br><a href="http://www.globallogic.com/" target="_blank"><span style="font-size:12px;font-family:Arial;color:rgb(17,85,204);background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline">www.globallogic.com</span></a><br><span 
style="font-size:11px;font-family:Arial;color:rgb(17,85,204);background-color:transparent;font-weight:normal;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline"><a href="http://www.globallogic.com/email_disclaimer.txt" target="_blank">http://www.globallogic.com/email_disclaimer.txt</a></span></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
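The downgrade guard behind the "inappropriate fallback" error above, as an added illustration that is not part of this message or of the attached Squid patch: it parses a raw ClientHello record, recovers the highest version the client offers (from the supported_versions extension when present, otherwise the legacy version) and whether TLS_FALLBACK_SCSV is listed, and applies the RFC 7507 rule that a TLS 1.3-capable server such as OpenSSL 1.1.1 enforces in ssl_choose_client_version. The sample hellos are constructed (zero random, no session id); the parser is meant for checking, from a capture, why a server rejected a handshake.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600        # RFC 7507 signalling cipher suite value
TLS1_2, TLS1_3 = 0x0303, 0x0304

def parse_client_hello(record: bytes) -> dict:
    """Pull out of a raw ClientHello record the two things the guard looks at:
    the highest version the client offers and whether TLS_FALLBACK_SCSV is listed."""
    content_type, _rec_ver, _rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22 or record[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy_version = int.from_bytes(body[:2], "big")
    pos = 2 + 32                                   # skip legacy_version + random
    pos += 1 + body[pos]                           # skip session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    suites = [int.from_bytes(body[i:i + 2], "big")
              for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    pos += 1 + body[pos]                           # skip compression_methods
    max_version = legacy_version
    if pos < len(body):                            # extensions block present
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == 43:                     # supported_versions (TLS 1.3)
                max_version = max(int.from_bytes(data[i:i + 2], "big")
                                  for i in range(1, 1 + data[0], 2))
            pos += 4 + ext_len
    return {"max_version": max_version, "fallback_scsv": TLS_FALLBACK_SCSV in suites}

def server_accepts(hello: dict, server_max_version: int) -> bool:
    """RFC 7507 check a TLS 1.3-capable server applies: SCSV present while the
    client's max version is below the server's => 'inappropriate fallback'."""
    return not (hello["fallback_scsv"] and hello["max_version"] < server_max_version)

def build_client_hello(version: int, suites: list, supported_versions=None) -> bytes:
    """Constructed sample ClientHello (zero random, no session id) for testing."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HHB", 43, len(vs) + 1, len(vs)) + vs
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, TLS1_2, len(hs)) + hs
```

A TLSv1.2 hello carrying the SCSV is refused by a server whose maximum is TLSv1.3, but accepted once the server's maximum matches the client's, which is the version mismatch the message describes.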