[squid-dev] [PATCH] Handle SSL v2 Hello

Alex Rousskov rousskov at measurement-factory.com
Tue Sep 1 05:32:14 UTC 2015


Hello,

The attached trunk and v3.5 patches allow Squid to splice SSLv3 and
TLSv1 sessions that start with an SSL v2 Hello message. Such sessions
are created, for example, by some SSL clients using OpenSSL v0.9.8 with
default options. These patches do _not_ re-enable SSLv2 session support
in trunk.

Bumping TLSv1 sessions that start with SSL v2 Hello also appears to work.


In my tests, attempts to bump SSLv3 sessions that start with an SSL v2
Hello message terminate during the server handshake if Squid stares at the
server certificate (i.e., if an "ssl_bump stare" rule matches at bumping
step #2). When this happens, Squid logs the following error message:

2015/08/31 22:11:56.459| Error negotiating SSL on FD 14:
  error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry
  (1/-1/0)

However, AFAICT, the same or similar problem exists in the unpatched
Squid (for connections that start with SSL v3 Hello). It could be
another bug or a deficiency of my test setup.


HTH,

Alex.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-100-parse-sslv2-hello-t2.patch
Type: text/x-diff
Size: 9333 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20150831/e51c81c3/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-100-parse-sslv2-hello-v3p5-t2.patch
Type: text/x-diff
Size: 9331 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20150831/e51c81c3/attachment-0001.patch>
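As an added illustration of the distinction the patch draws (hypothetical code, not Squid's parser and not the attached patch): a classifier that reads the leading bytes of a client handshake, recognises SSLv2 record framing, and reports whether the wrapped hello advertises SSLv2, SSLv3 or TLSv1, so that an intercepting proxy can splice the SSLv3/TLSv1 cases while still refusing a genuine SSLv2 session. The function names and the sample byte strings are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

struct HelloInfo {
    bool parsed = false;    // false: not a recognisable client hello
    bool v2Format = false;  // true: SSLv2-style 2-byte record framing
    uint16_t version = 0;   // 0x0002 SSLv2, 0x0300 SSLv3, 0x0301 TLSv1
};

// Hypothetical classifier (not Squid's parser): tells a genuine SSLv2 hello from an
// SSLv3/TLS hello in SSLv2 framing (OpenSSL 0.9.8 default) and a native TLS record.
HelloInfo classifyClientHello(const std::vector<uint8_t>& b) {
    HelloInfo r;
    if (b.size() < 5)
        return r;
    if (b[0] & 0x80) {
        // SSLv2 record: bit 7 set, 15-bit length, MSG-CLIENT-HELLO (0x01), CLIENT-VERSION.
        const size_t recLen = ((b[0] & 0x7f) << 8) | b[1];
        if (recLen < 9 || b[2] != 0x01)  // 9 = fixed fields of a CLIENT-HELLO body
            return r;
        r.v2Format = true;
        r.version = static_cast<uint16_t>((b[3] << 8) | b[4]);
        r.parsed = true;
    } else if (b[0] == 0x16 && b[1] == 0x03 && b.size() >= 11 && b[5] == 0x01) {
        // SSLv3/TLS record: 0x16 handshake, record version, length(2), ClientHello 0x01,
        // length(3), then the client version.
        r.version = static_cast<uint16_t>((b[9] << 8) | b[10]);
        r.parsed = true;
    }
    return r;
}

// Policy sketch: splice any SSLv3/TLS session, even one in SSLv2 framing; never SSLv2.
bool spliceable(const HelloInfo& h) { return h.parsed && h.version >= 0x0300; }

// Constructed samples (not captured traffic). TLSv1 hello in SSLv2 framing:
// two cipher specs, no session id, 16-byte challenge, body length 0x1f.
const std::vector<uint8_t> kV2WrappedTls = {0x80, 0x1f, 0x01, 0x03, 0x01, 0x00, 0x06,
    0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x35, 0xa1, 0xa2, 0xa3, 0xa4,
    0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0};
// Same framing, but the client version is 0x0002: a real SSLv2 session.
const std::vector<uint8_t> kRealSslv2 = {0x80, 0x1f, 0x01, 0x00, 0x02, 0x00, 0x06,
    0x00, 0x00, 0x00, 0x10, 0x01, 0x00, 0x80, 0x02, 0x00, 0x80, 0xa1, 0xa2, 0xa3, 0xa4,
    0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0};
// Native TLSv1 ClientHello record, cut after the client version field.
const std::vector<uint8_t> kNativeTls = {0x16, 0x03, 0x01, 0x00, 0x2d, 0x01, 0x00, 0x00,
    0x29, 0x03, 0x01};
```

The version field, not the record framing, is what decides whether the session is SSLv2; a v2-framed hello carrying 0x0300 or 0x0301 is an SSLv3/TLSv1 client that merely uses the old framing.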

