[squid-users] SSL bump fails accessing .gov.uk servers
Amos Jeffries
squid3 at treenet.co.nz
Sat Nov 1 00:12:28 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 1/11/2014 12:09 p.m., Marcus Kool wrote:
> With OpenSSL 1.0.1e-fips :
>
> openssl s_client -connect www.taxdisc.service.gov.uk:443
> fails (tries TLS1.2) openssl s_client -connect
> www.taxdisc.service.gov.uk:443 -ssl3 works
>
> The webmail server of my ISP works like this: it uses only TLS1.0,
> so no TLS1.1 or TLS1.2, but when with openssl s_client -connect
> WEBMAIL:443 -tls1_2 the connection is automagically downgraded to
> TLS1.0. taxdisc does not do this. Taxdisc does not negotiate, so
> the client must guess the desired protocol (SSL3 or TLS1.0) and use
> that.
>
> I do not know all details about TLS and downgrading rules but the
> server seems broken to me.
It is clearly not supporting TLS at all. TLS mandates that endpoints
offer the highest TLS version they support, and the mutual highest is
used. SSLv3 is not on that scale of TLS 1.0+ versions.
Client implementations usually treat rejection of all TLS versions
down to 1.0 as a signal that SSL handshake is required instead, abort
and retry with SSLv3-only...
> Firefox knows how to deal with it and Squid not yet.
... for now anyway. Firefox will be dropping SSLv3 support Nov 25th.
Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQEcBAEBAgAGBQJUVCVsAAoJELJo5wb/XPRj1rIIAIacxp8gQYhtIA49/+k9c2D9
cO+vnAhADOsIqg2qwtZKRXCYcpAba/s8IeiiouvcowTV54+6GCZ3yyP7uIztwEY3
x+Li2/VKdRYOSLf6QgFo4JU8y5garf9cMrqZw7eFS+Qo9GaYu+BZOcrtlzbAAehN
DqABCRdHkJ+ZtVIC7obVX1fXTnuPlIC3W/QHzc6uGHp75Qs/QAAaV8ugYBMfPpX9
5G6gYSG5qMwQ1XMJ5nc14vFQxTxjrpydl4BKn0WhNLrGaDCWGZiOQYKi7ERlorNs
7yHzjROpWIxapmUChccHifrFEQIR0vo3vAq5StPad3a3aMMp5SW/scpbGFgW8jw=
=mtZp
-----END PGP SIGNATURE-----
More information about the squid-users
mailing list