[squid-users] NET::ERR_CERT_COMMON_NAME_INVALID

Amos Jeffries squid3 at treenet.co.nz
Fri Oct 17 02:00:02 UTC 2014



On 17/10/2014 1:30 p.m., Robert Watson wrote:
> I believe my problem relates to a previous post regarding TLS
> fallback 
> <http://www.mail-archive.com/squid-users%40squid-cache.org/msg95916.html>
> in the squid-users list. Has there been any progress with sslbump
> and tls fallback to tls1.0 if tls1.2/tls1.1 fails?
> 

Not specifically that I'm aware of.

With TLS, version selection should be automatic - provided both
endpoints support at least one TLS version. The complications come in
when SSLv3 gets involved, since it has a different handshake syntax
and various clients/servers have some fancy failover dances to perform,
with various amounts of bugs.


You may want to also try 3.5.0.1 when it becomes available in ~3 hrs.
The peek-n-splice feature there should have much better TLS behaviour
than the older ssl-bump designs. No guarantees though.

Amos


