[squid-users] SSL bump fails accessing .gov.uk servers

Dieter Bloms squid at bloms.de
Fri Oct 31 20:03:42 UTC 2014


Hi Steve,

On Fri, Oct 31, Steve Hill wrote:

> This is probably not a problem with Squid, but I'm posting here in the
> hope that someone may have more clue than me when it comes to SSL :)

...

> If I force openssl into TLS1 mode (with the -tls1 argument) then it
> works fine.  TLS 1.1 and 1.2 both fail.  However, shouldn't openssl be
> negotiating the highest TLS version supported by both server and client?

But when the server is broken, it will not work.
Have a look at:

https://www.ssllabs.com/ssltest/analyze.html?d=www.taxdisc.service.gov.uk

> It works correctly when FireFox connects directly to the web server
> rather than going through the proxy.

Yes, the browsers have a workaround and try with different cipher suites
when the first connect fails.

> So my question is: is the web server broken, or am I misunderstanding
> something?

The webserver is broken.


-- 
Regards.

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
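An added example, not part of the original message: a small diagnostic for the expectation raised in the thread, that a client offering a higher TLS version should still complete the handshake by negotiating down. It offers TLS 1.0 up to a chosen ceiling and reports whether raising the ceiling alone breaks the handshake. The names `probe`, `classify`, `CEILINGS` and `SAMPLE_FROM_THREAD` are assumptions of this example, and the sample is constructed to mirror the outcome reported above.

```python
import socket
import ssl
import sys

# Highest version the client offers in each probe; the floor is always TLS 1.0.
CEILINGS = [("TLS 1.0", ssl.TLSVersion.TLSv1),
            ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
            ("TLS 1.2", ssl.TLSVersion.TLSv1_2)]

def probe(host, ceiling, port=443, timeout=5.0):
    """Handshake offering TLS 1.0..ceiling; return negotiated version or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # negotiation test only, no data is exchanged
    # A local OpenSSL policy that disables old versions makes low ceilings fail
    # on the client side; read those results with that in mind.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ceiling
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError, ValueError):
        return None

def classify(results):
    """results maps a CEILINGS label to the negotiated version or None."""
    names = [name for name, _ in CEILINGS]
    ok = [i for i, n in enumerate(names) if results.get(n)]
    failed = [i for i, n in enumerate(names) if not results.get(n)]
    if not ok:
        return "no-handshake"            # unreachable, or nothing in common
    if not failed:
        return "negotiates-down"         # every offer completed
    if max(failed) > min(ok):
        return "fails-on-higher-offer"   # a lower ceiling works, a higher one breaks
    return "low-versions-disabled"       # only old versions refused: normal hardening

# Constructed sample mirroring the thread: TLS 1.0 works, 1.1 and 1.2 fail.
SAMPLE_FROM_THREAD = {"TLS 1.0": "TLSv1", "TLS 1.1": None, "TLS 1.2": None}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = {name: probe(sys.argv[1], v) for name, v in CEILINGS}
    else:
        results = SAMPLE_FROM_THREAD
    print(results, "->", classify(results))
```

A result of `fails-on-higher-offer` is the case where a proxy that makes a single handshake attempt fails while a client that retries with a lower offer succeeds.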