[squid-users] peek/splice working with lynx but not with firefox or chrome [SOLVED]
Roel van Meer
roel at 1afa.com
Tue Mar 10 17:12:23 UTC 2015
Roel van Meer writes:
>> >> > I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1.
>> >> > Traffic is redirected from port 443 top 3130 with iptables.
>> >>
>> >> ... and with an older version of OpenSSL missing many of the last few
>> >> years worth of TLS crypto features. IIRC the library releases are now up
>> >> to 1.1.* or something. Its best to keep that kind of thing operating the
>> >> latest versions.
>> >
>> > I know it missing the latest features, but security patches are
>> > backported. And I know it is old, but it's what I have to work with
>> > now.Do you think it might be the cause of the problem I'm having with
>> > peek/splice, or was it a general recommendation?
>>
>> Its a potential source of problems. Chrome is very much on the front
>> line of the arms race attempting to stop things like SSL-Bump working.
>> Firefox implement their own crypto library which tracks the latest TLS
>> features at a similar speed of development.
>> OpenSSL will be perpetually behind both of them, but at least the latest
>> one(s) have better chances not to be advertising features they reject in
>> "considered harmful" grounds.
>
> I'll have a go then at trying with a newer openssl and the patches from the
> thread you mentioned.
With Squid 3.5.2 built with openssl 1.0.1k I can splice https connections
with no trouble. Tested with Lync, Chrome, Firefox, and IE.
So you were right. :) Thanks a lot for pointing me in the right direction!
Cheers,
Roel
More information about the squid-users
mailing list