[squid-users] SSLBUMP Issue

Amos Jeffries squid3 at treenet.co.nz
Mon Jan 11 08:20:35 UTC 2016


On 11/01/2016 10:54 a.m., Roman Gelfand wrote:
> I am getting the following error.  Would anyone know the reason?
> 
>  Error negotiating SSL connection on FD 37: error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number
> 

Please supply the rquired details:

* Squid version (squid -v output)

 If it is older than 3.5.10 please upgrade.

* OpenSSL version

If it is older than 1.0.0 please (try to) upgrade.

> 
> My sslbump config is
> 
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/ssl_cert/squidCA.pem
> 
> ssl_bump server-first all

At this point all the following directives about bumping are useless and
will not happen.

> ssl_bump peek all
> ssl_bump terminate all
> 

*DO NOT* mix deprecated and current bumping actions together.

"Does not support peeking, which causes various problems.
When used for intercepted traffic SNI is not available and the server
raw-IP will be used in certificates. "

One of those "various problems" is probably what you are encountering.

Amos



More information about the squid-users mailing list