[squid-users] SSLBUMP Issue
Amos Jeffries
squid3 at treenet.co.nz
Mon Jan 11 08:20:35 UTC 2016
On 11/01/2016 10:54 a.m., Roman Gelfand wrote:
> I am getting the following error. Would anyone know the reason?
>
> Error negotiating SSL connection on FD 37: error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number
>
Please supply the required details:
* Squid version (squid -v output)
  If it is older than 3.5.10 please upgrade.
* OpenSSL version
  If it is older than 1.0.0 please (try to) upgrade.
>
> My sslbump config is
>
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/ssl_cert/squidCA.pem
>
> ssl_bump server-first all
At this point all the following directives about bumping are useless and
will not happen.
> ssl_bump peek all
> ssl_bump terminate all
>
*DO NOT* mix deprecated and current bumping actions together.
"Does not support peeking, which causes various problems.
When used for intercepted traffic SNI is not available and the server
raw-IP will be used in certificates."
One of those "various problems" is probably what you are encountering.
Amos
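
A way to check a squid.conf for the two problems raised in the reply above (rules placed after `ssl_bump server-first all` never run, and deprecated actions are mixed with current ones). This is an added example, not part of the original message and not Squid code; the function names are hypothetical, the deprecated/current action sets are assumed from the Squid 3.5 `ssl_bump` documentation, and the sample input is constructed from the lines quoted in the thread.

```python
# Added example: lint the ssl_bump rules of a squid.conf.
# Action sets are an assumption taken from the Squid 3.5 ssl_bump docs.
DEPRECATED = {"client-first", "server-first", "none"}
CURRENT = {"peek", "stare", "splice", "bump", "terminate"}

# Constructed sample based on the configuration quoted in the thread.
SAMPLE = """\
http_port 3128 ssl-bump generate-host-certificates=on
ssl_bump server-first all
ssl_bump peek all
ssl_bump terminate all
"""


def parse_ssl_bump(conf):
    """Return (line_no, action, acl_names) for each ssl_bump directive."""
    rules = []
    for no, raw in enumerate(conf.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if len(tokens) >= 2 and tokens[0] == "ssl_bump":
            rules.append((no, tokens[1], tokens[2:]))
    return rules


def lint(conf):
    """Return findings as (line_no, code, message), in file order per check."""
    rules = parse_ssl_bump(conf)
    used = {action for _, action, _ in rules}
    findings = []
    # Check 1: deprecated and current actions in the same rule set.
    if used & DEPRECATED and used & CURRENT:
        for no, action, _ in rules:
            if action in DEPRECATED:
                findings.append((no, "MIXED",
                                 f"deprecated '{action}' mixed with current actions"))
    # Check 2: a deprecated action on 'all' matches every connection first,
    # so later ssl_bump rules are never applied.
    shadow = None
    for no, action, acls in rules:
        if shadow is not None:
            findings.append((no, "UNREACHABLE",
                             f"never applied, line {shadow} matches all traffic"))
        elif action in DEPRECATED and acls == ["all"]:
            shadow = no
    return findings


if __name__ == "__main__":
    for no, code, msg in lint(SAMPLE):
        print(f"line {no}: {code}: {msg}")
```
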