[squid-users] FW: squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Vieri
rentorbuy at yahoo.com
Mon Oct 3 07:11:45 UTC 2016
Hi,
----- Original Message -----
> From: Yuri Voinov <yvoinov at gmail.com>
>
>> Why is Squid negotiating cipher RC4-MD5 which is reported "insecure"
>> and unsupported by the google web site?> Because your antique client request it. XP desupported years ago.
[...]
> Throw out XP and IE8 and set up W7 as minimum with IE10. I see no other
> way. I am afraid that in this case, the cactus is too large and inedible.
I agree that XP clients shouldn't be used anymore but it's easier said than done in corporate environments.
In any case, on a purely technical level, I don't know the internals of Squid and standard proxying protocols but if a Windows XP+IE8 client has no problem whatsoever connecting directly (no proxy) to https://www.google.com but fails with Squid in the middle (ssl-bump) then that makes me think that it could be either a Squid bug or a missing feature (or maybe the fact that Squid is stricter when implementing protocols than Microsoft products). Whatever the reason, for an end-user like me it seems that the XP client is able to negotiate TLS correctly with Google and presumably using the cipher DES-CBC3-SHA (maybe after failing with RC4-MD5 on a first attempt), whereas Squid immediately fails with RC4-MD5. It doesn't ever seem to try DES-CBC3-SHA even though it's available in openssl.
So I guess I'll start forcing users to use Firefox on WinXP or any other sane OS. I just wanted to point out though that I'm still confused as to why the client connection is failing.
Vieri
More information about the squid-users
mailing list