[squid-users] handshake problems with stare and bump

Alex Rousskov rousskov at measurement-factory.com
Mon Oct 3 19:12:40 UTC 2016


On 10/03/2016 11:50 AM, Marc wrote:

> 2) Squid forwards the Client Hello, including ciphers the host running
> squid doesn't support (in my case, the DES and RC4 ones). This could
> also potentially lead to problems. Why doesn't squid filter them out
> from the Client Hello sent from squid to the webserver?

If this is what happens, then it is a Squid bug. During step2, the
matching "stare" action instructs Squid to start establishing the secure
connection with the origin server with the intent to "bump" it. Unlike
peeking, Squid must not advertise what it does not support in this case
because, as you said, doing so may jeopardize future bumping. If Squid
v4 does the same thing, I recommend filing a bug report.


> 3) Nice to have: Is it possible for squid to report errors to the user
> over HTTPS instead of HTTP?

Squid is supposed to report bumping errors over HTTPS whenever it can
establish a secure connection with the client. Based on your email, I am
not sure whether Squid could establish a secure connection with the
client, but I suspect that your FD 12 "ssl3_get_client_hello:no shared
cipher" error indicates that Squid tried but failed to do so.

Alex.
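The point above is that a proxy in "stare" mode should offer the origin server only cipher suites it can itself negotiate, so the later bump does not fail. As an added example (not Squid's code, and not part of this thread), this Python sketch shows that filtering step on a constructed TLS 1.2 ClientHello record: it parses the record, drops suites from a denylist, and recomputes the record and handshake lengths. The denylist (RC4 and DES family IANA IDs) and the minimal ClientHello builder are assumptions of the example; extensions are copied unchanged.

```python
import struct

# IANA cipher suite IDs the local TLS stack cannot negotiate: RC4 and (3)DES
# families, as in the post. The exact set is an assumption of this example.
UNSUPPORTED_SUITES = {0x0004, 0x0005, 0x0009, 0x000A}


def _locate_cipher_suites(record):
    """Validate record framing; return (body, cs_start, cs_end, suites)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    if rec_len != len(record) - 5 or hs_len != rec_len - 4:
        raise ValueError("inconsistent record/handshake lengths")
    body = record[9:]                              # ClientHello body
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    start, end = pos + 2, pos + 2 + cs_len
    if cs_len % 2 or end > len(body):
        raise ValueError("malformed cipher_suites vector")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(start, end, 2)]
    return body, start, end, suites


def cipher_suites(record):
    """List the cipher suite IDs offered in a ClientHello record."""
    return _locate_cipher_suites(record)[3]


def filter_client_hello(record, unsupported=UNSUPPORTED_SUITES):
    """Return a copy of the record with unsupported suites removed."""
    body, start, end, suites = _locate_cipher_suites(record)
    kept = [s for s in suites if s not in unsupported]
    if not kept:
        raise ValueError("no supported cipher suites left to offer")
    new_cs = b"".join(struct.pack("!H", s) for s in kept)
    new_body = body[:start - 2] + struct.pack("!H", len(new_cs)) + new_cs + body[end:]
    new_hs = b"\x01" + len(new_body).to_bytes(3, "big") + new_body
    return record[:3] + struct.pack("!H", len(new_hs)) + new_hs


def build_client_hello(suites, random_bytes=bytes(32)):
    """Constructed minimal TLS 1.2 ClientHello (test input, not a real capture)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + random_bytes + b"\x00"          # version, random, no session_id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + b"\x00\x00")                  # null compression, no extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

If every offered suite is unsupported the function refuses to produce an empty offer, which is the case where a real proxy would have to answer the client with an error instead of forwarding.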
