[squid-users] FW: squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Marc
gaardiolor at gmail.com
Thu Oct 6 21:00:21 UTC 2016
Hi Viery,
Sorry, copy/paste error, my bad. Please try:
openssl s_client -quiet -connect www.google.com:443 -tls1 \
  -cipher RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:DHE-DSS-DES-CBC3-SHA:DHE-DSS-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA \
  < <(echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n")
That one fails (at least with me). Squid replies with 503 Service
unavailable, SQUID_ERR_SSL_HANDSHAKE.
Now adding a random extension:
openssl s_client -quiet -connect www.google.com:443 -tls1 \
  -cipher RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:DHE-DSS-DES-CBC3-SHA:DHE-DSS-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA \
  -serverinfo 12345 \
  < <(echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n")
That one succeeds (302 Found). At least with me. The extension doesn't
have to be 12345, some regular ones do the trick as well. But openssl
doesn't always include the existing ones correctly, so I used the
dummy.
Please let me know. If adding a random extension fixes the error with
you too, well.. It could be a step in the right direction towards
finding the cause of this problem.
Marc
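
To compare what the two commands above actually put on the wire, the extension list can be read out of a captured ClientHello record. This is an added example, not part of the original post: the function names are hypothetical and the two sample records are constructed (a TLS 1.0 hello offering RC4-MD5 and RC4-SHA, with and without an empty extension 12345), not captures of the openssl runs.

```python
import struct

def client_hello_extensions(record: bytes) -> list[int]:
    """Return the extension type numbers found in a TLS ClientHello record.

    An empty list means the hello ends right after compression_methods,
    i.e. it carries no extensions block at all.
    """
    # TLS record header: content type (22 = handshake), version, length.
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    body = record[5:5 + rec_len]
    # Handshake header: message type (1 = ClientHello), 24-bit length.
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                          # client_version + random
    pos += 1 + hello[pos]                                 # session_id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + hello[pos]                                 # compression_methods
    if pos == len(hello):
        return []                                         # no extensions block
    ext_end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    types = []
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        types.append(ext_type)
        pos += 4 + ext_len
    return types

def build_hello(extensions: bytes = b"") -> bytes:
    """Constructed sample: TLS 1.0 ClientHello offering RC4-MD5 and RC4-SHA."""
    hello = (b"\x03\x01" + bytes(32) + b"\x00"        # version, random, empty session_id
             + b"\x00\x04\x00\x04\x00\x05"            # two suites: 0x0004, 0x0005
             + b"\x01\x00")                           # null compression only
    if extensions:
        hello += len(extensions).to_bytes(2, "big") + extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

PLAIN = build_hello()                                    # constructed, no extensions
WITH_DUMMY = build_hello(struct.pack("!HH", 12345, 0))   # constructed, empty ext 12345

if __name__ == "__main__":
    print(client_hello_extensions(PLAIN), client_hello_extensions(WITH_DUMMY))
```

Feeding it the first TLS record of each connection from a packet capture shows exactly which extensions differ between the failing and the succeeding handshake.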