[squid-users] Peeking on TLS traffic: unknown cipher returned
Alex Rousskov
rousskov at measurement-factory.com
Thu Oct 20 04:01:33 UTC 2016
On 10/19/2016 12:44 AM, Leandro Barragan wrote:
>> error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0)
> I fail to see why is this happening. I only need to peek on the
> connection and make a decision based on SNI,
Please note that "peek and make a decision based on SNI" is not what
your configuration tells Squid to do. Your configuration tells Squid to
peek during step2, which means making a decision based on server
certificates (and SNI).
> I'm not Bumping, so I
> don't understand why ciphers matter in my situation.
The ciphers matter because Squid v3 uses OpenSSL parsers during step1,
step2, and step3. FWIW, Squid v4 uses OpenSSL parsers during step2 (a
little) and step3. It is possible to completely remove OpenSSL from
step2 but there is currently no project to do that AFAIK.
>> ssl_bump peek all step1
>> ssl_bump peek all step2
>> ssl_bump terminate face step3
>> ssl_bump terminate twitter step3
>> ssl_bump splice all step3
BTW, "step1", "step2", and "step3" ACLs do nothing useful in the above
config. You can safely remove them to arrive at the equivalent ssl_bump
configuration.
On 10/19/2016 07:42 AM, Amos Jeffries wrote:
> Terminate means impersonating the server and responding to the client
> with an HTTPS error page.
Terminate means "close client and server connections immediately". The
problem is not with the terminate action but with peeking (which relies
on OpenSSL, especially during step2, especially in Squid v3).
HTH,
Alex.
More information about the squid-users
mailing list