[squid-users] Peeking on TLS traffic: unknown cipher returned

Alex Rousskov rousskov at measurement-factory.com
Thu Oct 20 04:10:30 UTC 2016


On 10/19/2016 08:51 PM, Leandro Barragan wrote:
> I get the unknown cipher error on Squid
> but on the client I see a certificate error. When I look at the
> certificate info, it is signed by Squid. It makes no sense at all.

When Squid v3 encounters an OpenSSL error (such as an unsupported
cipher), it tries to serve the corresponding error page to the user.
This happens before your "terminate" rules are reached and requires
impersonating the server, which explains why you see a Squid-signed
error page.

Squid v4 works better in this situation because:

* v4 does not rely on OpenSSL during step1. This will help if you are
willing to make decisions based on SNI/host alone (requires changing
your config).

* v4 can be configured to tunnel unexpected non-SSL traffic (via
on_unsupported_protocol). I am not sure whether this helps with the
ciphers issue during step2 (if you leave your configuration unchanged)
-- I do not remember whether Squid treats that kind of failure as an
unsupported protocol issue (but I doubt it does).


HTH,

Alex.
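A squid.conf fragment that illustrates the v4 configuration style Alex describes (deciding on SNI alone after a step1 peek, with splice rather than bump, and tunneling non-TLS traffic). This is an added example, not configuration from the thread or from the Squid project; the ACL names, the .example.com domain and the existing intercepting http_port line it assumes are all placeholders.

```conf
# Added example (not from the original post). Assumes an existing
# "http_port ... ssl-bump ..." (or https_port) line elsewhere in squid.conf
# and Squid v4. ACL names and the domain below are illustrative only.

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Decide on the SNI from the ClientHello; no server TLS handshake needed.
acl blockedSites ssl::server_name .example.com

# Step 1: peek at the ClientHello only. In v4 this is done without
# OpenSSL, so an unsupported server cipher cannot fail here.
ssl_bump peek step1

# Step 2: terminate or splice based on SNI alone. Splicing never makes
# Squid negotiate TLS with the server, so OpenSSL cipher errors (and the
# Squid-signed error page they produce under v3) do not arise.
ssl_bump terminate blockedSites
ssl_bump splice all

# Traffic on the intercepting port that is not TLS at all gets tunneled
# instead of producing an error page.
on_unsupported_protocol tunnel all
```

With this layout Squid never reaches a state where it must impersonate the server just to deliver an error, because the only actions taken after the peek are terminate and splice. Replacing the splice with bump (or adding a stare at step2) reintroduces the server-side OpenSSL handshake, and, as noted in the reply above, it is not established that a cipher failure at that point is treated as an unsupported-protocol event by on_unsupported_protocol.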


