[squid-users] FW: squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 30 02:04:04 UTC 2016


On 30/09/2016 11:23 a.m., Eliezer Croitoru wrote:
> Hey Vieri,
> 
> Just as a tiny reply I must admit that it's expected.
> What you see is the result of squid and its SSL stack supporting the goal of a minimum specific version of SSL encrypted connections.
> I am not sure but there might be a way to make it all work for these clients.
> Have you tried searching the squid-cache lists using google\yahoo\bing\other?

Small correction. It is the "Handshake with SSL server failed" (note
"server"). After several years of ciphers and SSLv2/v3 protocol things
being found to be badly insecure and removed from browsers and servers
all over the place, it is indeed expected.

Firefox works because Mozilla have their own SSL/TLS library built into
the browser with modern capabilities. IE uses the WinXP one which is no
longer compatible with most of the Internet servers.

Squid mimics the client details when contacting the server. So you would
get the same problem (though maybe different description) if going
directly without the proxy.

To get around this you require the latest Squid version (with the
peek-and-splice feature) doing the "bump" action on these clients'
traffic so that it can upgrade the TLS/SSL handshake and use some
ciphers etc. that the server will accept on their connections.

Amos
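The peek-then-bump setup Amos describes, as an added squid.conf fragment (not from the thread or the Squid project): Squid peeks at the client's ClientHello at step 1 and then bumps, so the connection to the origin server is negotiated by Squid's own TLS stack with modern protocol versions and ciphers rather than by mimicking the WinXP/IE handshake. Port numbers, certificate paths, the cache size and the cipher string are assumptions.

```conf
# Intercepted HTTPS via TPROXY with SSL-Bump enabled.
# (port, CA cert path and cache size are assumed values)
https_port 3130 tproxy ssl-bump \
    cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that mints per-site certificates signed by the bump CA.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Step 1: peek at the ClientHello to learn the SNI without committing.
# Step 2: bump (not splice), so Squid opens its own TLS session to the
# server; the legacy client's handshake never reaches the origin.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Outgoing (Squid-to-server) TLS: refuse SSLv2/v3 and weak ciphers.
# Squid 3.5 directives; Squid 4 folds these into tls_outgoing_options.
sslproxy_options NO_SSLv2,NO_SSLv3
sslproxy_cipher HIGH:!aNULL:!MD5:!RC4
```

Clients must trust the bump CA for this to work, and bumping only helps the legacy-handshake case; a `splice` rule would pass the client's own SSLv3-era handshake through untouched and reproduce the error.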


