[squid-users] Unliked SSL cipher
Amos Jeffries
squid3 at treenet.co.nz
Wed Apr 19 16:39:24 UTC 2017
On 20/04/17 03:44, dijxie at gmail.com wrote:
> Do you receive the same error while connecting to
> https://www.wikipedia.org?
>
> If you connect to https://91.198.174.192/* directly, your browser
> should warn you about ssl issue; that is because of:
>
> CN = *.wikipedia.org
>
> SAN=
> *.wikipedia.org
> wikipedia.org
> *.m.wikipedia.org
> *.zero.wikipedia.org
> wikimedia.org
> *.wikimedia.org
> *.m.wikimedia.org
> *.planet.wikimedia.org
> mediawiki.org
>
> This certificate is not allowed to be used with IP address (which is
> common) and that is the issue I suppose. Certificate is V3 sha256,
> which is... perfectly normal.

Huh? With raw-IP there is no SNI, that is all. The TLS is not getting
far enough for the HTTPS message inside the encryption to have any
relevance to the TLS<->Host validation situation.

It is the server cipher being complained about. And with a particular
"unknown" error rather than the more usual "none negotiable" we see a
lot of when configs mis-match.

Amos