[squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

David Touzeau david at articatech.com
Thu Apr 27 16:47:42 UTC 2017


Hi,
I'm unable to access the https://www.boutique.afnor.org website.
I would like to know whether this issue cannot be fixed and I must exclude
this website from bumping to work around it.
Without Squid the website is displayed correctly.

Squid shows an error page with "(71) Protocol error (TLS code:
SQUID_ERR_SSL_HANDSHAKE)"

In cache.log: "Error negotiating SSL on FD 17:
error:00000000:lib(0):func(0):reason(0) (5/0/0)"

Using the following configuration:

http_port 0.0.0.0:3128 name=MyPortNameID20 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
sslcrtd_children 16 startup=5 idle=1
acl FakeCert ssl::server_name .apple.com
acl FakeCert ssl::server_name .icloud.com
acl FakeCert ssl::server_name .mzstatic.com
acl FakeCert ssl::server_name .dropbox.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice FakeCert
ssl_bump bump ssl_step2 all
ssl_bump splice all

sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all



Openssl info
----------------------------------------------------------------------------

openssl s_client -connect 195.115.26.58:443 -showcerts

CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c)
2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public
Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN =
Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION
FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE NORMALISATION, CN
= www.boutique.afnor.org
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE
NORMALISATION/OU=ASSOCIATION FRANCAISE DE
NORMALISATION/CN=www.boutique.afnor.org
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 Secure Server CA - G4
-----BEGIN CERTIFICATE-----
../..
-----END CERTIFICATE-----
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
Certification Authority - G5
-----BEGIN CERTIFICATE-----
../..
-----END CERTIFICATE-----
---
Server certificate
subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE
NORMALISATION/OU=ASSOCIATION FRANCAISE DE
NORMALISATION/CN=www.boutique.afnor.org
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 3105 bytes and written 616 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID:
833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
    Session-ID-ctx:
    Master-Key:
D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5
D6B5955DD8DF06608416
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1493311275
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0
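Two things in this post are worth decoding before deciding whether to exclude the site from bumping: the cache.log line "error:00000000:lib(0):func(0):reason(0) (5/0/0)" and the s_client transcript, which shows the server negotiating only TLSv1 with AES128-SHA while the posted configuration also carries DONT_VERIFY_PEER and "sslproxy_cert_error allow all", which together make the proxy accept any upstream certificate. The following Python script is an added example, not code from the post or from the Squid project: it parses the cache.log line (assuming, as the Squid 3.5 source suggests, that the trailing tuple is SSL_get_error / SSL_connect return value / errno), extracts the negotiated protocol, cipher and chain length from s_client output, and flags the two verification-disabling directives. The sample log line, transcript and config snippet are constructed from what the post quotes.

```python
import re

# Constructed samples, condensed from what the post quotes (not a live capture).
SQUID_LOG_LINE = ("Error negotiating SSL on FD 17: "
                  "error:00000000:lib(0):func(0):reason(0) (5/0/0)")

S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = FR, O = ASSOCIATION FRANCAISE DE NORMALISATION, CN = www.boutique.afnor.org
verify return:1
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Verify return code: 0 (ok)
"""

SQUID_CONF = """\
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
"""

# SSL_get_error() result codes as defined in <openssl/ssl.h>.
SSL_ERROR_NAMES = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
                   3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
                   5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN",
                   7: "SSL_ERROR_WANT_CONNECT"}

# Assumption: Squid 3.5 prints the trailing tuple as (SSL_get_error / SSL_connect return / errno).
SQUID_RE = re.compile(
    r"Error negotiating SSL on FD (?P<fd>\d+): error:(?P<code>[0-9A-Fa-f]{8}):\S+"
    r" \((?P<ssl_error>\d+)/(?P<ret>-?\d+)/(?P<errno>\d+)\)")


def parse_squid_ssl_error(line):
    """Decode one 'Error negotiating SSL' cache.log line into a structured verdict."""
    m = SQUID_RE.search(line)
    if not m:
        return None
    ssl_error, ret, err = int(m["ssl_error"]), int(m["ret"]), int(m["errno"])
    code = int(m["code"], 16)
    if ssl_error == 5 and ret == 0 and err == 0 and code == 0:
        # OpenSSL semantics: SYSCALL with ret 0 and an empty error queue means EOF
        # in the middle of the handshake, i.e. the server hung up without a TLS alert.
        verdict = "server closed the connection mid-handshake without sending an alert"
    elif ssl_error == 5:
        verdict = "socket-level failure (errno %d)" % err
    elif ssl_error == 1:
        verdict = "TLS protocol error reported by OpenSSL, code 0x%08X" % code
    else:
        verdict = "handshake did not complete"
    return {"fd": int(m["fd"]), "ssl_error": SSL_ERROR_NAMES.get(ssl_error, str(ssl_error)),
            "ret": ret, "errno": err, "verdict": verdict}


def parse_s_client(text):
    """Pull protocol, cipher, chain length and verification result out of s_client output."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    verify = re.search(r"Verify return code: (\d+)", text)
    depths = set(re.findall(r"^depth=(\d+)", text, re.M))
    return {"protocol": proto.group(1) if proto else None,
            "cipher": cipher.group(1) if cipher else None,
            "chain_length": len(depths),
            "verify_ok": verify is not None and verify.group(1) == "0"}


def config_findings(conf):
    """Flag sslproxy_* settings that make a bumping proxy trust any upstream server."""
    findings = []
    if re.search(r"^\s*sslproxy_flags\s+.*DONT_VERIFY_PEER", conf, re.M):
        findings.append("DONT_VERIFY_PEER: upstream certificates are not validated at all")
    if re.search(r"^\s*sslproxy_cert_error\s+allow\s+all", conf, re.M):
        findings.append("sslproxy_cert_error allow all: every validation error is ignored")
    return findings


def legacy_tls(info):
    """True when the server negotiated a protocol version older than TLSv1.2."""
    return info["protocol"] in ("SSLv3", "TLSv1", "TLSv1.1")


if __name__ == "__main__":
    print(parse_squid_ssl_error(SQUID_LOG_LINE))
    srv = parse_s_client(S_CLIENT_OUTPUT)
    print(srv, "legacy TLS:", legacy_tls(srv))
    for f in config_findings(SQUID_CONF):
        print("finding:", f)
```

Run against the quoted line, the decoder reports SSL_ERROR_SYSCALL with an empty error queue, which in OpenSSL terms is the server dropping the connection during the handshake rather than a certificate problem; that is why "sslproxy_cert_error allow all" has no effect here, and a splice rule for this server name is the usual way to keep the site reachable while the remaining rules still bump everything else. The config check is there because a DONT_VERIFY_PEER proxy that re-signs server certificates hides every upstream validation failure from the browser.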