[squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Olly Lennox
oliver at lennox-it.uk
Thu Apr 27 16:53:29 UTC 2017
Hi David,
I'm battling with similar problems at the moment. One thing that I've found is that the system seems happier when you don't peek prior to a bump; my current config is:
acl nobumpserver ssl::server_name "/etc/squid/nobump"
acl ignoreclients src "/etc/squid/nobumpclients"
acl step1 at_step SslBump1
ssl_bump peek nobumpserver step1
ssl_bump peek ignoreclients step1
ssl_bump splice nobumpserver
ssl_bump splice ignoreclients
ssl_bump stare step1 !nobumpserver !ignoreclients
ssl_bump bump !nobumpserver !ignoreclients
where nobump is a list of regex domains (like .apple.com) and nobumpclients is a list of IPs I never want to bump. I'm still battling with errors and sites not always working, but of all the configurations I've tried this one seems to work for the majority of sites.
Cheers,
oliver at lennox-it.uk
lennox-it.uk
tel: 07900 648 252
________________________________
From: David Touzeau <david at articatech.com>
To: squid-users at lists.squid-cache.org
Sent: Thursday, 27 April 2017, 17:48
Subject: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Hi,
I'm unable to access the https://www.boutique.afnor.org website.
I would like to know if this issue cannot be fixed and I must deny bumping
the website to fix it.
Without Squid the website is correctly displayed.
Squid shows an error page with "(71) Protocol error (TLS code:
SQUID_ERR_SSL_HANDSHAKE)"
In cache.log: "Error negotiating SSL on FD 17:
error:00000000:lib(0):func(0):reason(0) (5/0/0)"
Using the following configuration:
http_port 0.0.0.0:3128 name=MyPortNameID20 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
sslcrtd_children 16 startup=5 idle=1
acl FakeCert ssl::server_name .apple.com
acl FakeCert ssl::server_name .icloud.com
acl FakeCert ssl::server_name .mzstatic.com
acl FakeCert ssl::server_name .dropbox.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice FakeCert
ssl_bump bump ssl_step2 all
ssl_bump splice all
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
Openssl info
----------------------------------------------------------------------------
openssl s_client -connect 195.115.26.58:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c)
2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public
Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN =
Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION
FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE NORMALISATION, CN
= www.boutique.afnor.org
verify return:1
---
Certificate chain
0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE
NORMALISATION/OU=ASSOCIATION FRANCAISE DE
NORMALISATION/CN=www.boutique.afnor.org
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 Secure Server CA - G4
-----BEGIN CERTIFICATE-----
../..
-----END CERTIFICATE-----
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
Certification Authority - G5
-----BEGIN CERTIFICATE-----
../..
-----END CERTIFICATE-----
---
Server certificate
subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE
NORMALISATION/OU=ASSOCIATION FRANCAISE DE
NORMALISATION/CN=www.boutique.afnor.org
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 3105 bytes and written 616 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID:
833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
Session-ID-ctx:
Master-Key:
D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5
D6B5955DD8DF06608416
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1493311275
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=0
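To see what the two ssl_bump rule sets in this thread actually do for a given client and server, here is a small simulator of Squid's evaluation model (at each SslBump step the first ssl_bump line whose ACLs all match wins; peek and stare move on to the next step, while splice, bump and terminate end the decision). This is an added example and is not code from either poster or from the Squid project. It assumes dstdomain-style suffix matching for ssl::server_name values, uses the same server name at every step (real Squid only has the CONNECT host or intercepted IP at step 1 and the SNI from step 2 on), treats "no matching rule" as splice, and replaces the two file-based ACLs in Olly's config with constructed inline values. It also flags the documented constraint that a connection peeked at step 2 (server Hello) can no longer be bumped at step 3.

```python
"""Simulate Squid ssl_bump rule evaluation (first matching rule per step)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Olly's fragment, with the two file-based ACLs replaced by constructed inline
# values (the real files are not on the page).
OLLY_CONF = """
acl nobumpserver ssl::server_name .apple.com .icloud.com
acl ignoreclients src 192.168.1.50 192.168.2.0/24
acl step1 at_step SslBump1
ssl_bump peek nobumpserver step1
ssl_bump peek ignoreclients step1
ssl_bump splice nobumpserver
ssl_bump splice ignoreclients
ssl_bump stare step1 !nobumpserver !ignoreclients
ssl_bump bump !nobumpserver !ignoreclients
"""

# David's fragment (ssl_bump-relevant lines only), as posted.
DAVID_CONF = """
acl FakeCert ssl::server_name .apple.com
acl FakeCert ssl::server_name .icloud.com
acl FakeCert ssl::server_name .mzstatic.com
acl FakeCert ssl::server_name .dropbox.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice FakeCert
ssl_bump bump ssl_step2 all
ssl_bump splice all
"""

STEP_NAMES = {"SslBump1": 1, "SslBump2": 2, "SslBump3": 3}
FINAL_ACTIONS = {"splice", "bump", "terminate"}
Conf = Tuple[Dict[str, Tuple[str, List[str]]], List[Tuple[str, List[str]]]]


def parse_conf(text: str) -> Conf:
    """Collect acl definitions (repeated names append values) and ssl_bump rules in order."""
    acls: Dict[str, Tuple[str, List[str]]] = {}
    rules: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acl_kind, acl_values = acls.setdefault(name, (kind, []))
            if acl_kind != kind:
                raise ValueError(f"acl {name} redefined with type {kind}")
            acl_values.extend(values)
        elif parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def domain_matches(pattern: str, host: str) -> bool:
    """dstdomain-style match: '.example.com' covers the domain and its subdomains."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acls, token: str, step: int, server_name: str, client_ip: str) -> bool:
    negate = token.startswith("!")
    name = token[1:] if negate else token
    if name == "all":  # Squid's built-in catch-all ACL
        result = True
    else:
        kind, values = acls[name]
        if kind == "at_step":
            result = any(STEP_NAMES[v] == step for v in values)
        elif kind == "ssl::server_name":
            result = any(domain_matches(v, server_name) for v in values)
        elif kind == "src":
            ip = ipaddress.ip_address(client_ip)
            result = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        else:
            raise ValueError(f"unsupported acl type {kind}")
    return result != negate


def action_at_step(conf: Conf, step: int, server_name: str, client_ip: str) -> Optional[str]:
    """First ssl_bump rule whose ACLs all match at this step, or None."""
    acls, rules = conf
    for action, tokens in rules:
        if all(acl_matches(acls, t, step, server_name, client_ip) for t in tokens):
            return action
    return None


def trace(conf: Conf, server_name: str, client_ip: str) -> List[Tuple[int, str]]:
    """Actions taken at steps 1..3 until a final action (splice/bump/terminate)."""
    steps: List[Tuple[int, str]] = []
    for step in (1, 2, 3):
        action = action_at_step(conf, step, server_name, client_ip)
        if action is None:
            action = "splice"  # assumption: no matching rule means no bumping
        steps.append((step, action))
        if action in FINAL_ACTIONS:
            break
    return steps


def bump_after_server_peek(steps: List[Tuple[int, str]]) -> bool:
    """True if the rules try to bump after peeking at the server Hello (not possible in Squid)."""
    return (2, "peek") in steps and (3, "bump") in steps


if __name__ == "__main__":
    for label, conf in (("olly", parse_conf(OLLY_CONF)), ("david", parse_conf(DAVID_CONF))):
        for host, ip in (("www.boutique.afnor.org", "10.0.0.5"),
                         ("www.apple.com", "10.0.0.5"),
                         ("www.boutique.afnor.org", "192.168.1.50")):
            t = trace(conf, host, ip)
            print(f"{label:5} {host:24} {ip:13} {t} peek-then-bump={bump_after_server_peek(t)}")
```

Run stand-alone it prints the per-step decisions: with Olly's rules the afnor site is stared at step 1 and bumped at step 2, while with David's it is peeked at step 1 and bumped at step 2, and the listed clients and domains are spliced in both. Neither rule set reaches step 3, so the peek-then-bump check never fires here; it is there for configurations that peek at the server before deciding.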