[squid-users] SQUID_ERR_SSL_HANDSHAKE
Amos Jeffries
squid3 at treenet.co.nz
Sat Jun 29 08:17:11 UTC 2019
On 29/06/19 3:03 am, Walter H. wrote:
>
> sslproxy_cipher
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
> sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2
>
I do not see the tls-dh setting necessary for the elliptic curves to
work in your displayed config. So that would make the above cipher
directive essentially disable everything except SSLv3 with MEDIUM/HIGH
level non-RSA ciphers.
The value of sslproxy_options directive is colon (:) or comma (,)
delimited. When multiple values like the above are configured only the
first in the list is used. Which forces only TLS/1.2
It is not clear what OpenSSL will do when those conflicting options are
handed to it. But it looks like it is down-grading to SSLv3 as L.P.H.
said then breaking when something else arrives back.
I would start by removing the sslproxy_cipher directive entirely and
fixing sslproxy_options to be:
sslproxy_options NO_SSLv2:NO_SSLv3
then re-adding the cipher *restrictions* (the ones with '!' prefix)
gradually to see what you actually need and where the problem starts.
You should not need the additions as secure ciphers are always enabled
by default.
If you can watch the TLS negotiations with wireshark as you experiment
it can help understand which options actually do anything. There are
overlaps like "!LOW" should be including the removals that "!RC4" does
and such overlaps.
Amos
More information about the squid-users
mailing list