[squid-users] SQUID_ERR_SSL_HANDSHAKE
Walter H.
Walter.H at mathemainzel.info
Sat Jun 29 10:34:12 UTC 2019
On 29.06.2019 10:17, Amos Jeffries wrote:
> On 29/06/19 3:03 am, Walter H. wrote:
>> sslproxy_cipher
>> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
>> sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2
>>
> I do not see the tls-dh setting necessary for the elliptic curves to
> work in your displayed config.
do you mean the dhparams= at the http_port here?
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squidCA.pem
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
dhparams=/etc/squid/cert/dhparam.pem
> So that would make the above cipher
> directive essentially disable everything except SSLv3 with MEDIUM/HIGH
> level non-RSA ciphers.
even with this:
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
and the sslproxy_cipher commented out,
this site doesn't work;
sslcrtvalidator_program cache=8192 ttl=240
/usr/lib64/squid/ssl_crtvalid/main.sh
sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1
this validator isn't called at all with the site https://www.3bg.at
e.g. with https://wiki.squid-cache.org this validator-script is
caled, and
there is the following traced
0 cert_validate 5324 host=wiki.squid-cache.org
proto_version=TLSv1.2
cipher=ECDHE-RSA-AES256-GCM-SHA384
...
>
> The value of sslproxy_options directive is colon (:) or comma (,)
> delimited. When multiple values like the above are configured only the
> first in the list is used. Which forces only TLS/1.2
I changed this to
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> It is not clear what OpenSSL will do when those conflicting options are
> handed to it. But it looks like it is down-grading to SSLv3 as L.P.H.
> said then breaking when something else arrives back.
quite strange only a few sites don't work, https://www.3bg.at is an
example of such;
many others work as expected;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3491 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20190629/65280c55/attachment.bin>
More information about the squid-users
mailing list