[squid-users] SQUID_ERR_SSL_HANDSHAKE
Walter H.
Walter.H at mathemainzel.info
Sat Jun 29 14:03:49 UTC 2019
Hello Amos,
On 29.06.2019 14:13, Amos Jeffries wrote:
>
> That is a good sign. That exact combo is in the set supported by the
> breaking server so it is unlikely your Squid or its OpenSSL is
> contributing to this particular problem.
>
>> quite strange only a few sites don't work, https://www.3bg.at is an
>> example of such; many others work as expected;
> That is a bit odd. Though looking at the SSL Labs report for this
> www.3bg.at site they're restricting to only TLS/1.2 and there are many
> clients for which the encryption handshake does not work.
>
> <https://www.ssllabs.com/ssltest/analyze.html?d=www.3bg.at> look to the
> list of failures under "Handshake Simulation" and the whole list of "Not
> simulated clients" for comparison with UA of any of your clients having
> trouble connecting there.
I have my own website and there I did something similar - disabling
TLSv1 and TLSv1.1, thus only allowing TLSv1.2.
Here
https://www.ssllabs.com/ssltest/analyze.html?d=ssl.mathemainzel.info
shows the same: many failures under "Handshake Simulation",
but the weird thing is, this works with my Squid :-)
>
>
> Squid SSL-Bump is limited to negotiating use of TLS versions and
> features which are supported by both itself and the client when offering
> things to the server. So the problem of some client agents not
> supporting TLS/1.2 or the ciphers the server wants to use can make the
> site fail even if your Squid outbound settings support them.
>
>
> PS. At the technical level that exact error from OpenSSL means that some
> data arrived from the server at a time when only TLS alert messages were
> supposed to be happening.
There is also something different; when doing the following:
openssl s_client -connect HOST:PORT -servername HOST
this takes about 1 or 2 minutes until a certificate is shown with
www.3bg.at,
but with my site this goes quickly, within seconds;
> I suspect it could be a sign that the
> Internet between your proxy and that server is being MITM'd by an agent
> that corrupts the protocol for some reason. eg someone else's proxy
> rejecting the connection but getting its error response syntax wrong.
could this be a proxy on the server side?
but the strange thing: without SSL bump, or directly without Squid, this site works;
(even my browser uses an uncommon UA string and is not the original Firefox)
what strange thing is doing this so badly on some sites?
Thanks,
Walter
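The s_client check described above can be turned into a small comparison tool. The script below is an added example, not part of the thread or of Squid: it times the same openssl s_client handshake the poster ran and extracts the negotiated protocol and cipher (or reports that no handshake completed, which is what s_client's "Cipher : 0000" line means), so a slow or failing origin can be compared against a healthy one. It assumes openssl(1) and coreutils timeout(1) are on PATH; the sample s_client output used for the self-check is constructed, not captured from any real server.

```shell
#!/bin/sh
# Diagnostic for slow or failing TLS handshakes seen through SSL-Bump.
# Added example; not code from the squid-users thread.

# parse_handshake: extract "Protocol" and "Cipher" from an s_client session.
# $1 is the full text of the session. Prints "PROTO CIPHER" on success,
# "no-handshake" when s_client got no cipher (it prints "Cipher : 0000").
parse_handshake() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "no-handshake"
    else
        echo "$proto $cipher"
    fi
}

# time_handshake HOST [PORT] [TIMEOUT_SECONDS]
# Runs the same command as in the thread, with SNI set, and prints
# "ELAPSED_SECONDS PROTO CIPHER" or "ELAPSED_SECONDS no-handshake".
# A result close to TIMEOUT_SECONDS with no-handshake is the stall the
# poster describes (minutes instead of seconds). Needs coreutils timeout(1).
time_handshake() {
    host=$1; port=${2:-443}; limit=${3:-30}
    start=$(date +%s)
    out=$(printf 'Q\n' | timeout "$limit" openssl s_client \
              -connect "$host:$port" -servername "$host" 2>&1)
    end=$(date +%s)
    echo "$((end - start)) $(parse_handshake "$out")"
}

# Constructed sample s_client output (not from any real host) for a self-check.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Usage: sh thisscript.sh www.example.net   (example host name; no request made here)
if [ -n "$1" ]; then
    time_handshake "$1" "${2:-443}"
fi
```

Run it once against the origin that misbehaves and once against a known-good host on the same network path; a long elapsed time paired with no-handshake points at the server or something between, not at Squid's outbound TLS settings.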