[squid-users] Problem with ssl_choose_client_version:inappropriate fallback on some sites when using TLS1.2

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 17 06:26:10 UTC 2019


On 15/09/19 10:41 pm, John Sweet-Escott wrote:
> Hi All
> 
> We are trying to run Squid 4.8, compiled with OpenSSL 1.1.1 (see [1]) on
> Ubuntu 18.04 as a transparent proxy for the purpose of egress filtering
> of HTTPS traffic using SNI (see config in [2]). It works correctly
> when contacting some addresses (e.g. https://www.ubuntu.com) but not
> others (e.g. https://www.google.com). When we contact
> https://www.google.com using TLS1.2 we get the error in the logs:
> 2019/09/15 10:33:09 kid1| ERROR: negotiating TLS on FD 19:
> error:1425F175:SSL routines:ssl_choose_client_version:inappropriate
> fallback (1/-1/0)
...
>     Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)

I suspect it might have something to do with these ECDSA keys.

You do not have Elliptic-Curves enabled on the https_port client-facing
connection. So the TLS extensions associated are likely not to be
compatible between the client and the server connections Squid is
attempting to bridge between.

Amos
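One way to check Amos's suspicion in practice is to compare what the client-facing ClientHello advertises with what Squid's own ClientHello to the origin advertises (curves in supported_groups, supported_versions, cipher suites). The script below is an added example written for this post; it is not Squid code and did not come from the thread. It parses the ClientHello carried in a TLS handshake record and reports what the proxy-side hello drops relative to the browser-side one. The two hellos it inspects are constructed inline by the build_client_hello helper (only the fields that matter here, random and session id zeroed); with real traffic you would feed it the raw bytes of the first record captured on each side of the proxy. The names GROUP_NAMES, VERSION_NAMES, dropped_between and demo are mine, not part of any library.

```python
import struct

# TLS extension type numbers (IANA registry values).
EXT_SERVER_NAME = 0
EXT_SUPPORTED_GROUPS = 10
EXT_SUPPORTED_VERSIONS = 43

# Human-readable labels for the values used in the constructed samples.
GROUP_NAMES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519", 30: "x448"}
VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def build_client_hello(sni, ciphers, groups=None, versions=None):
    """Build a TLS record holding a minimal ClientHello (sample input constructed for this example)."""
    host = sni.encode()
    sni_list = struct.pack("!BH", 0, len(host)) + host          # name_type=host_name, length, name
    sni_ext = struct.pack("!H", len(sni_list)) + sni_list
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    if groups:
        body = b"".join(struct.pack("!H", g) for g in groups)
        data = struct.pack("!H", len(body)) + body
        exts += struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(data)) + data
    if versions:
        body = b"".join(struct.pack("!H", v) for v in versions)
        data = struct.pack("!B", len(body)) + body
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"        # legacy_version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"        # cipher suites, null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type handshake


def parse_client_hello(record):
    """Parse the ClientHello in a TLS handshake record; return the fields relevant for comparison."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                                      # client random
    pos += 1 + body[pos]                                           # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                           # compression methods
    # Without a supported_versions extension the offered version is just legacy_version.
    info = {"sni": None, "ciphers": ciphers, "groups": [], "versions": [legacy_version]}
    if pos >= len(body):
        return info
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]           # skip list length and name_type
            info["sni"] = data[5:5 + name_len].decode()
        elif etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", data[:2])[0]
            info["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            info["versions"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return info


def dropped_between(client_side, server_side):
    """What the client-facing hello advertised that the proxy's server-facing hello does not."""
    return {
        "groups": [g for g in client_side["groups"] if g not in server_side["groups"]],
        "versions": [v for v in client_side["versions"] if v not in server_side["versions"]],
        "ciphers": [c for c in client_side["ciphers"] if c not in server_side["ciphers"]],
    }


def demo():
    """Constructed pair of hellos: a browser offering curves and TLS1.3, a proxy hello offering neither."""
    browser = parse_client_hello(build_client_hello(
        "www.google.com", [0xCCA9, 0xC02B], groups=[29, 23], versions=[0x0304, 0x0303]))
    proxy = parse_client_hello(build_client_hello("www.google.com", [0xCCA9, 0xC02B]))
    return dropped_between(browser, proxy)


if __name__ == "__main__":
    d = demo()
    print("curves dropped:  ", [GROUP_NAMES.get(g, hex(g)) for g in d["groups"]])
    print("versions dropped:", [VERSION_NAMES.get(v, hex(v)) for v in d["versions"]])
    print("ciphers dropped: ", [hex(c) for c in d["ciphers"]])
```

A non-empty "curves dropped" list on a real capture means the proxy is offering ECDHE cipher suites such as 0xcca9 to the origin while advertising a different (or no) set of curves than the client did, which is the mismatch Amos describes; whether that is what the origin then rejects still has to be confirmed against the origin's ServerHello or alert.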

