[squid-users] Peek-and-splice not working when mixing TLS1.3 servers and TLS1.2 clients

Alex Rousskov rousskov at measurement-factory.com
Fri Sep 20 16:01:58 UTC 2019


On 9/20/19 10:53 AM, Nikolaus wrote:

> If server and squid use TLS 1.3, but client only supports TLS 1.2: The
> client terminates the connection due to certificate verification errors.
> 
> I have had a look at what happens at TLS protocol level using wireshark,
> and it seems that in the latter case, squid - for some reason - performs
> (something similar to) bumping instead of splicing!

Bumping happens when a splicing Squid wants to report an SslBump-related
error to the client.


> How can I get the splicing setup working when mixing TLS 1.3 servers and
> TLS 1.2 clients?

I do not know the exact answer to that question, but I would start by
figuring out what error Squid is trying to serve to the client. You may
be able to figure it out by looking at the corresponding access.log
records, especially if you log %err_code and %err_detail. In the worst
case, enabling and looking at debugging info in cache.log may be
necessary, but I would start with access.log anyway.

Alex.
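As an added illustration (not part of Alex's reply or the Squid project's own documentation), a squid.conf fragment that records the two fields he suggests, alongside the SslBump mode and client SNI, so the error Squid is trying to serve can be read straight from access.log; the format name and log path are assumptions:

```conf
# Custom access.log format: the usual timestamp/client/status/method/URL
# fields, followed by the SslBump step taken (ssl::bump_mode), the SNI the
# client sent (ssl::>sni), and the error code/detail Squid attached to the
# transaction (err_code/err_detail). Format name "sslbump_debug" and the
# log path are placeholders chosen for this example.
logformat sslbump_debug %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ssl::bump_mode %ssl::>sni %err_code/%err_detail
access_log /var/log/squid/access.log sslbump_debug
```

On a transaction where Squid fell back from splicing to serving an error, the last column names the error; a "-" there means no error was recorded for that record.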

