[squid-users] Peek-and-splice not working when mixing TLS1.3 servers and TLS1.2 clients

Alex Rousskov rousskov at measurement-factory.com
Sun Sep 22 13:41:11 UTC 2019


On 9/22/19 9:18 AM, Nikolaus wrote:

> The access.log contains error code / detail "ERR_SECURE_CONNECT_FAIL /
> SQUID_ERR_SSL_HANDSHAKE" - which is not too helpful - but the cache.log
> contains the more detailed "ERROR: negotiating TLS on FD 19:
> error:1425F175:SSL routines:ssl_choose_client_version:inappropriate
> fallback (1/-1/0)".

> Is a TLS fallback prevention mechanism kicking in by error? If so, how
> to fix it?

I do not know the answers to your questions, but I am sure that it is
possible to figure it out by looking at either packet captures or
detailed debugging logs. Unfortunately, I do not have enough free time
to guide you through this triage. There were several similar complains
about "inappropriate fallback" errors on this list recently. I would
start by revisiting those threads for more clues.

Alex.


More information about the squid-users mailing list