[squid-users] Gateway Proxy failure - but only with one browser ...
Amos Jeffries
squid3 at treenet.co.nz
Wed Apr 29 18:39:10 UTC 2020
On 30/04/20 6:16 am, Walter H. wrote:
> It is very probable that the following has the same reason - but I don't
> know what's causing it ...
>
> the old browser on old OS gives this
>
> <errorpage>
> While trying to retrieve the URL: https://mein.elba.hypo.at/*
>
> The following error was encountered:
>
> * Failed to establish a secure connection to 217.13.188.204
>
> The system returned:
>
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Handshake with SSL server failed: error:1407742E:SSL
> routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
> ...
> </errorpage>
>
> the new browser works ...
>
> I thought that the SSL connection between browser and squid is different
> from the one between squid and server;
> how can there be a SSL handshake problem between squid and server when
> using an old browser?
>
For transparency and because TLS requirements are embedded in the
certificates Squid makes the connection to the server as close as
possible to the same properties the client connection uses.
The change in browser thus affects both what Squid can pass on to the
server, and what can be passed back from the server to the client.
...
>> sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
This is a misconfiguration. Please drop the DONT_VERIFY_PEER.
If the server is not validating using the CA certs you told Squid were
the *only* acceptible CAs:
sslproxy_cafile /etc/squid/ca-bundle.trust.crt
... then either the contents of that file are wrong, or the server
connection is compromised. Determining the latter is the whole point of TLS.
Amos
More information about the squid-users
mailing list