[squid-users] tls12_check_peer_sigalg:wrong signature type

Amos Jeffries squid3 at treenet.co.nz
Fri Mar 13 07:27:58 UTC 2020


On 12/03/20 4:59 am, Edouard Gaulué wrote:
> Hi Community,
> 
> We moved from 3.4.8 to 4.10 two days ago (and more generally to Buster).
> 
> Some users complain today about HTTPS sites that are not reachable while
> it was before (we bump). They are reachable from browsers without proxy.
> 
> An example is : www.marches-securises.fr.
> 
> In the log I get :
> 
> ERROR: negotiating TLS on FD 57: error:1414D172:SSL
> routines:tls12_check_peer_sigalg:wrong signature type (1/-1/0)
> 

This is an error from your Squid machines OpenSSL library.


> openssl s_client -connect www.marches-securises.fr:443 is OK
> 
> I believed in the beginning, it was an intermediate certificate trouble,
> but it doesn't look so. I read this :
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934453
> 
> I'm not sure squid is involved, but maybe some of you have already
> overcome this kind of trouble through squid or openssl configuration.
> 

If you can get a packet trace and inspect the TLS messages with
wireshark you should be able to determine what is actually happening.

If you can find for certain what the cause of problem is we might be
able to help with solutions (if not obvious to you by then).

Amos


More information about the squid-users mailing list