[squid-users] tls12_check_peer_sigalg:wrong signature type
Edouard Gaulué
listes at e-gaulue.com
Fri Mar 13 12:08:42 UTC 2020
>> ERROR: negotiating TLS on FD 57: error:1414D172:SSL
>> routines:tls12_check_peer_sigalg:wrong signature type (1/-1/0)
>>
> This is an error from your Squid machines OpenSSL library.
That's what I thought. I also have: tls_process_ske_dhe:dh_key_too_small
for ssl server using SHA1.
>> openssl s_client -connect www.marches-securises.fr:443 is OK
>>
>> I believed in the beginning, it was an intermediate certificate trouble,
>> but it doesn't look so. I read this :
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934453
>>
>> I'm not sure squid is involved, but maybe some of you have already
>> overcome this kind of trouble through squid or openssl configuration.
>>
> If you can get a packet trace and inspect the TLS messages with
> wireshark you should be able to determine what is actually happening.
>
> If you can find for certain what the cause of problem is we might be
> able to help with solutions (if not obvious to you by then).
>
Yes, that's a way. But as the provided link mentioned (and also some
issues on SSLLabs), it often looks to be a trouble with SSL server
configuration and even on big or prestigious sites.
I've set the "sslproxy_cert_error" option to "allow all", but despite
this I still get SQUID_ERR_SSL_HANDSHAKE.
Maybe there is a configuration to tell squid to allow (better than the
one above) or to splice in case of such trouble with handshake?
Best regards, Edouard
More information about the squid-users
mailing list