[squid-users] Ubuntu 20.04 "apt update" issues behind a VPN and Squid proxy

Amos Jeffries squid3 at treenet.co.nz
Sun Jul 18 06:43:28 UTC 2021


On 16/07/21 4:38 pm, David Mills wrote:
> Hi Amos,
> 
> sorry for the big delay here - I've had lots of other things to attend 
> to. I turned on the logging you suggested. For a failed "apt update" 
> attempt on the client I get the following attached access.log and cache.log.
> 
> Are any of the lines
> 
>     2021/07/16 04:28:01.423 kid1| 83,5| bio.cc(396) adjustSSL: Extension
>     13 does not supported!
> 
>     ...
> 
>     20212021/07/16 04:28:32.465 kid1| 83,2| client_side.cc(3749)
>     Squid_SSL_accept: Error negotiating SSL connection on FD 11: Aborted
>     by client: 5
>     ...
> 
>     2021/07/16 04:28:02.452 kid1| Error negotiating SSL on FD 17:
>     error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher
>     returned (1/-1/0)
> 
>     ...
> 
>     2021/07/16 04:28:01.413 kid1| 83,2| client_side.cc(4293)
>     clientPeekAndSpliceSSL: SSL_accept failed.
> 
> 
> important?
> 

Very. It means the libssl Squid is built with and using is not able to 
understand the TLS the server is sending.

Squid-4 should be more tolerant of this particular issue, or at least 
able to follow the on_unsupported_protocol directive when it is encountered.

Older Squid versions depend more directly on the library TLS parsing - which 
cannot handle unknown values well.

Amos
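
Added example, not part of the original message and not Squid project code: a small triage script that parses cache.log lines of the shape quoted above and separates client-facing handshake failures from the libssl error raised while reading the server's reply. The side classification rules and the names SAMPLE, parse and triage are assumptions made for this illustration.

```python
import re

# Lines taken from the cache.log excerpt quoted above, with the mail
# wrapping undone and the doubled year in the second timestamp dropped.
SAMPLE = """\
2021/07/16 04:28:01.423 kid1| 83,5| bio.cc(396) adjustSSL: Extension 13 does not supported!
2021/07/16 04:28:32.465 kid1| 83,2| client_side.cc(3749) Squid_SSL_accept: Error negotiating SSL connection on FD 11: Aborted by client: 5
2021/07/16 04:28:02.452 kid1| Error negotiating SSL on FD 17: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned (1/-1/0)
2021/07/16 04:28:01.413 kid1| 83,2| client_side.cc(4293) clientPeekAndSpliceSSL: SSL_accept failed.
"""

# "<timestamp> kidN| [section,level| file(line) function: ]message"
LINE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) (?P<kid>kid\d+)\| "
    r"(?:(?P<section>\d+),(?P<level>\d+)\| (?P<src>\S+\(\d+\)) (?P<func>\w+): )?"
    r"(?P<msg>.*)$")
# OpenSSL error string: error:<code>:<library>:<function>:<reason>
SSL_ERR = re.compile(r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):"
                     r"(?P<fn>[^:]*):(?P<reason>.*?)(?: \(\d+/-?\d+/\d+\))?$")
# Assumption: these two functions (both in client_side.cc in the excerpt)
# report failures on the client-facing side of the proxy.
CLIENT_FUNCS = {"Squid_SSL_accept", "clientPeekAndSpliceSSL"}

def parse(text):
    """Yield one dict per log line; section/level/src/func may be None."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def triage(text):
    """Return (side, timestamp, detail) tuples in time order."""
    findings = []
    for rec in parse(text):
        err = SSL_ERR.search(rec["msg"])
        if err:  # assumption: an OpenSSL error string means the server side
            findings.append(("server", rec["ts"], err["reason"]))
        elif rec["func"] in CLIENT_FUNCS:
            findings.append(("client", rec["ts"], rec["msg"]))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for side, ts, detail in triage(SAMPLE):
        print(f"{ts}  {side:6}  {detail}")
```

Sorting by timestamp puts the quoted lines back in the order they were logged, which the excerpt in the mail does not preserve.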

