[squid-users] SSL handshake
Alex Rousskov
rousskov at measurement-factory.com
Tue Jul 27 17:29:58 UTC 2021
On 7/27/21 11:45 AM, Vieri wrote:
> Just recently I've noticed that LAN clients going through Squid with sslbump are all of a sudden unable to access certain HTTPS sites such as login.yahoo.com.
> The squid log has lines like:
>
> kid1| 4,3| Error.cc(22) update: recent: ERR_SECURE_CONNECT_FAIL/SQUID_ERR_SSL_HANDSHAKE+TLS_LIB_ERR=1423506E+TLS_IO_ERR=1
>
> and the client error page shows a line like this:
>
> SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=14094410+TLS_IO_ERR=1
>
> I'm not sure why the lib error code is different. I might not have tracked down the right connection in the log.
>
> I have not changed anything in the OS so it might be because of a change in the remote web service.
> It might be that my openssl version is already too old (1.1.1g), and that the web site forces the use of an unsupported cypher?

FWIW, I get the following additional info from my OpenSSL 1.1.1f (your
values may differ -- do check):

    $ openssl errstr 1423506E
    error:1423506E:SSL routines:ssl_next_proto_validate:bad extension

    $ openssl errstr 14094410
    error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

The former looks like an NPN negotiation failure. More detailed analysis
is needed to confirm and get to the root cause. I doubt it is an OpenSSL
version issue though.

HTH,

Alex.
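
Added example (not part of the message above, and not Squid or OpenSSL code): a way to pull every TLS_LIB_ERR value out of Squid log or error-page text and split it into OpenSSL's library, function and reason numbers, which shows whether the error was raised locally or reports a TLS alert sent by the peer. It assumes the OpenSSL 1.1.1 error packing (8-bit library, 12-bit function, 12-bit reason); the names unpack, classify and scan are hypothetical, and the sample input is built from the two strings quoted in the thread.

```python
import re

# Constructed sample input: the two error strings quoted in the thread above.
SAMPLE = """\
kid1| 4,3| Error.cc(22) update: recent: ERR_SECURE_CONNECT_FAIL/SQUID_ERR_SSL_HANDSHAKE+TLS_LIB_ERR=1423506E+TLS_IO_ERR=1
SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=14094410+TLS_IO_ERR=1
"""

ERR_LIB_SSL = 20             # library number of "SSL routines" (0x14)
SSL_AD_REASON_OFFSET = 1000  # reason = offset + TLS alert description number

# Subset of TLS alert descriptions (RFC 5246 / RFC 8446), enough for triage.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name",
}

LIB_ERR_RE = re.compile(r"TLS_LIB_ERR=([0-9A-Fa-f]+)")


def unpack(code):
    """Split an OpenSSL 1.1.1 packed error into (lib, func, reason).

    Assumes the 1.1.1 layout: 8 bits lib, 12 bits func, 12 bits reason.
    OpenSSL 3.x packs errors differently, so do not reuse this there.
    """
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def classify(code):
    """Say whether an SSL-library error was raised locally or reports a peer alert."""
    lib, func, reason = unpack(code)
    result = {"code": f"{code:08X}", "lib": lib, "func": func,
              "reason": reason, "origin": "non-ssl", "alert": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        result["origin"] = "peer-alert"   # the remote end sent a TLS alert
        result["alert"] = TLS_ALERTS.get(number, f"alert_{number}")
    elif lib == ERR_LIB_SSL:
        result["origin"] = "local"        # raised by the local TLS library
    return result


def scan(text):
    """Decode every TLS_LIB_ERR value found in Squid log or error-page text."""
    return [classify(int(m.group(1), 16)) for m in LIB_ERR_RE.finditer(text)]


if __name__ == "__main__":
    for entry in scan(SAMPLE):
        print(entry)
```

A "peer-alert" result means the same connection should be looked up on the remote side or in a packet capture, while a "local" result points at what the local library refused to accept.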