On 12/04/16 09:45, Chris Puttick wrote:
> Hi
>
> Our schools filtering product utilises OpenSSL with Squid; we're seeing issues connecting to some sites which seem OpenSSL related. Two sites with known issues are:
>
> https://www.spellanywhere.co.uk/
>
> https://www.mymaths.co.uk/
>
> Connecting to either of these, Squid returns the error:
>
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

It seems these servers require connections to supply SNI information. Supplying the servername option to s_client adds it:

# openssl s_client -connect www.spellanywhere.co.uk:443 -servername www.spellanywhere.co.uk

I am able to create successful connections to both of the sites you list above with OpenSSL 1.0.1 using the above option.

Unfortunately I am unfamiliar with Squid configuration, so I can't advise as to whether this is the problem with your squid setup, and if it is - how you fix it.

Matt

> Running openssl tests direct from a schools box (OpenSSL 1.0.1) gets:
>
> # openssl s_client -connect www.spellanywhere.co.uk:443
> CONNECTED(00000003)
> 3073661128:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:734:
>
> Attempting to disable protocols for testing gets:
>
> openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -connect www.spellanywhere.co.uk:443
> CONNECTED(00000003)
> 3074005192:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:734:
>
> and eventually
>
> openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -no_ssl3 -no_ssl2 -connect www.spellanywhere.co.uk:443
> CONNECTED(00000003)
> 3073534152:error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available:s23_clnt.c:385:
>
> While forcing dtls with
>
> openssl s_client -dtls1 -connect www.spellanywhere.co.uk:443
>
> seems to establish a tunnel as expected.
>
> Using curl or wget on the same boxes to those sites works as expected. Tests on a local box with OpenSSL 1.0.2e return similar results, although the disabled protocols test returns a different error:
>
> openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -no_ssl3 -no_ssl2 -connect www.spellanywhere.co.uk:443
> CONNECTED(00000003)
> 139735616550552:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:s23_clnt.c:735:
>
> Is this some sort of SSL handshake fallback error? Is there anything we can do in terms of configuration? Are we barking up the wrong tree?
>
> All input/questions welcome.
>
> Thanks
>
> Chris
>
>
> ---
> Chris Puttick
> CEO & Chief Asst to the duck
> TwoTen
> http://twoten.is
> Making the Internet better. For kids.
> +44 7908 997 146
> @putt1ck
> Two Ten Web Limited, Regd Company no. 7774762 Regd office Unit 6, Southill, Cornbury Park, Charlbury, Oxfordshire OX7 3EW United Kingdom
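The diagnosis in the reply above is that the failing ClientHello carries no server_name (SNI) extension. The following script is an added example, not part of this thread and not Squid or OpenSSL project code: it has OpenSSL (via Python's ssl module) write a ClientHello into an in-memory BIO, once with a server hostname and once without, and parses the record to report whether an SNI extension is present. No network connection is made; the host name www.spellanywhere.co.uk is only used as the SNI value, and the function names are this example's own. The same parser can be pointed at a ClientHello captured from a proxy to confirm which of the two cases it is sending.

```python
import ssl
import struct


def capture_client_hello(server_hostname):
    """Drive the client side of a TLS handshake against in-memory BIOs
    (no network) and return the raw ClientHello record OpenSSL emits.
    server_hostname=None mimics a client that never sets SNI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_hostname is None:
        # Python refuses a hostname-less handshake while check_hostname is on;
        # no server reply is ever read here, so certificate checks are moot.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is written; OpenSSL now waits for the ServerHello
    return outgoing.read()


def extract_sni(client_hello):
    """Parse a TLS ClientHello record; return the SNI host name or None."""
    if len(client_hello) < 5 or client_hello[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", client_hello[3:5])[0]
    hs = client_hello[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                             # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                              # cipher_suites
    comp_len = body[pos]
    pos += 1 + comp_len                            # compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0:                          # 0 = server_name (RFC 6066)
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            if name_type == 0:                     # host_name entry
                return name.decode("ascii")
            q += 3 + name_len
    return None


def sni_report(server_hostname):
    """Convenience wrapper: SNI value OpenSSL would put on the wire."""
    return extract_sni(capture_client_hello(server_hostname))


if __name__ == "__main__":
    for host in ("www.spellanywhere.co.uk", None):
        print("server_hostname=%r -> SNI on the wire: %r" % (host, sni_report(host)))
```

The None case corresponds to the plain `openssl s_client -connect host:443` runs in the thread, and the named case to adding `-servername`; a server that insists on SNI sees the first ClientHello as one it cannot route and answers with an alert instead of a ServerHello, which is what the SSL23_GET_SERVER_HELLO errors report.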