ons 2008-01-16 klockan 07:06 -0500 skrev JSiergiej@xxxxxxxxxxxxxxxx: > I posted this to the users group and they said to file a bug with you. > Please review and let me know if you have any ideas. I tried the > version=3 as well as the option=NO_SSLv2,NO_SSLv3 tags at the end of the > https_port line. When I use the option= tag, I get a fatal error and I > have to remove it. When I use the version= tag, I can't view the https > page because it says the connection was interrupted and I get the > following in the squid terminal window after attempting to view the https > page: The options flag is spelled options= with an s I don't think you want to disable SSLv3 as well, so just use options=NO_SSLv2 > clientNegotiateSSL: Error negotiating SSL connection on FD 22: error > 1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1) > clientNegotiateSSL: Error negotiating SSL connection on FD 22: > error:1408F10B: SSL routines: SSL3_Get_Record: wrong version number (1/-1 Most likely the client is senting a SSLv2 hello message, not SSLv3/TLS. All known browsers do this unless manually configured otherwise. This in order to keep compatibility with SSLv2 servers, then upgrading the connection to SSLv3/TLS after the initial handshake if the server indicates it supports upgrading.. So you should use the options=NO_SSLv2 flag. The version= flag is only for very controlled environments where you have control over the clients. In this mode both SSLv2,3 & TLS hello messages is accepted, but if a SSLv2 hello message is used the connection must be upgraded to SSLv3/TLS before the request is accepted. If version=X is used then only that exact version of SSL/TLS is understood, and the hello message sent by the client must be of the correct version. Regards Henrik
Attachment:
signature.asc
Description: Detta =?ISO-8859-1?Q?=E4r?= en digitalt signerad meddelandedel
