Search squid archive

Re: Re: Bug: version= & option= tag failure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Henrik,

I used the options=NO_SSLv2 tag and I can still access the website with 
SSLv2.   I tested this with openssl and a firefox browser with tsl1 and 
sslv3 disabled and I get connected everytime.

If I use the version=3 tag, I get the error below multiple times in the 
squid terminal window and my browser tells me that my access to the 
webpage has been interrupted.  I am not sure how to fix this issue and 
allow just SSLv3.

clientNegotiateSSL: Error negotiating SSL connection on FD 22: error 
1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1) 

Any help is appreciated.  Thanks,

Jack Siergiej




Henrik Nordström <henrik@xxxxxxxxxxxxxxxxxxx> 
01/16/2008 08:34 AM

To
JSiergiej@xxxxxxxxxxxxxxxx, Squid Users <squid-users@xxxxxxxxxxxxxxx>
cc

Subject
 Re: Bug: version= & option= tag failure






ons 2008-01-16 klockan 07:06 -0500 skrev JSiergiej@xxxxxxxxxxxxxxxx:

> I posted this to the users group and they said to file a bug with you. 
> Please review and let me know if you have any ideas.  I tried the 
> version=3 as well as the option=NO_SSLv2,NO_SSLv3 tags at the end of the 

> https_port line.  When I use the option= tag, I get a fatal error and I 
> have to remove it.  When I use the version= tag, I can't view the https 
> page because it says the connection was interrupted and I get the 
> following in the squid terminal window after attempting to view the 
https 
> page:

The options flag is spelled options= with an s

I don't think you want to disable SSLv3 as well, so just use
options=NO_SSLv2


> clientNegotiateSSL: Error negotiating SSL connection on FD 22: error 
> 1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1)
> clientNegotiateSSL: Error negotiating SSL connection on FD 22: 
> error:1408F10B: SSL routines: SSL3_Get_Record: wrong version number 
(1/-1

Most likely the client is senting a SSLv2 hello message, not SSLv3/TLS.
All known browsers do this unless manually configured otherwise. This in
order to keep compatibility with SSLv2 servers, then upgrading the
connection to SSLv3/TLS after the initial handshake if the server
indicates it supports upgrading..

So you should use the options=NO_SSLv2 flag. The version= flag is only
for very controlled environments where you have control over the
clients. In this mode both SSLv2,3 & TLS hello messages is accepted, but
if a SSLv2 hello message is used the connection must be upgraded to
SSLv3/TLS before the request is accepted.

If version=X is used then only that exact version of SSL/TLS is
understood, and the hello message sent by the client must be of the
correct version.

Regards
Henrik



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux