Henrik,

I used the options=NO_SSLv2 tag and I can still access the website with
SSLv2. I tested this with openssl and a firefox browser with TLS1 and SSLv3
disabled and I get connected every time. If I use the version=3 tag, I get
the error below multiple times in the squid terminal window and my browser
tells me that my access to the webpage has been interrupted. I am not sure
how to fix this issue and allow just SSLv3.

clientNegotiateSSL: Error negotiating SSL connection on FD 22: error 1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1)

Any help is appreciated.

Thanks,
Jack Siergiej


Henrik Nordström <henrik@xxxxxxxxxxxxxxxxxxx>
01/16/2008 08:34 AM

To: JSiergiej@xxxxxxxxxxxxxxxx, Squid Users <squid-users@xxxxxxxxxxxxxxx>
cc:
Subject: Re: Bug: version= & option= tag failure

On Wed 2008-01-16 at 07:06 -0500, JSiergiej@xxxxxxxxxxxxxxxx wrote:
> I posted this to the users group and they said to file a bug with you.
> Please review and let me know if you have any ideas. I tried the
> version=3 as well as the option=NO_SSLv2,NO_SSLv3 tags at the end of the
> https_port line. When I use the option= tag, I get a fatal error and I
> have to remove it. When I use the version= tag, I can't view the https
> page because it says the connection was interrupted and I get the
> following in the squid terminal window after attempting to view the https
> page:

The options flag is spelled options= with an s.

I don't think you want to disable SSLv3 as well, so just use options=NO_SSLv2

> clientNegotiateSSL: Error negotiating SSL connection on FD 22: error
> 1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1)
> clientNegotiateSSL: Error negotiating SSL connection on FD 22:
> error:1408F10B: SSL routines: SSL3_Get_Record: wrong version number (1/-1

Most likely the client is sending an SSLv2 hello message, not SSLv3/TLS.
All known browsers do this unless manually configured otherwise. This is
in order to keep compatibility with SSLv2 servers, then upgrading the
connection to SSLv3/TLS after the initial handshake if the server
indicates it supports upgrading.

So you should use the options=NO_SSLv2 flag. The version= flag is only
for very controlled environments where you have control over the
clients.

In this mode both SSLv2, 3 & TLS hello messages are accepted, but if an
SSLv2 hello message is used the connection must be upgraded to SSLv3/TLS
before the request is accepted.

If version=X is used then only that exact version of SSL/TLS is
understood, and the hello message sent by the client must be of the
correct version.

Regards
Henrik
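Added example, not part of the thread and not Squid or OpenSSL code: a small Python model of the two hello formats Henrik is contrasting. It builds an SSLv2-compatible CLIENT-HELLO (2-byte header with the high bit set, a "highest version offered" field that a browser fills with 3.0 or 3.1 so the server can upgrade) and an SSLv3/TLS ClientHello (0x16 handshake record), classifies incoming bytes, and then applies a simplified version of the two https_port policies as described above: `options=NO_SSLv2` (any hello format accepted, but an SSLv2-format hello must upgrade to 3.0 or later) versus `version=3` (only an SSLv3-format hello at exactly 3.0). The function names, the sample cipher values and the `server_accepts` policy model are my own assumptions; an SSLv2-format hello arriving at a version-only server is the case where the page shows `wrong version number` / `length mismatch` errors.

```python
"""Model of SSLv2-compatible vs SSLv3/TLS ClientHello handling (constructed example)."""
import struct

# Constructed sample cipher values. 0x000a is 3DES-EDE-CBC-SHA in SSLv3/TLS; the SSLv2
# 3-byte form of a v3 suite is 0x00 followed by the 2-byte id. 0x010080 is an SSLv2-only
# cipher (RC4-128-MD5).
V3_SUITES = (0x000A, 0x0035)
V2_SPECS = (b"\x00\x00\x0a", b"\x01\x00\x80")

SSLV3 = (3, 0)
TLS10 = (3, 1)
SSLV2 = (0, 2)   # wire value 0x0002 written by a pure SSLv2 client


def build_v2_compat_hello(version=SSLV3, cipher_specs=V2_SPECS, challenge=b"\x11" * 16):
    """SSLv2-style CLIENT-HELLO (RFC 2246 appendix E layout). `version` is the highest
    protocol the client offers; a browser in compatibility mode puts 3.0 or 3.1 here."""
    specs = b"".join(cipher_specs)
    body = (b"\x01" + bytes(version)                       # msg type CLIENT-HELLO, version
            + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)                            # no session id
    # 2-byte record header: high bit set, 15-bit length, no padding byte
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_v3_hello(version=SSLV3, suites=V3_SUITES, client_random=b"\x22" * 32):
    """SSLv3/TLS ClientHello inside a Handshake record (content type 0x16)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (bytes(version) + client_random + b"\x00"      # empty session id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00")                                 # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def classify_hello(data):
    """('sslv2-compat', offered_version) | ('sslv3/tls', record_version, client_version)
    | ('unknown', None). Versions are (major, minor) tuples."""
    if len(data) >= 5 and data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        if data[2] != 0x01 or length + 2 > len(data):
            return ("unknown", None)
        return ("sslv2-compat", (data[3], data[4]))
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        return ("sslv3/tls", (data[1], data[2]), (data[9], data[10]))
    return ("unknown", None)


def server_accepts(data, options=frozenset(), version=None):
    """Simplified model (assumption, not Squid's code) of the two https_port knobs.
    options: set of flags such as {'NO_SSLv2'}; version: exact protocol tuple, e.g. SSLV3
    for squid's version=3, or None for the multi-version mode. Returns (accepted, reason)."""
    kind = classify_hello(data)
    if kind[0] == "unknown":
        return (False, "not a recognised hello")

    if version is not None:
        # version=X: only that protocol is understood and the hello must be in its format.
        if kind[0] == "sslv2-compat":
            return (False, "SSLv2-format hello, server only understands SSLv3/TLS records")
        _, record_version, client_version = kind
        if record_version != version or client_version != version:
            return (False, "hello is %d.%d, server only speaks %d.%d"
                    % (client_version + version))
        return (True, "exact version match")

    # options= mode: any hello format accepted; an SSLv2 hello must upgrade to 3.0+.
    if kind[0] == "sslv2-compat":
        offered = kind[1]
        if offered >= SSLV3:
            return (True, "SSLv2-format hello upgraded to %d.%d" % offered)
        if "NO_SSLv2" in options:
            return (False, "pure SSLv2 client and NO_SSLv2 is set")
        return (True, "plain SSLv2 accepted")
    _, _, client_version = kind
    if "NO_SSLv3" in options and client_version == SSLV3:
        return (False, "SSLv3 disabled by NO_SSLv3")
    return (True, "SSLv3/TLS hello accepted")


if __name__ == "__main__":
    for label, hello in (("browser default (v2-compat, offers 3.0)", build_v2_compat_hello()),
                         ("pure SSLv2", build_v2_compat_hello(version=SSLV2)),
                         ("SSLv3 record", build_v3_hello()),
                         ("TLS1.0 record", build_v3_hello(version=TLS10))):
        print(label, "| options=NO_SSLv2:", server_accepts(hello, options={"NO_SSLv2"}),
              "| version=3:", server_accepts(hello, version=SSLV3))
```

Running the block prints, for each constructed hello, what the two policies do with it: the browser-style SSLv2-format hello passes under options=NO_SSLv2 (it upgrades to 3.0) but is refused under version=3, which is the behaviour the thread reports.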