Henrik,

So I figured out that the SSL errors I was getting were because I still had Use SSL2 checked in the security settings of Internet Explorer. Once I unchecked this, leaving only Use SSLv3 checked, I no longer received the errors and was able to access the page.

However, I don't believe this is how Squid should be handling this issue. If users have both Use SSLv2 and Use SSLv3 checked in IE, then SSLv3 should be used and let the user in, ignoring the Use SSLv2 option. The way this is working now, no one will be able to view the https page unless everyone who browses to the site goes and unchecks the Use SSLv2 option, which will be unacceptable for the client because business will be impacted. Am I missing something here in my configuration that we need to actually uncheck the Use SSLv2 option for this to work? You'd think it would just fail over to Use SSLv3 if v2 didn't work.

Thanks,
Jack

Jack Siergiej/PSTS/PMIC/US
01/25/2008 09:00 AM
To: Henrik Nordström <henrik@xxxxxxxxxxxxxxxxxxx>
cc: Squid Users <squid-users@xxxxxxxxxxxxxxx>
Subject: Re: Re: Bug: version= & option= tag failure

Henrik,

I used the options=NO_SSLv2 tag and I can still access the website with SSLv2. I tested this with openssl and a Firefox browser with TLS1 and SSLv3 disabled and I get connected every time. If I use the version=3 tag, I get the error below multiple times in the squid terminal window and my browser tells me that my access to the webpage has been interrupted. I am not sure how to fix this issue and allow just SSLv3.

clientNegotiateSSL: Error negotiating SSL connection on FD 22: error 1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1)

Any help is appreciated.
Thanks,
Jack Siergiej

Henrik Nordström <henrik@xxxxxxxxxxxxxxxxxxx>
01/16/2008 08:34 AM
To: JSiergiej@xxxxxxxxxxxxxxxx, Squid Users <squid-users@xxxxxxxxxxxxxxx>
cc:
Subject: Re: Bug: version= & option= tag failure

On Wed 2008-01-16 at 07:06 -0500, JSiergiej@xxxxxxxxxxxxxxxx wrote:
> I posted this to the users group and they said to file a bug with you.
> Please review and let me know if you have any ideas. I tried the
> version=3 as well as the option=NO_SSLv2,NO_SSLv3 tags at the end of the
> https_port line. When I use the option= tag, I get a fatal error and I
> have to remove it. When I use the version= tag, I can't view the https
> page because it says the connection was interrupted and I get the
> following in the squid terminal window after attempting to view the https
> page:

The options flag is spelled options= with an s.

I don't think you want to disable SSLv3 as well, so just use options=NO_SSLv2

> clientNegotiateSSL: Error negotiating SSL connection on FD 22: error
> 1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1)
> clientNegotiateSSL: Error negotiating SSL connection on FD 22:
> error:1408F10B: SSL routines: SSL3_Get_Record: wrong version number (1/-1

Most likely the client is sending an SSLv2 hello message, not SSLv3/TLS. All known browsers do this unless manually configured otherwise. This is in order to keep compatibility with SSLv2 servers, then upgrading the connection to SSLv3/TLS after the initial handshake if the server indicates it supports upgrading.

So you should use the options=NO_SSLv2 flag. The version= flag is only for very controlled environments where you have control over the clients.

In this mode both SSLv2, 3 & TLS hello messages are accepted, but if an SSLv2 hello message is used the connection must be upgraded to SSLv3/TLS before the request is accepted. If version=X is used then only that exact version of SSL/TLS is understood, and the hello message sent by the client must be of the correct version.

Regards
Henrik
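An added example, not from this thread or from Squid's code, that shows why the two settings behave differently: it classifies the first bytes of a client hello the way the listener sees them (SSLv2-compatible header versus native SSLv3/TLS record) and models the acceptance rules Henrik describes. The hello builders, the `listener_accepts` model and its mode strings are constructed assumptions for illustration.

```python
"""Classify the first bytes of a client hello as a TLS listener sees them,
and model the acceptance rules for options=NO_SSLv2 versus version=3."""
import struct

SSLV2_CLIENT_HELLO = 0x01   # SSLv2 CLIENT-HELLO message type
TLS_HANDSHAKE = 0x16        # SSLv3/TLS record content type "handshake"

def parse_client_hello(data: bytes) -> dict:
    """Return the hello format and the highest protocol version the client offers."""
    if len(data) >= 11 and data[0] == TLS_HANDSHAKE and data[5] == 0x01:
        # Native record: type(1) version(2) length(2) | hs type(1) hs length(3) client_version(2)
        return {"format": "sslv3/tls", "version": struct.unpack("!H", data[9:11])[0]}
    if len(data) >= 5 and data[0] & 0x80 and data[2] == SSLV2_CLIENT_HELLO:
        # SSLv2-compatible hello: 2-byte length with high bit set, then CLIENT-HELLO(1), version(2).
        # The version field is the highest version the client will accept (0x0300 = SSLv3,
        # 0x0301 = TLS 1.0); that is what allows the upgrade to SSLv3/TLS described above.
        return {"format": "sslv2-compatible", "version": struct.unpack("!H", data[3:5])[0]}
    return {"format": "unknown", "version": None}

def listener_accepts(data: bytes, mode: str) -> bool:
    """Model (an assumption, not Squid's code) of the rules described in the thread:
    options=NO_SSLv2 takes either hello format provided the client offers SSLv3 or newer;
    version=3 takes only a native SSLv3 record whose client_version is exactly 3.0."""
    hello = parse_client_hello(data)
    if mode == "options=NO_SSLv2":
        return hello["version"] is not None and hello["version"] >= 0x0300
    if mode == "version=3":
        return hello["format"] == "sslv3/tls" and hello["version"] == 0x0300
    raise ValueError(f"unknown mode {mode!r}")

def build_sslv2_compatible_hello(version: int = 0x0301) -> bytes:
    """Constructed sample: the SSLv2-format hello browsers of that era sent, offering `version`."""
    cipher_specs = b"\x00\x00\x35\x00\x00\x2f"   # two SSLv3 suites in 3-byte SSLv2 form
    challenge = bytes(range(16))
    body = (bytes([SSLV2_CLIENT_HELLO]) + struct.pack("!H", version)
            + struct.pack("!HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body

def build_sslv3_hello(version: int = 0x0300) -> bytes:
    """Constructed sample: a native SSLv3/TLS record carrying a ClientHello."""
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"            # version, random, no session id
            + struct.pack("!H", 4) + b"\x00\x35\x00\x2f" + b"\x01\x00")  # suites, null compression
    handshake = bytes([0x01]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", version, len(handshake)) + handshake
```

Feeding both constructed hellos through `listener_accepts` reproduces the thread: the browser-style SSLv2-compatible hello passes under options=NO_SSLv2 but is rejected under version=3, which is the "length mismatch" situation Jack saw.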