On Fri, 2008-01-25 at 10:21 -0500, JSiergiej@xxxxxxxxxxxxxxxx wrote:

> However, I don't believe this should be how Squid should be handling this
> issue. If users have both Use SSLv2 and Use SSLv3 checked in IE then
> SSLv3 should be used and let the user in, ignoring the Use SSLv2 option.
> The way this is working now, no one will be able to view the https page
> unless everyone who browses to the site goes and unchecks the Use SSLv2
> option, which will be unacceptable for the client because business will be
> impacted.

If you have both versions enabled in the browser then the browser begins
by using SSLv2, and then only after a successful SSLv2 handshake requests
an SSL upgrade to SSL version 3 or TLS.

And if you then configure Squid to listen with version=3 to support ONLY
SSLv3 then it won't recognise the SSLv2 handshake at all and aborts the
connection as malformed.

As I said previously the version=X option should only be used in very
controlled environments. In all other cases use options=NO_SSLv2

> I used the options=NO_SSLv2 tag and I can still access the website with
> SSLv2. I tested this with openssl and a firefox browser with tls1 and
> sslv3 disabled and I get connected every time.

Works for me.

  https_port 1443 cert=/home/henrik/squid/etc/test.pem options=NO_SSLv2

  openssl s_client -no_ssl3 -no_tls1 -connect localhost:1443

or

  openssl s_client -ssl2 -connect localhost:1443

both result in

  CONNECTED(00000003)
  write:errno=104

  2008/01/25 18:38:21| clientNegotiateSSL: Error negotiating SSL connection on FD 27: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (1/-1)

and leaving either SSLv3 or TLSv1 enabled in openssl makes a successful
connection. And so does telling openssl to use SSLv3 or TLSv1 directly
from the start.

  openssl s_client -no_ssl3 -connect localhost:1443
  openssl s_client -no_tls1 -connect localhost:1443
  openssl s_client -ssl3 -connect localhost:1443
  openssl s_client -tls1 -connect localhost:1443

I can't test with Firefox as the version of Firefox I have doesn't even
support SSLv2, only SSLv3 and TLSv1..

Regards
Henrik
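The distinction Henrik draws (the SSLv2-format ClientHello that an SSL2-compatible client sends first, versus the SSLv3/TLS record-format ClientHello, and how a version=3 listener and an options=NO_SSLv2 listener each react) can be made concrete with a small parser. The following is an added example, not code from this thread, from Squid or from OpenSSL: the function names classify_client_hello and listener_decision are made up for illustration, the policy model is a deliberate simplification of OpenSSL's SSL23_GET_CLIENT_HELLO logic as described in the mail, and every sample message is constructed by hand rather than captured from the wire.

```python
"""Classify the first bytes a TLS listener receives as an SSLv2-format
ClientHello, an SSLv3/TLS record-layer ClientHello, or something else, then
apply a simplified model of the two Squid https_port policies discussed in
the thread (version=3 versus options=NO_SSLv2).  Example code only; the
sample messages below are constructed, not captured traffic."""

VERSION_NAMES = {
    (0, 2): "SSLv2",
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def classify_client_hello(data: bytes) -> dict:
    """Return the hello format and the highest version the client advertises."""
    if len(data) < 5:
        return {"format": "unknown", "reason": "too short"}
    b0 = data[0]
    # SSLv2 record header: 2 bytes, high bit set, 15-bit body length.
    # The body starts with msg_type 0x01 (CLIENT-HELLO) and a 2-byte version.
    if b0 & 0x80 and data[2] == 0x01:
        body_len = ((b0 & 0x7F) << 8) | data[1]
        if len(data) < 2 + body_len:
            return {"format": "unknown", "reason": "truncated SSLv2 record"}
        version = (data[3], data[4])
        n_ciphers = int.from_bytes(data[5:7], "big") // 3  # 3 bytes per spec
        return {"format": "sslv2_hello", "version": version,
                "version_name": VERSION_NAMES.get(version, "unknown"),
                "cipher_count": n_ciphers}
    # SSLv3/TLS record header: content type 0x16 (handshake), version 3.x,
    # 2-byte length; the handshake header then starts with type 0x01.
    if b0 == 0x16 and data[1] == 0x03 and len(data) >= 11 and data[5] == 0x01:
        record_len = int.from_bytes(data[3:5], "big")
        if len(data) < 5 + record_len:
            return {"format": "unknown", "reason": "truncated TLS record"}
        version = (data[9], data[10])  # client_version inside the ClientHello
        return {"format": "tls_record_hello", "version": version,
                "version_name": VERSION_NAMES.get(version, "unknown")}
    return {"format": "unknown", "reason": "not a recognised ClientHello"}


def listener_decision(hello: dict, policy: str) -> str:
    """Simplified (hypothetical) model of the listener policies in the thread.

    "version=3"        -> only SSLv3 record-format hellos are understood.
    "options=NO_SSLv2" -> the SSLv2 protocol is disabled, but an SSLv2-format
                          hello is still parsed and upgraded when the client
                          advertises version 3.0 or higher.
    """
    fmt, ver = hello["format"], hello.get("version")
    if fmt == "unknown":
        return "abort: " + hello["reason"]
    if policy == "version=3":
        if fmt == "tls_record_hello" and ver == (3, 0):
            return "negotiate SSLv3"
        return "abort: malformed (hello is not an SSLv3 record)"
    if policy == "options=NO_SSLv2":
        if ver < (3, 0):
            return "abort: unknown protocol (client offers SSLv2 only)"
        name = VERSION_NAMES.get(ver, "unknown")
        if fmt == "sslv2_hello":
            return f"upgrade from SSLv2-format hello to {name}"
        return f"negotiate {name}"
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample: SSLv2-format hello advertising TLS 1.0 (what an
# SSL2-compatible client sends first), two cipher specs, 16-byte challenge.
V2_COMPAT_HELLO = bytes([0x80, 0x1F,        # header: body length 31
                         0x01,              # CLIENT-HELLO
                         0x03, 0x01,        # max version: TLS 1.0
                         0x00, 0x06,        # cipher spec length
                         0x00, 0x00,        # session id length
                         0x00, 0x10,        # challenge length
                         0x00, 0x00, 0x2F,  # TLS_RSA_WITH_AES_128_CBC_SHA
                         0x01, 0x00, 0x80]  # SSL2_RC4_128_WITH_MD5
                        ) + bytes(16)      # challenge (zeros for the sample)

# Constructed sample: the same hello from a client that only speaks SSLv2
# (the "openssl s_client -ssl2" case in the mail).
V2_ONLY_HELLO = V2_COMPAT_HELLO[:3] + bytes([0x00, 0x02]) + V2_COMPAT_HELLO[5:]

# Constructed sample: TLS 1.0 record-format ClientHello, one cipher suite.
TLS10_HELLO = (bytes([0x16, 0x03, 0x01, 0x00, 0x2D,   # record: handshake, 45 bytes
                      0x01, 0x00, 0x00, 0x29,         # ClientHello, 41 bytes
                      0x03, 0x01])                    # client_version TLS 1.0
               + bytes(32)                            # random
               + bytes([0x00, 0x00, 0x02, 0x00, 0x2F, 0x01, 0x00]))

# Constructed sample: same as above but SSLv3 in both record and hello.
SSL3_HELLO = (bytes([0x16, 0x03, 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x29,
                     0x03, 0x00]) + bytes(32)
              + bytes([0x00, 0x00, 0x02, 0x00, 0x2F, 0x01, 0x00]))

if __name__ == "__main__":
    for label, msg in [("v2-compat", V2_COMPAT_HELLO), ("v2-only", V2_ONLY_HELLO),
                       ("tls1.0", TLS10_HELLO), ("ssl3", SSL3_HELLO)]:
        hello = classify_client_hello(msg)
        for policy in ("version=3", "options=NO_SSLv2"):
            print(f"{label:10} {policy:18} -> {listener_decision(hello, policy)}")
```

Running the block prints one line per (sample, policy) pair: with version=3 only the SSLv3 record hello survives, so the SSL2-compatible browser hello is dropped even though that browser could have spoken SSLv3; with options=NO_SSLv2 the same hello is upgraded to TLSv1.0 and only the SSLv2-only client is refused, which is the "unknown protocol" case in the log line above.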