
Re: SSLBump SSL error

That's a broken server: it requires the initial client hello handshake to be SSL2
compatible, but then requires an immediate protocol upgrade to SSL3 or
TLSv1, and fails if the initial handshake is SSL3 or TLSv1. OpenSSL in
somewhat current versions by default disables all use of SSLv2 due to
numerous weaknesses in the SSLv2 protocol, and as a result normally
sends an SSL3 client hello handshake.

It's likely to hit problems with some newer browsers as well, as SSL/TLS
security is being tightened up.

A workaround is to set ciphers to 'ALL:!COMPLEMENTOFDEFAULT', which
somehow magically enables SSLv2 again. But it's not a very good idea, as
it may also enable some SSLv2-related attacks.

Regards
Henrik

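The two client hello framings Henrik is contrasting look quite different on the wire, which is why a server can accept one and reject the other before any cipher negotiation happens. The following Python is an added illustration written for this archive page, not code from either poster or from Squid or OpenSSL: it builds both an SSLv2-compatible CLIENT-HELLO (2-byte record header with the high bit set, 3-byte cipher specs, 16-byte challenge) and a native SSL3/TLS ClientHello (content type 0x16 handshake record), parses whichever it is handed, and models the server behaviour described above. The `broken_server_accepts` function is an assumption about that server's logic (SSLv2 framing required, but the advertised version must be SSL3 or newer), used here only to show why an OpenSSL client that sends an SSL3-framed hello is refused; the cipher suite numbers and versions are constructed sample input.

```python
"""Build and parse SSLv2-compatible vs. native SSL3/TLS ClientHello messages,
then model the server behaviour described in the thread (assumption)."""
import os
import struct

SSLV2_CLIENT_HELLO = 0x01   # SSLv2 message type CLIENT-HELLO
TLS_HANDSHAKE = 0x16        # SSL3/TLS record content type "handshake"


def build_v2_compat_hello(version, cipher_specs):
    """SSLv2-style CLIENT-HELLO advertising `version` (e.g. (3, 1) = TLS1.0).
    Cipher specs are 3-byte codes; a TLS suite is carried as 0x00 + suite id."""
    specs = b"".join(s.to_bytes(3, "big") for s in cipher_specs)
    challenge = os.urandom(16)          # constructed sample challenge
    body = (struct.pack(">BBBHHH", SSLV2_CLIENT_HELLO, version[0], version[1],
                        len(specs), 0, len(challenge)) + specs + challenge)
    # 2-byte header: high bit set = no padding byte, low 15 bits = body length
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_hello(version, cipher_suites):
    """Native SSL3/TLS ClientHello wrapped in a handshake record (no extensions)."""
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    hello = (bytes(version) + os.urandom(32) + b"\x00"       # version, random, empty session id
             + struct.pack(">H", len(suites)) + suites
             + b"\x01\x00")                                   # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack(">BBBH", TLS_HANDSHAKE, version[0], version[1], len(handshake)) + handshake


def parse_client_hello(data):
    """Return framing ('sslv2' or 'tls'), advertised version and cipher list."""
    if data[0] & 0x80:                                        # SSLv2 record header
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        body = data[2:2 + length]
        if body[0] != SSLV2_CLIENT_HELLO:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        major, minor, spec_len, _sid_len, _chal_len = struct.unpack(">BBHHH", body[1:9])
        specs = body[9:9 + spec_len]
        suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, spec_len, 3)]
        return {"framing": "sslv2", "version": (major, minor), "suites": suites}
    if data[0] == TLS_HANDSHAKE:                              # SSL3/TLS record header
        _, _rmaj, _rmin, rlen = struct.unpack(">BBBH", data[:5])
        hs = data[5:5 + rlen]
        if hs[0] != 0x01:
            raise ValueError("handshake message is not a ClientHello")
        major, minor = hs[4], hs[5]
        pos = 6 + 32                                          # skip client_version and random
        sid_len = hs[pos]
        pos += 1 + sid_len
        suite_len = struct.unpack(">H", hs[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack(">H", hs[pos + i:pos + i + 2])[0] for i in range(0, suite_len, 2)]
        return {"framing": "tls", "version": (major, minor), "suites": suites}
    raise ValueError("not a ClientHello in either framing")


def broken_server_accepts(data):
    """ASSUMED model of the server in the thread: the hello must use SSLv2 framing,
    yet must advertise SSL3 or newer so the connection can upgrade immediately.
    A native SSL3/TLS ClientHello (what current OpenSSL sends) is refused."""
    hello = parse_client_hello(data)
    return hello["framing"] == "sslv2" and hello["version"] >= (3, 0)


if __name__ == "__main__":
    suites = [0x002F, 0x000A]                                 # constructed sample suites
    for label, hello in (("SSLv2-compatible hello", build_v2_compat_hello((3, 1), suites)),
                         ("native TLS1.0 hello", build_tls_hello((3, 1), suites))):
        info = parse_client_hello(hello)
        print(f"{label}: framing={info['framing']} version={info['version']} "
              f"accepted={broken_server_accepts(hello)}")
```

Run it and the SSLv2-compatible hello is accepted while the native TLS hello is not, which is the failure Henrik describes; it also shows why `cipher=ALL:!COMPLEMENTOFDEFAULT` is not a cipher fix at all but a way of coaxing OpenSSL back into SSLv2-compatible framing, with the SSLv2 exposure that implies.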

Henrik,

I now have this http_port line in place.

http_port 3128 sslBump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/www.sample.com.pem cipher=ALL:!COMPLEMENTOFDEFAULT

However it has made no difference to this site or the others. I even wiped my generated certs before restarting squid.

Any more ideas?

Cheers

Alex

