that's a broken server the initial client hello handshake to be SSL2
compatible, but then requires immediate protocol upgrade to SSL3 or
TLSv1, but fails if the initial handshake is SSL3 or TLSv1. OpenSSL in
somewhat current versions by default disable all use pf SSLv2 due to
numerous weaknesses in the SSLv2 protocol and is as result normally
sending an SSL3 client hello handshake.
It's likely to hit problems some newer browsers as well, as SSL/TLS
security is being tightened up.
A workaround is to set ciphers to 'ALL:!COMPLEMENTOFDEFAULT' which
somehow magically enables SSLv2 again. But it's not a very good idea as
it may also enable some SSLv2 related attacks.
Regards
Henrik
Henrik,
I now have this http_port line in place.
http_port 3128 sslBump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB
cert=/etc/squid3/ssl_cert/www.sample.com.pem cipher=ALL:!COMPLEMENTOFDEFAULT
However it has made no difference to this site or the others. I even
wiped my generated certs before restarting squid.
Any more ideas?
Cheers
Alex
