Hello,
I recently upgraded OpenSSL from 1.0.0 to 1.0.1 (which supports TLS1.2)
I also recompiled squid against the new OpenSSL.
Now there is this (BROKEN) bank site:
https://www.mahaconnect.in
This site closes the connection if you try TLS1.2 or TLS1.1.
When squid tries to connect, it says:
Failed to establish a secure connection to 125.16.24.200
The system returned: (71) Protocol error (TLS code:
SQUID_ERR_SSL_HANDSHAKE) Handshake with SSL server failed:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure
The site works, if I specify:
sslproxy_options NO_TLSv1_1
But then it stops using TLS1.2 for sites supporting it.
When I try in Chrome or Firefox without proxy settings, they auto-detect
this and fall back to TLS1.0/SSLv3.
So my question is: shouldn't squid fall back to TLS1.0 when TLS1.2/1.1
fails, just like Chrome/Firefox do?
(PS: I cannot tell the bank to upgrade.)
Amm.
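The failure described in this post is classic TLS version intolerance: the server answers a ClientHello that offers TLS 1.1 or 1.2 with a fatal handshake_failure alert (alert 40, which is what OpenSSL reports as "sslv3 alert handshake failure") or simply drops the connection, and only a ClientHello capped at TLS 1.0 gets a ServerHello. Browsers work around this by retrying with a lower version. The following is an added diagnostic example, not code from this thread or from Squid or OpenSSL; it sends one raw ClientHello per protocol version, classifies the first record that comes back, and reports the highest version the server actually accepts, so an operator can confirm a version-intolerant server before deciding whether a per-site `sslproxy_options` exception is warranted. The cipher-suite list, the hostname used in the usage line and the sample records are constructed for illustration.

```python
import os
import socket
import struct

# Alert codes from RFC 5246 section 7.2. 40 (handshake_failure) is the
# alert behind OpenSSL's "sslv3 alert handshake failure" (error 14077410).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      70: "protocol_version", 80: "internal_error"}

# Protocol versions as they appear on the wire (major.minor).
TLS_VERSIONS = {"TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}

# A small, constructed list of widely supported RSA/ECDHE cipher suites:
# AES128-SHA, AES256-SHA, DES-CBC3-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0xC013, 0xC014]


def build_client_hello(version: int, server_name: str) -> bytes:
    """Build one TLS record carrying a ClientHello that offers `version`."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    # Server Name Indication extension (type 0) with a single host_name entry;
    # many virtual-hosted servers reject a ClientHello without it.
    host = server_name.encode("idna")
    sni_entry = struct.pack("!BH", 0, len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (struct.pack("!H", version) + os.urandom(32)   # client_version, random
            + b"\x00"                                     # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                 # compression: null only
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    # The record-layer version stays at TLS 1.0 (0x0301) in the ClientHello,
    # as browsers do, so old servers do not reject the record itself.
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_server_response(data: bytes):
    """Classify the first TLS record a server sends back to a ClientHello."""
    if len(data) < 5:
        return ("closed", None)        # server hung up without sending a record
    content_type, _record_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:     # alert record
        level, desc = payload[0], payload[1]
        return ("alert", f"{ALERT_LEVELS.get(level, level)} "
                         f"{ALERT_DESCRIPTIONS.get(desc, desc)}")
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # ServerHello
        (server_version,) = struct.unpack("!H", payload[4:6])
        name = next((n for n, v in TLS_VERSIONS.items() if v == server_version),
                    hex(server_version))
        return ("server_hello", name)
    return ("unexpected", hex(content_type))


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Try each TLS version on its own connection, newest first, like a browser's fallback."""
    results = {}
    for name, version in sorted(TLS_VERSIONS.items(), key=lambda kv: -kv[1]):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version, host))
                results[name] = parse_server_response(sock.recv(4096))
        except OSError as exc:          # reset, refused, timeout: treat as a failed attempt
            results[name] = ("error", str(exc))
    return results


def highest_working_version(results: dict):
    """The version a fallback-capable client would settle on: the newest one that got a ServerHello."""
    for name in sorted(results, key=lambda n: -TLS_VERSIONS[n]):
        if results[name][0] == "server_hello":
            return name
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.test"   # placeholder host
    found = probe(target)
    for name, outcome in found.items():
        print(f"{name}: {outcome}")
    print("highest accepted version:", highest_working_version(found))
```

A server that returns a ServerHello only for TLSv1.0 and an alert or a closed socket for TLSv1.1 and TLSv1.2 is version-intolerant in exactly the way the post describes. Note that a blanket cap such as `NO_TLSv1_1` lowers the ceiling for every site the proxy talks to, and automatic downgrade on any failure is what made downgrade attacks against browsers possible, so the safer response is to confirm the intolerance with a probe like this and scope any workaround to the one misbehaving site.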