This is probably not a problem with Squid, but I'm posting here in the hope that someone may have more clue than me when it comes to SSL :)

When accessing https://www.taxdisc.service.gov.uk/ through an SSL bumping Squid, I get:

-----
The following error was encountered while trying to retrieve the URL: https://www.taxdisc.service.gov.uk/*

Failed to establish a secure connection to 62.25.101.198

The system returned:
(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: [No Error]
-----

Trying to connect with openssl directly also fails:

[steve@atlantis ~]$ openssl s_client -connect 62.25.101.198:443 -showcerts
CONNECTED(00000003)
140259944179584:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

If I force openssl into TLS1 mode (with the -tls1 argument) then it works fine. TLS 1.1 and 1.2 both fail. However, shouldn't openssl be negotiating the highest TLS version supported by both server and client?

It works correctly when Firefox connects directly to the web server rather than going through the proxy.

So my question is: is the web server broken, or am I misunderstanding something?

Many thanks.

--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:steve@xxxxxxxxxxxx
   Email:            steve@xxxxxxxxxxxx
   Phone:            sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
   Email:            sales@xxxxxxxxxxxx
   Phone:            +44-1792-825748 / sip:sales@xxxxxxxxxxxx

Support contacts:
   Email:            support@xxxxxxxxxxxx
   Phone:            +44-1792-824568 / sip:support@xxxxxxxxxxxx
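
Added example, not part of the original post and not Squid or OpenSSL project code: a shell sketch that repeats the post's test for each protocol option (default, -tls1, -tls1_1, -tls1_2) and classifies every s_client transcript. The function names, the result labels and SAMPLE_OK are assumptions made for the example; SAMPLE_FAIL is abbreviated from the transcript in the post.

```shell
#!/bin/sh
# Transcript from the post (default negotiation, abbreviated).
SAMPLE_FAIL='CONNECTED(00000003)
140259944179584:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)'
# Constructed sample of a completed handshake (not from the post).
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA'

# Exit 0 if the s_client transcript on stdin shows a completed handshake.
handshake_ok() {
    hs_out=$(cat)
    case $hs_out in
        *"Cipher is (NONE)"*|*"no peer certificate available"*) return 1 ;;
        *"Cipher is "*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe HOST:PORT [FLAG]: one handshake attempt, optionally forcing a version.
# </dev/null closes stdin so s_client exits once the handshake is over.
probe() {
    timeout 10 openssl s_client -connect "$1" ${2:+"$2"} </dev/null 2>&1 | handshake_ok
}

# Try default negotiation, then each forced version; print one line per try.
probe_all() {
    for pa_flag in "" -tls1 -tls1_1 -tls1_2; do
        if probe "$1" "$pa_flag"; then echo "${pa_flag:-default}: ok"
        else echo "${pa_flag:-default}: FAILED"; fi
    done
}

# Reduce probe_all output to one word; "version-dependent" is the pattern
# reported in the post (some options work, others fail).
summarise() {
    sm_res=$(cat)
    case $sm_res in
        *": ok"*) case $sm_res in *": FAILED"*) echo version-dependent ;; *) echo all-ok ;; esac ;;
        *) echo all-failed ;;
    esac
}

# Run against a live target only when one is given, e.g. ./probe.sh host:443
if [ "$#" -ge 1 ]; then probe_all "$1"; fi
```

A FAILED result for -tls1 or -tls1_1 on a current OpenSSL build can also mean the local client has those versions disabled, so confirm the client's own configuration before attributing the failure to the server.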