
Re: SSL bump fails accessing .gov.uk servers

With OpenSSL 1.0.1e-fips :

openssl s_client -connect www.taxdisc.service.gov.uk:443         fails (tries TLS1.2)
openssl s_client -connect www.taxdisc.service.gov.uk:443 -ssl3   works

The webmail server of my ISP works like this: it uses only TLS1.0, so no TLS1.1 or TLS1.2,
but with
   openssl s_client -connect WEBMAIL:443 -tls1_2
the connection is automagically downgraded to TLS1.0.  taxdisc does not do this.
Taxdisc does not negotiate, so the client must guess the desired protocol (SSL3 or TLS1.0)
and use that.

I do not know all details about TLS and downgrading rules but the server seems broken to me.
Firefox knows how to deal with it; Squid does not yet.

Marcus


On 10/31/2014 06:03 PM, Dieter Bloms wrote:
Hi Steve,

On Fri, Oct 31, Steve Hill wrote:

This is probably not a problem with Squid, but I'm posting here in the
hope that someone may have more clue than me when it comes to SSL :)

...

If I force openssl into TLS1 mode (with the -tls1 argument) then it
works fine.  TLS 1.1 and 1.2 both fail.  However, shouldn't openssl be
negotiating the highest TLS version supported by both server and client?

but when the server is broken, it will not work.
Have a look at:

https://www.ssllabs.com/ssltest/analyze.html?d=www.taxdisc.service.gov.uk

It works correctly when Firefox connects directly to the web server
rather than going through the proxy.

Yes, the browsers have a workaround and try with different cipher suites
when the first connect fails.

So my question is: is the web server broken, or am I misunderstanding
something?

The webserver is broken.


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
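An added example, not code from anyone in this thread: a small Python probe that does what the s_client runs above do by hand. It offers a descending ceiling of TLS versions and classifies whether a server downgrades cleanly (the webmail behaviour Marcus describes) or aborts on a ClientHello above what it speaks (the taxdisc behaviour), and includes the browser-style retry Dieter mentions. It assumes Python 3.7+ and skips certificate verification, because it diagnoses version handling only; the CEILINGS tuple and function names are this example's own.

```python
import socket
import ssl

# Ceilings, highest first, matching the thread's s_client runs (-tls1_2, -tls1_1,
# -tls1). SSLv3 is omitted: current OpenSSL builds no longer ship it.
CEILINGS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1)

def openssl_handshake(host, port, ceiling, timeout=5.0):
    """One handshake offering every version up to `ceiling`; returns the negotiated
    TLSVersion, or None if the server aborted. No cert check: version probe only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, ssl.SSLError):
        pass  # this OpenSSL build refuses a TLS1.0 floor; keep its default
    ctx.maximum_version = ceiling
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ssl.TLSVersion[tls.version().replace(".", "_")]
    except (ssl.SSLError, OSError):
        return None

def classify(handshake, ceilings=CEILINGS):
    """handshake(ceiling) -> negotiated version or None. Reports how a server treats
    a ClientHello above what it speaks: 'negotiates' (highest offer accepted, maybe
    downgraded: webmail), 'version-intolerant' (highest aborted, lower works:
    taxdisc) or 'no-handshake'."""
    results = {c: handshake(c) for c in ceilings}
    if results[ceilings[0]] is not None:
        kind = "negotiates"
    elif any(v is not None for v in results.values()):
        kind = "version-intolerant"
    else:
        kind = "no-handshake"
    return kind, results

def fallback_connect(handshake, ceilings=CEILINGS):
    """Browser-style workaround: retry with a lower ceiling; first version that works."""
    for c in ceilings:
        negotiated = handshake(c)
        if negotiated is not None:
            return negotiated
    return None

def probe(host, port=443):
    """Classify a live server, e.g. probe("www.taxdisc.service.gov.uk")."""
    return classify(lambda c: openssl_handshake(host, port, c))
```

Run `probe(host)` against a server to see which of the two behaviours it shows; a 'version-intolerant' result is the case where a client that offers TLS1.2 without retrying, as Squid did here, never connects.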