On 1/11/2014 12:09 p.m., Marcus Kool wrote:
> With OpenSSL 1.0.1e-fips :
>
> openssl s_client -connect www.taxdisc.service.gov.uk:443
> fails (tries TLS1.2)
> openssl s_client -connect www.taxdisc.service.gov.uk:443 -ssl3
> works
>
> The webmail server of my ISP works like this: it uses only TLS1.0,
> so no TLS1.1 or TLS1.2, but with openssl s_client -connect
> WEBMAIL:443 -tls1_2 the connection is automagically downgraded to
> TLS1.0. taxdisc does not do this. Taxdisc does not negotiate, so
> the client must guess the desired protocol (SSL3 or TLS1.0) and use
> that.
>
> I do not know all details about TLS and downgrading rules but the
> server seems broken to me.

It is clearly not supporting TLS at all.

TLS mandates that endpoints offer the highest TLS version they support, and the mutual highest is used. SSLv3 is not on that scale of TLS 1.0+ versions. Client implementations usually treat rejection of all TLS versions down to 1.0 as a signal that an SSL handshake is required instead, and abort and retry with SSLv3-only...

> Firefox knows how to deal with it and Squid not yet.

... for now anyway. Firefox will be dropping SSLv3 support Nov 25th.

Amos
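The two server behaviours compared in this thread (a server that answers a TLS 1.2 ClientHello with the highest version it shares with the client, versus one that only completes the handshake when the client's offered maximum is exactly a version it speaks) and the abort-and-retry fallback that clients use to cope with the latter, as an added toy model. This is example code written for this page, not Squid, OpenSSL or Firefox code; the `Server`, `connect_with_fallback` and `classify` names and the `negotiates` flag are assumptions of the model, and the `floor` argument shows what removing SSLv3 from a client's fallback list changes.

```python
"""Toy model of TLS version negotiation as discussed in the thread.

Added example, not Squid, OpenSSL or Firefox code.  Versions are the
(major, minor) values used on the wire: SSLv3 is 3.0, TLS 1.0 is 3.1, etc.
"""
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int]

SSL3: Version = (3, 0)
TLS1_0: Version = (3, 1)
TLS1_1: Version = (3, 2)
TLS1_2: Version = (3, 3)
NAMES: Dict[Version, str] = {SSL3: "SSLv3", TLS1_0: "TLSv1.0",
                             TLS1_1: "TLSv1.1", TLS1_2: "TLSv1.2"}


class Server:
    """A server with a set of supported versions (hypothetical model class).

    negotiates=True models what the TLS RFCs require: the server answers a
    ClientHello with the highest version it shares with the client at or
    below the client's offered maximum (the ISP webmail server in the thread).
    negotiates=False models the taxdisc behaviour: the handshake only
    succeeds when the client's offered maximum is exactly one it speaks.
    """

    def __init__(self, supported: Iterable[Version], negotiates: bool = True):
        self.supported = set(supported)
        self.negotiates = negotiates

    def handle_client_hello(self, client_max: Version) -> Optional[Version]:
        if self.negotiates:
            mutual = [v for v in self.supported if v <= client_max]
            return max(mutual) if mutual else None
        return client_max if client_max in self.supported else None


def connect(server: Server, client_max: Version) -> Optional[Version]:
    """One handshake attempt, like a single openssl s_client run."""
    return server.handle_client_hello(client_max)


def connect_with_fallback(server: Server, client_max: Version,
                          floor: Version) -> Tuple[Optional[Version], List[Version]]:
    """Abort-and-retry client: after each failure offer the next lower
    version as the maximum, stopping at `floor`.  Returns the negotiated
    version (or None) plus every maximum that was tried, so the caller can
    see how far down the server pushed the client.
    """
    tried: List[Version] = []
    candidates = sorted((v for v in NAMES if floor <= v <= client_max), reverse=True)
    for candidate in candidates:
        tried.append(candidate)
        result = server.handle_client_hello(candidate)
        if result is not None:
            return result, tried
    return None, tried


def classify(server: Server) -> str:
    """Probe a server the way the thread does by hand and name its behaviour."""
    if connect(server, TLS1_2) is not None:
        return "negotiates"           # one TLS 1.2 offer was enough
    if any(connect(server, v) is not None for v in (TLS1_1, TLS1_0, SSL3)):
        return "exact-match only"     # client has to guess the version
    return "unreachable"


if __name__ == "__main__":
    webmail = Server({TLS1_0})                              # negotiates down to TLS1.0
    taxdisc = Server({SSL3, TLS1_0}, negotiates=False)      # needs an exact version
    for name, srv in (("webmail", webmail), ("taxdisc", taxdisc)):
        print(name, classify(srv))
        for floor in (TLS1_0, SSL3):
            got, tried = connect_with_fallback(srv, TLS1_2, floor)
            print("  floor", NAMES[floor], "->", NAMES.get(got, "failed"),
                  "after trying", [NAMES[v] for v in tried])
```

With the floor at TLS 1.0 the fallback client still reaches taxdisc (it lands on TLS 1.0 after two failed offers), while a client that makes a single offer, as `connect` does, fails; lowering the floor to SSLv3 only matters for a server that speaks nothing newer, which is exactly the case a client loses when it drops SSLv3 from its fallback list.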