On 13/11/2014 11:55 a.m., Jason Haar wrote:
> Hi there
>
> I just found I cannot connect to https://www.bnz.co.nz/ using curl
> on Ubuntu (7.35 compiled against openssl-1.0.1f), whereas
> https://www.kiwibank.co.nz/ works fine. I first thought it was due
> to my messing around with ssl-bump, but it happens when I don't go
> through squid too
>
> I have a CentOS-6 server with curl-7.19 (compiled against 1.0.1e)
> and it works fine. The same happens with "openssl s_client": it
> works on CentOS but not on Ubuntu - so I think it's the root cause
> (unless I call it with either "-ssl3" or "-tls1" - explicitly
> asking for protocols seems to get around the issue with 1.0.1f). It
> looks like www.bnz.co.nz doesn't negotiate SSL/TLS correctly?

Sounds to me like they are using SSLv3 in their server.

>
> Any SSL guru out there willing to explain why newer command line
> tools don't like www.bnz.co.nz (whereas browsers do - but I hear
> it's because they "double try" in certain error conditions and
> basically work around this kind of issue)

Look up "SSLv3 POODLE" for what is happening in that area.

FYI: The browsers all announced deadlines of their next regular update
cycle[1][2][3] for dropping or disabling SSLv3 support. It's a dead duck
walking right now, should be buried by the end of this year.

[1] MSIE 6+ - (not sure exactly if this made it into the Patch Tuesday
set on 12 Nov)
<https://support.microsoft.com/kb/3009008>

[2] Firefox 34 - 25 Nov
<https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/>

[3] Chrome 39,40 - 'next few months'
<https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4>

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
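Added example, not part of the original thread: when a handshake fails as described above, the first record the server sends back (taken from a packet capture) shows whether it selected SSLv3 or rejected the ClientHello with an alert. The function name and the sample byte strings below are constructed for illustration.

```python
import struct

# Wire values of the version field. TLS 1.3 also shows 0x0303 here and
# signals its real version in an extension, which this sketch ignores.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# Alert descriptions that matter for failed negotiation (RFC 5246, 7.2).
ALERTS = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def classify_first_record(data: bytes) -> str:
    """Describe the first record a server sent in reply to a ClientHello."""
    if len(data) < 5:
        return "no usable reply (connection closed or truncated)"
    # Record header: content type (1), record version (2), length (2).
    rec_type, _rec_version, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        return "truncated record"
    if rec_type == 21:  # alert: level (1), description (1)
        if rec_len < 2:
            return "malformed alert"
        kind = "fatal" if body[0] == 2 else "warning"
        return f"{kind} alert: {ALERTS.get(body[1], body[1])}"
    if rec_type == 22 and rec_len >= 6 and body[0] == 2:  # ServerHello
        # Handshake header is type (1) + length (3); server_version follows.
        (chosen,) = struct.unpack("!H", body[4:6])
        return "ServerHello selecting " + VERSIONS.get(chosen, hex(chosen))
    return f"unexpected record type {rec_type}"


# Constructed sample: ServerHello choosing SSLv3 (zeroed random, empty
# session id, cipher suite 0x000a, null compression).
SAMPLE_SSLV3_HELLO = (bytes.fromhex("160300002a" "02000026" "0300")
                      + bytes(32) + bytes.fromhex("00" "000a" "00"))
# Constructed sample: fatal handshake_failure alert.
SAMPLE_ALERT = bytes.fromhex("15030100020228")

if __name__ == "__main__":
    for sample in (SAMPLE_SSLV3_HELLO, SAMPLE_ALERT, b""):
        print(classify_first_record(sample))
```
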