Re: peek/splice working with lynx but not with firefox or chrome [SOLVED]

Roel van Meer writes:

>> > I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1.
>> > Traffic is redirected from port 443 to 3130 with iptables.
>>
>> ... and with an older version of OpenSSL missing many of the last few
>> years worth of TLS crypto features. IIRC the library releases are now up
>> to 1.1.* or something. It's best to keep that kind of thing operating the
>> latest versions.
>
> I know it is missing the latest features, but security patches are
> backported. And I know it is old, but it's what I have to work with
> now. Do you think it might be the cause of the problem I'm having with
> peek/splice, or was it a general recommendation?

It's a potential source of problems. Chrome is very much on the front
line of the arms race attempting to stop things like SSL-Bump working.
Firefox implements their own crypto library which tracks the latest TLS
features at a similar speed of development.
OpenSSL will be perpetually behind both of them, but at least the latest
one(s) have better chances not to be advertising features they reject on
"considered harmful" grounds.

I'll have a go then at trying with a newer openssl and the patches from the thread you mentioned.

With Squid 3.5.2 built with openssl 1.0.1k I can splice https connections with no trouble. Tested with Lync, Chrome, Firefox, and IE.

So you were right. :) Thanks a lot for pointing me in the right direction!

Cheers,

Roel
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users