Re: Facing issue in Internet explorer

["L.P.H. van Belle" <belle@xxxxxxxxx>]

> For example, in IE version 8, getting an error given below,

 

You can try to disable SSL3 in advanced options and enable TLS1.0 and/or better

 

SSLV3 is absolete now.

 

 

---

Van: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens Prasad Desai
Verzonden: vrijdag 12 februari 2016 9:08
Aan: squid-users@xxxxxxxxxxxxxxxxxxxxx
Onderwerp: Facing issue in Internet explorer

 

Hi,

 

I have successfully configured SSLBump Peek and Splice in my transparent proxy and it is working as expected except in Internet explorer.

 

For example, in IE version 8, getting an error given below,

 

(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry

 

Below is squid.conf,

 

visible_hostname mysite.com

httpd_suppress_version_string on

via off

forwarded_for delete

deny_info  MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "192.168.3.33" MailScanner warning: numerical links are often malicious: http://192.168.3.33/error.html blockfiles

acl lan src  MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "192.168.4.0" MailScanner warning: numerical links are often malicious: 192.168.4.0/24  MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "192.168.6.0" MailScanner warning: numerical links are often malicious: 192.168.6.0/24  MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "192.168.3.0" MailScanner warning: numerical links are often malicious: 192.168.3.0/24

http_access allow lan

acl SSL_ports port 443

acl Safe_ports port 80        # http

acl Safe_ports port 21        # ftp

acl Safe_ports port 443        # https

acl Safe_ports port 70        # gopher

acl Safe_ports port 210        # wais

acl Safe_ports port 1025-65535    # unregistered ports

acl Safe_ports port 280        # http-mgmt

acl Safe_ports port 488        # gss-http

acl Safe_ports port 591        # filemaker

acl Safe_ports port 777        # multiling http

acl CONNECT method CONNECT

strip_query_terms off

http_access allow manager localhost

http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access deny all

sslproxy_flags DONT_VERIFY_PEER DONT_VERIFY_DOMAIN

acl disable-ssl-bump ssl::server_name "/etc/squid/no-ssl-bump.acl"

acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH

sslproxy_cert_error allow BadSite

acl step1 at_step SSLBump1

acl step2 at_step SSLBump2

acl step3 at_step SSLBump3

ssl_bump peek step1 all

ssl_bump splice step2 disable-ssl-bump

ssl_bump stare step2 all

ssl_bump splice step3 disable-ssl-bump

ssl_bump bump step3 all

http_port 3130

http_port 3128 intercept

https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB

sslcrtd_children 8 startup=1 idle=1

coredump_dir /var/spool/squid

refresh_pattern ^ftp:        1440    20%    10080

refresh_pattern ^gopher:    1440    0%    1440

refresh_pattern -i (/cgi-bin/|\?) 0    0%    0

refresh_pattern .        0    20%    4320

 

Any inputs to resolve this error will be much appreciated.

 

--

Best,

Prasad Desai

Systems Engineer

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users