On 24/02/2016 12:24 p.m., Dan Charlesworth wrote:
> Thanks Amos, good to know. I didn’t see your original reply for some reason; sorry about that.
>
> I thought I had read that these sort of errors could be avoided in Squid-4:
> Error negotiating SSL connection on FD 66: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
>
> But now I can’t even a source for that … I need to spend some quality time with Google I think.
>

The Squid-3.5.13 release may help you with that one...

That particular error is a direct result of the client TLS/SSL ciphers not overlapping with the Squid openssl library ciphers (or configured sub-set).

If you are being strict and disabling everything that is being declared as outdated/dangerous in TLS nowadays you can find yourself with the very small set of just AES_GCM, and ECDH(E) ciphers being acceptable. Last year's 3.5 did not have ECDH(E) support, and not very many clients have AES_GCM yet. So - ouch.

Today there is no difference in supported ciphers between Squid-3.5 and Squid-4, given the same library.

Amos
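Added example, not part of the original message and not Squid's own code: a small Python parser for the cache.log error quoted in the thread, which counts TLS negotiation failures by OpenSSL reason so an administrator can see how many clients a strict cipher list is turning away. The sample log lines are constructed, and the function names `parse_line` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample cache.log lines: timestamps, FDs and the non-cipher lines
# are made up; only the "no shared cipher" message text comes from the thread.
SAMPLE_LOG = [
    "2016/02/24 12:20:01 kid1| Error negotiating SSL connection on FD 66: "
    "error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)",
    "2016/02/24 12:20:07 kid1| Error negotiating SSL connection on FD 71: "
    "error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)",
    "2016/02/24 12:21:15 kid1| Error negotiating SSL connection on FD 80: "
    "error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)",
    "2016/02/24 12:21:30 kid1| storeLateRelease: released 0 objects",
]

# OpenSSL error strings read error:<hex code>:<library>:<function>:<reason>.
# The trailing "(n/n)" pair that follows is matched but not interpreted here.
HANDSHAKE_ERR = re.compile(
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*?)"
    r"(?: \(-?\d+/-?\d+\))?$"
)

def parse_line(line):
    """Return the fields of a TLS negotiation error line, or None for other lines."""
    m = HANDSHAKE_ERR.search(line.rstrip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["fd"] = int(fields["fd"])
    fields["code"] = fields["code"].upper()
    return fields

def summarize(lines):
    """Count failures by reason and collect the FDs that hit a cipher mismatch."""
    reasons, mismatch_fds = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons[rec["reason"]] += 1
        if rec["reason"] == "no shared cipher":
            mismatch_fds.append(rec["fd"])
    return reasons, mismatch_fds

if __name__ == "__main__":
    reasons, fds = summarize(SAMPLE_LOG)
    for reason, count in reasons.most_common():
        print(f"{count}/{sum(reasons.values())} {reason}")
    print("FDs with no cipher overlap:", fds)
```

A rising share of "no shared cipher" after tightening the configured cipher sub-set points to clients that lack the remaining suites rather than to a certificate or protocol problem.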