That’s the version I’m on actually (RPM compiled by me):
squid-3.5.13-1.el6.x86_64
openssl-1.0.1e-42.el6_7.2.x86_64

I’m not setting sslproxy_cipher in my config, so I guess that’s not it. My openssl library the problem perhaps?

> On 24 Feb 2016, at 11:17 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
> On 24/02/2016 12:24 p.m., Dan Charlesworth wrote:
>> Thanks Amos, good to know. I didn’t see your original reply for some reason; sorry about that.
>>
>> I thought I had read that these sort of errors could be avoided in Squid-4:
>> Error negotiating SSL connection on FD 66: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
>>
>> But now I can’t even find a source for that … I need to spend some quality time with Google I think.
>>
>
> The Squid-3.5.13 release may help you with that one...
>
>
> That particular error is a direct result of the client TLS/SSL ciphers
> not overlapping with the Squid openssl library ciphers (or configured
> sub-set).
>
> If you are being strict and disabling everything that is being declared
> as outdated/dangerous in TLS nowadays you can find yourself with the
> very small set of just AES_GCM, and ECDH(E) ciphers being acceptable.
>
> Last year's 3.5 did not have ECDH(E) support, and not very many clients
> have AES_GCM yet. So - ouch.
>
>
> Today there is no difference in supported ciphers between Squid-3.5 and
> Squid-4, given the same library.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
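
Added example, not part of the original thread and not Squid's own code: a small triage script that pulls the handshake failures quoted above out of cache.log lines and checks whether a client's offered ciphers overlap with the proxy's enabled set. The log timestamps, FD numbers and both cipher lists are constructed sample data; in practice the proxy list would come from the OpenSSL library Squid is linked against and the client list from a captured ClientHello.

```python
import re
from collections import Counter

# Squid cache.log wording quoted in the thread; the tail is an OpenSSL error
# string of the form error:<hex code>:<library>:<function>:<reason>.
HANDSHAKE_ERR = re.compile(
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>.*?)(?:\s+\(-?\d+/-?\d+\))?\s*$"
)

def handshake_failures(lines):
    """Count failed handshakes per (OpenSSL function, reason)."""
    counts = Counter()
    for line in lines:
        m = HANDSHAKE_ERR.search(line)
        if m:
            counts[(m["func"], m["reason"])] += 1
    return counts

def shared_ciphers(client_offer, proxy_enabled):
    """Ciphers both sides support, kept in the proxy's preference order."""
    offered = set(client_offer)
    return [c for c in proxy_enabled if c in offered]

# Constructed sample data (timestamps, FDs and cipher lists are illustrative).
SAMPLE_LOG = [
    "2016/02/24 11:02:13 kid1| Error negotiating SSL connection on FD 66: "
    "error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)",
    "2016/02/24 11:02:14 kid1| Error negotiating SSL connection on FD 71: "
    "error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)",
    "2016/02/24 11:02:15 kid1| storeLateRelease: released 0 objects",
]
# A strict proxy set of only ECDHE + AES-GCM suites, as described in the reply.
STRICT_PROXY = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]
OLD_CLIENT = ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]      # no AES-GCM
NEWER_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]

if __name__ == "__main__":
    for (func, reason), n in handshake_failures(SAMPLE_LOG).items():
        print(f"{n:3d}  {func}: {reason}")
    for name, offer in (("old", OLD_CLIENT), ("newer", NEWER_CLIENT)):
        common = shared_ciphers(offer, STRICT_PROXY)
        print(name, "->", common or "no shared cipher")
```

An empty overlap for a given client is the condition that produces the `no shared cipher` line in the log.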