Hey Vieri,

Just as a tiny reply I must admit that it's expected.
What you see is the result of Squid and its SSL stack supporting the goal of a minimum specific version of SSL encrypted connections.
I am not sure but there might be a way to make it all work for these clients.
Have you tried searching the squid-cache lists using google\yahoo\bing\other?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile+WhatsApp: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Vieri
Sent: Thursday, September 29, 2016 3:03 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Hi,

I'm running a Squid proxy like so:

http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem

The squid server certificate was self-generated:

openssl req -new -newkey rsa:2048 -sha256 -days 7300 -nodes -x509 -keyout /etc/ssl/squid/proxyserver.pem -out /etc/ssl/squid/proxyserver.pem

I configured my firewall rules appropriately and everything seems to work fine on systems such as Windows 7 32bits/64bits with IE11, IE8 or latest Firefox.

However, I'm having trouble with Windows XP Pro SP3 and IE8.

On this client OS, Firefox 45.0.1 works fine with HTTP and HTTPS sites.

However, IE8 on this same client OS works fine accessing HTTP sites but not HTTPS. When I try to access google.com I first get a certificate warning (untrusted cert). That's the first flaw because I shouldn't get this page since the proxy server's certificate is in the IE Trust Store (under root certificates).

Then if I try to connect to google.com despite the "untrusted certificate" warning, I get the exception:

(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry

I noticed that this browser/OS only has TLS up to 1.0 (no 1.2 or 1.1).

I can reproduce the same Squid exception on a Windows 7 IE8 system if I disable TLS 1.2 and only use TLS 1.1 and/or lower.

Any ideas?

Regards,

Vieri

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users