
Re: FW: squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)


 




Hi,

----- Original Message -----
> From: Yuri Voinov <yvoinov@xxxxxxxxx>
>

>> Why is Squid negotiating cipher RC4-MD5 which is reported "insecure"
>> and unsupported by the google web site?
> Because your antique client request it. XP desupported years ago.

[...]
> Throw out XP and IE8 and set up W7 as minimum with IE10. I see no other
> way. I am afraid that in this case, the cactus is too large and inedible.

I agree that XP clients shouldn't be used anymore but it's easier said than done in corporate environments.

In any case, on a purely technical level, I don't know the internals of Squid and standard proxying protocols but if a Windows XP+IE8 client has no problem whatsoever connecting directly (no proxy) to https://www.google.com but fails with Squid in the middle (ssl-bump) then that makes me think that it could be either a Squid bug or a missing feature (or maybe the fact that Squid is stricter when implementing protocols than Microsoft products). Whatever the reason, for an end-user like me it seems that the XP client is able to negotiate TLS correctly with Google and presumably using the cipher DES-CBC3-SHA (maybe after failing with RC4-MD5 on a first attempt), whereas Squid immediately fails with RC4-MD5. It doesn't ever seem to try DES-CBC3-SHA even though it's available in openssl. 


So I guess I'll start forcing users to use Firefox on WinXP or any other sane OS. I just wanted to point out though that I'm still confused as to why the client connection is failing.

Vieri
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



