On 10/03/2016 11:50 AM, Marc wrote:

> 2) Squid forwards the Client Hello, including ciphers the host running
> squid doesn't support (in my case, the DES and RC4 ones). This could
> also potentially lead to problems. Why doesn't squid filter them out
> from the Client Hello sent from squid to the webserver?

If this is what happens, then it is a Squid bug. During step2, the matching "stare" action instructs Squid to start establishing the secure connection with the origin server with the intent to "bump" it. Unlike peeking, Squid must not advertise what it does not support in this case because, as you said, doing so may jeopardize future bumping.

If Squid v4 does the same thing, I recommend filing a bug report.

> 3) Nice to have: Is it possible for squid to report errors to the user
> over HTTPS instead of HTTP?

Squid is supposed to report bumping errors over HTTPS whenever it can establish a secure connection with the client. Based on your email, I am not sure whether Squid could establish a secure connection with the client, but I suspect that your FD 12 "ssl3_get_client_hello:no shared cipher" error indicates that Squid tried but failed to do so.

Alex.
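The filtering discussed in this message, sketched as an added example that is not Squid's code and not part of the original email: it parses a ClientHello, drops cipher suites the local TLS library lacks, and rewrites the length fields before the hello is sent on. The function names, the `local` set and the sample hello are constructed for illustration, and the sketch assumes the ClientHello fits in a single TLS record.

```python
import struct

def build_client_hello(suites):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                           # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def cipher_span(record):
    """Return (offset, byte length) of the cipher_suites list in the record."""
    if len(record) < 46 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 5 + 4 + 2 + 32                # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]              # skip session_id
    if pos + 2 > len(record):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", record, pos)
    if n % 2 or pos + 2 + n > len(record):
        raise ValueError("malformed cipher_suites")
    return pos + 2, n

def parse_suites(record):
    """List the 16-bit cipher suite IDs the hello advertises, in order."""
    off, n = cipher_span(record)
    return [struct.unpack_from("!H", record, off + i)[0] for i in range(0, n, 2)]

def filter_client_hello(record, supported):
    """Re-emit the hello offering only suites in `supported`, with lengths fixed."""
    off, n = cipher_span(record)
    kept = [s for s in parse_suites(record) if s in supported]
    if not kept:
        raise ValueError("no shared cipher")
    new = b"".join(struct.pack("!H", s) for s in kept)
    body = record[9:off - 2] + struct.pack("!H", len(new)) + new + record[off + n:]
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return record[:3] + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # Constructed offer: RC4-SHA, DES-CBC-SHA, AES128-SHA, ECDHE-RSA-AES128-GCM-SHA256
    hello = build_client_hello([0x0005, 0x0009, 0x002F, 0xC02F])
    local = {0x002F, 0xC02F}            # hypothetical set the proxy's TLS library supports
    forwarded = filter_client_hello(hello, local)
    print([hex(s) for s in parse_suites(hello)], "->",
          [hex(s) for s in parse_suites(forwarded)])
```

Comparing `parse_suites()` output for the hello received from the client and the one sent to the origin server, for example from a packet capture on both sides of the proxy, is a direct way to confirm whether unsupported suites are being forwarded.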