On 3/10/2016 8:11 p.m., Vieri wrote:
>
> Hi,
>
> ----- Original Message -----
>> From: Yuri Voinov <yvoinov@xxxxxxxxx>
>>
>>> Why is Squid negotiating cipher RC4-MD5 which is reported
>>> "insecure" and unsupported by the google web site?
>>
>> Because your antique client requests it. XP desupported years ago.
>
> [...]
>
>> Throw out XP and IE8 and set up W7 as minimum with IE10. I see no
>> other way. I am afraid that in this case, the cactus is too large
>> and inedible.
>
> I agree that XP clients shouldn't be used anymore but it's easier
> said than done in corporate environments.
>
> In any case, on a purely technical level, I don't know the internals
> of Squid and standard proxying protocols but if a Windows XP+IE8
> client has no problem whatsoever connecting directly (no proxy) to
> https://www.google.com but fails with Squid in the middle (ssl-bump)
> then that makes me think that it could be either a Squid bug or a
> missing feature

TLS/SSL was designed to prevent MITM being done on the encrypted
traffic. When used properly that is exactly what it does.

SSL-Bump is an MITM process. So the behaviour you see of "working" when
no proxy bumping and "not working" when proxy attempts to bump is
exactly the way HTTPS was designed to behave.

It is unreasonable to believe that working TLS behaviour is a bug in
Squid...

> Whatever the reason,
> for an end-user like me it seems that the XP client is able to
> negotiate TLS correctly with Google and presumably using the cipher
> DES-CBC3-SHA (maybe after failing with RC4-MD5 on a first attempt),
> whereas Squid immediately fails with RC4-MD5. It doesn't ever seem to
> try DES-CBC3-SHA even though it's available in openssl.

... in this case it might be. But not for the reasons stated.

The problem known so far is that RC4-MD5 cipher. Why it is not being
used by your OpenSSL library. That could bear some further
investigation.

There may be things you need to enable in the config passed to OpenSSL,
or a different build of the library needed. Something along those lines
- I'm just guessing here.

> So I guess I'll start forcing users to use Firefox on WinXP or any
> other sane OS. I just wanted to point out though that I'm still
> confused as to why the client connection is failing.

That sounds like a potentially workable option or at least workaround.

I hope the above explanations can alleviate your confusion a bit despite
not providing any answer to the problem.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
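Added example, not part of the thread above and not code from the Squid project: a small Python probe of the OpenSSL library the interpreter links against, to check the suggestion in the reply that the suite the client wants (RC4-MD5) may be absent from, or disabled in, the proxy's OpenSSL build rather than anything Squid does. The `CLIENT_OFFER` list is a constructed approximation of what an XP-era client advertises and is an assumption, not captured data; on a real system take the offered suites from a packet capture of the ClientHello. The function names are mine.

```python
"""Probe which cipher suites the local OpenSSL build can negotiate.

Illustrates the diagnosis suggested on the list: when a client offers
only suites the server-side library no longer provides, the handshake
fails before any proxy logic is involved.
"""
import ssl

# Constructed list (assumption): suites an old Windows XP / IE8 SChannel
# client typically offers. Replace with values from a real ClientHello.
CLIENT_OFFER = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "DES-CBC-SHA"]

# Suites treated as broken or deprecated by current guidance.
LEGACY_SUITES = {"RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "DES-CBC-SHA"}


def cipher_available(suite: str) -> bool:
    """True if the linked OpenSSL exposes `suite` to a TLS client context.

    set_ciphers() raises SSLError ("No cipher can be selected") when the
    build, or its configured security level, has nothing matching the
    string; that is the symptom of a library-side limitation.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(suite)
    except ssl.SSLError:
        return False
    return any(c["name"] == suite for c in ctx.get_ciphers())


def negotiable(offered):
    """Split a client's offered suites into those the local OpenSSL has
    and those it lacks, mirroring the server's choice in the handshake."""
    usable = [s for s in offered if cipher_available(s)]
    missing = [s for s in offered if s not in usable]
    return usable, missing


def report(offered=CLIENT_OFFER):
    """Summarise what a handshake against this library could agree on."""
    usable, missing = negotiable(offered)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "usable": usable,
        "missing": missing,
        # If the only common ground is legacy crypto, re-enabling it would
        # weaken every bumped connection; moving the client is the safer fix.
        "only_legacy_usable": bool(usable)
        and all(s in LEGACY_SUITES for s in usable),
    }


if __name__ == "__main__":
    r = report()
    print("OpenSSL:", r["openssl"])
    print("client suites this library can negotiate:", r["usable"] or "none")
    print("client suites missing or disabled here:  ", r["missing"] or "none")
    if not r["usable"]:
        print("no common suite: the handshake fails, as described in the thread")
    elif r["only_legacy_usable"]:
        print("handshake can only succeed on weak suites")
```

Run it on the proxy host with the same Python/OpenSSL pairing Squid uses (or compare `ssl.OPENSSL_VERSION` with what `squid -v` reports linking against); if every suite in the client's offer lands in `missing`, the failure is in the library's cipher set or security level, which is the direction the reply points at.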