Hi,

Thanks for the replies. I've figured out more details.

First, my assumption that sslproxy_cipher was ignored in my setup was incorrect. I confused it with what I've read about sslproxy_options on http://bazaar.launchpad.net/~yadi/squid/warnings/revision/13928 . Thanks Yuri for making me come to that conclusion.

So I've put in 'sslproxy_cipher ALL' (just for troubleshooting purposes..). After that, the previously mentioned test 1 works on the Linux client; however, the iPhone app still does not. So I went on and did more tests. First, the iPhone uses more than one cipher. I'll start with curl, using TLS 1.0 like the app.

3) curl --insecure --tlsv1.0 https://www.google.com
SQUID_ERR_SSL_HANDSHAKE. So with the default ciphers, curl using TLS 1.0 also breaks.

4) curl --insecure --tlsv1.0 --ciphers rsa_3des_sha https://www.google.com
Works. So using one cipher 'fixes' it.. just like we saw using openssl s_client.

Back to openssl s_client, default ciphers.

5) echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n" | openssl s_client -quiet -connect www.google.com:443 -tls1
SQUID_ERR_SSL_HANDSHAKE. Also here, using more ciphers generates an error.

6) echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n" | openssl s_client -quiet -connect www.google.com:443 -tls1_1
SQUID_ERR_SSL_HANDSHAKE. TLS 1.1 does not help.

7) echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n" | openssl s_client -quiet -connect www.google.com:443 -tls1_2
This works! When using TLS 1.2, we do not have this problem. Note that compared to the previous 2 tests we have an extra TLS security extension in the Client Hello, signature_algorithms.

Now more tests with TLS 1.0.

8) Firefox with TLS 1.0 (security.tls.version.max = 1).
Works. But.. Firefox is also using multiple ciphers. Hmm. Firefox also uses a whole bunch of TLS extensions with TLS 1.0. Back to openssl and focus on extensions.

9) echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n" | openssl s_client -quiet -connect www.google.com:443 -tls1 -servername www.google.com
SQUID_ERR_SSL_HANDSHAKE. Adding the server_name extension doesn't help.

Now let's try to add other TLS extensions. Since openssl didn't want to play along, I started with a fake one, 33554.

10) echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n" | openssl s_client -quiet -connect www.google.com:443 -tls1 -servername www.google.com -serverinfo 33554
This works!

Removing SNI, keeping the fake extension:

11) echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n" | openssl s_client -quiet -connect www.google.com:443 -tls1 -serverinfo 33554
Also works. Adding other extensions instead of the fake one also works.

So yeah.. I'm still confused.

- If TLS v1.0 or TLS v1.1, and more than one cipher, and not some seemingly random extension, then error. TLS v1.2 seems to work, maybe just because of the extra extension signature_algorithms, no idea.
- Squid forwards ciphers in the Client Hello to the webserver, except for some CHACHA20 ones that are filtered out. Squid should make its own decision though when using stare, right? Squid does upgrade the TLS version.

Should I report 2 bugs and/or attach debug logging?

I'll try to test with squid4 later this week. It doesn't want to compile on FC24 for some reason.. while my gcc has C11 support. Have to dive into it.. unless someone has tips.

#######
# /usr/bin/g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src -I../../include -I../../libltdl -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -Wno-deprecated-register -pipe -D_REENTRANT -g -O2 -march=native -MT Handshake.lo -MD -MP -MF .deps/Handshake.Tpo -c Handshake.cc -o Handshake.o
Handshake.cc: In member function ‘void Security::HandshakeParser::parseServerCertificates(const SBuf&)’:
Handshake.cc:560:31: error: ‘cert’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
   Security::CertPointer cert;
                         ^~~~
At global scope:
cc1plus: error: unrecognized command line option ‘-Wno-deprecated-register’ [-Werror]
cc1plus: all warnings being treated as errors
# g++ --version
g++ (GCC) 6.2.1 20160916 (Red Hat 6.2.1-2)
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/6.2.1/lto-wrapper
Target: x86_64-redhat-linux
Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,objc,obj-c++,fortran,ada,go,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --disable-libgcj --with-isl --enable-libmpx --enable-gnu-indirect-function --with-tune=generic --with-arch_32=i686 --build=x86_64-redhat-linux
Thread model: posix
gcc version 6.2.1 20160916 (Red Hat 6.2.1-2) (GCC)
#######

Regards,
Marc

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
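Added example, not part of Marc's post and not Squid code: the tests above vary three things in the Client Hello (protocol version, number of cipher suites, presence of extensions), so it helps to be able to build such a Client Hello offline and parse it back to see exactly which of those fields differ between a working and a failing case. The script below does that with the standard library only. The helper matches_reported_failure() encodes the pattern Marc observed in tests 3 to 11 (TLS 1.0/1.1, more than one cipher, and no extension other than server_name); that is an assumption drawn from his results, not a documented Squid rule. Cipher suite numbers, the zeroed client random and the sample hostname are constructed for the example.

```python
import struct

# Protocol versions as (major, minor); tuples compare in order.
TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)
EXT_SERVER_NAME = 0             # RFC 6066
EXT_SIGNATURE_ALGORITHMS = 13   # RFC 5246, only sent by TLS 1.2 clients
# Constructed sample suites (IANA numbers): rsa_3des_sha, AES128-SHA, AES256-SHA
RSA_3DES_SHA, AES128_SHA, AES256_SHA = 0x000A, 0x002F, 0x0035


def ext_server_name(host):
    """server_name extension: ServerNameList { host_name(0), len, name }."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def ext_signature_algorithms(pairs=((4, 1), (2, 1))):
    """signature_algorithms: list of (hash, sig) pairs; default sha256/rsa, sha1/rsa."""
    data = b"".join(bytes(p) for p in pairs)
    return (EXT_SIGNATURE_ALGORITHMS, struct.pack("!H", len(data)) + data)


def build_client_hello(version, ciphers, extensions=()):
    """Return a complete TLS record carrying a ClientHello.
    Client random is all zeros here (constructed); a real client sends 32 random bytes."""
    body = bytes(version) + bytes(32)
    body += b"\x00"                                   # empty session id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                               # one compression method: null
    if extensions:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type + 24-bit length
    # Record-layer version is 3.1 regardless of the hello version, as common clients do.
    return b"\x16" + bytes(TLS10) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record into version, cipher list and extension type list."""
    ctype, _maj, _min, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    pos = 2 + 32                                      # skip version and random
    pos += 1 + body[pos]                              # skip session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    ciphers = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # skip compression methods
    ext_types = []
    if pos < len(body):                               # extensions block is optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos < end:
            t, l = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            ext_types.append(t); pos += l
    return {"version": version, "ciphers": ciphers, "extensions": ext_types}


def matches_reported_failure(hello):
    """Assumed pattern from the post's tests 3-11: pre-1.2 version, several suites,
    and nothing in the extensions block except (possibly) server_name."""
    others = [t for t in hello["extensions"] if t != EXT_SERVER_NAME]
    return hello["version"] < TLS12 and len(hello["ciphers"]) > 1 and not others


if __name__ == "__main__":
    cases = {
        "test 3/5 (tls1, many ciphers)": build_client_hello(TLS10, [RSA_3DES_SHA, AES128_SHA, AES256_SHA]),
        "test 4 (tls1, one cipher)": build_client_hello(TLS10, [RSA_3DES_SHA]),
        "test 9 (tls1, SNI only)": build_client_hello(TLS10, [RSA_3DES_SHA, AES128_SHA], [ext_server_name("www.google.com")]),
        "test 11 (tls1, fake ext 33554)": build_client_hello(TLS10, [RSA_3DES_SHA, AES128_SHA], [(33554, b"")]),
        "test 7 (tls1_2)": build_client_hello(TLS12, [RSA_3DES_SHA, AES128_SHA], [ext_signature_algorithms()]),
    }
    for label, rec in cases.items():
        h = parse_client_hello(rec)
        print(f"{label}: version={h['version']} ciphers={len(h['ciphers'])} "
              f"exts={h['extensions']} reported_failure_pattern={matches_reported_failure(h)}")
```

To compare against the real thing, capture the first record of a failing and a working session (tcpdump or Wireshark on the proxy side), feed the raw bytes to parse_client_hello(), and diff the three fields; that is a more reliable basis for a bug report than the s_client flags alone.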