On 10/19/2016 12:44 AM, Leandro Barragan wrote: >> error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0) > I fail to see why is this happening. I only need to peek on the > connection and make a decision based on SNI, Please note that "peek and make a decision based on SNI" is not what your configuration tells Squid to do. Your configuration tells Squid to peek during step2, which means making a decision based on server certificates (and SNI). > I'm not Bumping, so I > don't understand why ciphers matter in my situation. The ciphers matter because Squid v3 uses OpenSSL parsers during step1, step2, and step3. FWIW, Squid v4 uses OpenSSL parsers during step2 (a little) and step3. It is possible to completely remove OpenSSL from step2 but there is currently no project to do that AFAIK. >> ssl_bump peek all step1 >> ssl_bump peek all step2 >> ssl_bump terminate face step3 >> ssl_bump terminate twitter step3 >> ssl_bump splice all step3 BTW, "step1", "step2", and "step3" ACLs do nothing useful in the above config. You can safely remove them to arrive at the equivalent ssl_bump configuration. On 10/19/2016 07:42 AM, Amos Jeffries wrote: > Terminate means impersonating the server and responding to the client > with an HTTPS error page. Terminate means "close client and server connections immediately". The problem is not with the terminate action but with peeking (which relies on OpenSSL, especially during step2, especially in Squid v3). HTH, Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
