Thanks for your time Alex! I modified my original config based on Amos's recommendations, so I think now I have a more consistent peek & splice config:

acl TF ssl::server_name_regex -i facebook fbcdn twitter reddit
ssl_bump peek all
ssl_bump terminate TF
ssl_bump splice all

As you mentioned, terminate closes the connection, it doesn't serve an error page (when it works, i.e. with reddit and twitter).

I've compiled Squid 3.5.22 using OpenSSL 1.0.2j and I'm having the same exact issue, even with this new config. Based on what you explained, I think it's an OpenSSL problem and Squid can't do anything about it. I have two reasons to believe that:

1) The "unknown cipher returned" error gets triggered on terminated and non-terminated (e.g. microsoft.com) sites, which makes me think it has nothing to do with Squid ACLs.

2) All problematic sites use a new cipher called "ChaCha20" (e.g. TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, according to the Qualys online analyzer and the TestSSLServer tool). A lot of sites are using this new cipher.

I'm back at the beginning, I will continue trying to compile Squid with patched versions of OpenSSL or LibreSSL.

Thanks!

On 20 October 2016 at 01:01, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On 10/19/2016 12:44 AM, Leandro Barragan wrote:
>
>>> error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0)
>
>> I fail to see why this is happening. I only need to peek on the
>> connection and make a decision based on SNI,
>
> Please note that "peek and make a decision based on SNI" is not what
> your configuration tells Squid to do. Your configuration tells Squid to
> peek during step2, which means making a decision based on server
> certificates (and SNI).
>
>
>> I'm not Bumping, so I
>> don't understand why ciphers matter in my situation.
>
> The ciphers matter because Squid v3 uses OpenSSL parsers during step1,
> step2, and step3. FWIW, Squid v4 uses OpenSSL parsers during step2 (a
> little) and step3. It is possible to completely remove OpenSSL from
> step2 but there is currently no project to do that AFAIK.
>
>
>>> ssl_bump peek all step1
>>> ssl_bump peek all step2
>>> ssl_bump terminate face step3
>>> ssl_bump terminate twitter step3
>>> ssl_bump splice all step3
>
> BTW, "step1", "step2", and "step3" ACLs do nothing useful in the above
> config. You can safely remove them to arrive at the equivalent ssl_bump
> configuration.
>
>
> On 10/19/2016 07:42 AM, Amos Jeffries wrote:
>> Terminate means impersonating the server and responding to the client
>> with an HTTPS error page.
>
> Terminate means "close client and server connections immediately". The
> problem is not with the terminate action but with peeking (which relies
> on OpenSSL, especially during step2, especially in Squid v3).
>
>
> HTH,
>
> Alex.
>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
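Added illustration of Alex's point that a step2 peek hands the server's handshake to the TLS library's own parser (example code, not from this thread, from Squid or from OpenSSL): it parses a ServerHello, reads the cipher suite the server selected, and checks it against an assumed OpenSSL 1.0.2-era cipher table that has no entries for the RFC 7905 ChaCha20 suites, which is the mismatch that surfaces as "unknown cipher returned". The ServerHello bytes, the suite table and the "known suites" set are constructed for the demo.

```python
import struct

# IANA cipher suite ids -> names (subset; the ChaCha20 ids come from RFC 7905)
SUITE_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}
# Assumed table of an OpenSSL 1.0.2-era build for this demo: no ChaCha20
# entries (OpenSSL added the ChaCha20-Poly1305 suites in 1.1.0).
OPENSSL_102_KNOWN = {0xC02B, 0xC02F}


def parse_server_hello(record: bytes) -> dict:
    """Extract version and selected cipher suite from a TLS record that
    carries a ServerHello (TLS 1.0-1.2 record/handshake framing)."""
    ctype, _rec_ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22:                       # 22 = handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) < 4 or body[0] != 2:     # 2 = server_hello message type
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                          # skip the 32-byte server random
    pos += 1 + hs[pos]                    # skip the length-prefixed session_id
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite}


def peek_verdict(record: bytes, known=OPENSSL_102_KNOWN) -> str:
    """What a step2 peek sees: the selected suite is either in the library's
    table or it is not; the latter is the failure reported in the thread."""
    suite = parse_server_hello(record)["cipher_suite"]
    name = SUITE_NAMES.get(suite, "0x%04X" % suite)
    return ("ok: " if suite in known else "unknown cipher returned: ") + name


def build_server_hello(suite: int) -> bytes:
    """Constructed sample: TLS 1.2 ServerHello with zero random, empty
    session id, null compression and no extensions."""
    hs = struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 22, 0x0303, len(body)) + body


if __name__ == "__main__":
    for suite in (0xC02F, 0xCCA9):
        print(peek_verdict(build_server_hello(suite)))
```

Passing a different `known` set (for example one that includes 0xCCA9) shows the same ServerHello peeking cleanly once the library's cipher table has the suite.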