On 19/01/2017 12:53 p.m., Sameh Onaissi wrote:
> Hello, Amos… all
>
> Yuri, thanks for the reply.
>
>
> Amos,
>
> I added (thanks to Eliezer):
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER

That is a spot-check config to see if TLS is fully broken or if the fix can
be done in Squid. It should never, ever, ever, be used in a production proxy.

> to the config file. I am not too worried about the verification since the
> accessed sites showing problems are government sites or local paying
> services/partners.
>

The peer verify is not about whether communication to them is safe (it
might not be even when verify succeeds). It is about whether you are
actually communicating with the right destination or with some hijacker
responding to your TCP connections.

In other words, to check that the endpoint you are sending those
financial details to actually is your bank. Not mine.

The situation I am trying to get you to is checking the certs actually
belong to the right entity. But ignoring some minor(-ish) details like
missing CA in their cert chain, their bad choice of cipher etc.

> However, some sites are still showing the Handshake problem.
> https://ibin.co/38uz8akvWayM.png
>
> You had previously replied to this saying:
>
> "If you actually read that error message it tells you exactly what the
> problem is.
>
> "Handshake with SSL server failed: [blah blah codes]: dh key too small"
>
> The server is trying to use a Diffie-Hellman cipher with a too-short key.
> DH cipher with short keys has recently been broken. By recently I mean
> about a whole year ago."
>
> However, I still wonder what the solution is? Is it possible to fix
> this? And who needs to fix it? Is it a Squid side error? Is it an OS
> level error?
>

The only solution for that one is for the server admin to change/fix
their DH key settings to make it longer. You are unlikely to be the only
one having such a problem, so with any luck they will fix it soon.

You can try to contact their admin and tell them about the problem.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
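Added example, not from this thread or the Squid project: the spot-check configuration quoted above, beside a scoped squid.conf alternative of the kind Amos describes, which keeps peer identity verification on and tolerates only one named chain error for one named set of servers. The `.example.gov` domain and the choice of the missing-issuer error are assumptions for illustration; the `ssl_error`, `ssl::server_name` and `sslproxy_cert_error` directives are standard Squid 3.5+ configuration.

```squid
# --- Spot-check only (what was added during troubleshooting) ---
# Accepts every certificate error and switches peer verification off,
# so Squid relays traffic to whatever host answers the TCP connection.
# Useful for a minute of diagnosis, never in a production proxy.
#
#   sslproxy_cert_error allow all
#   sslproxy_flags DONT_VERIFY_PEER

# --- Scoped alternative ---
# Peer verification stays on (no DONT_VERIFY_PEER): the server's
# certificate must still chain to a trusted CA and match the requested
# host name for every other destination.

# Assumed domain for illustration: the sites whose chains are known to
# omit an intermediate CA certificate.
acl IncompleteChainSites ssl::server_name .example.gov

# The single verification error tolerated for those sites: OpenSSL's
# "issuer certificate not available locally" result, i.e. a missing
# intermediate. Expired certs, name mismatches and unknown CAs are not
# listed, so they still fail.
acl MissingIssuer ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

# Allow that one error, only for those sites; deny everything else.
sslproxy_cert_error allow MissingIssuer IncompleteChainSites
sslproxy_cert_error deny all
```

Two things to note when applying this. First, `sslproxy_cert_error` only covers certificate validation results; the "dh key too small" failure is a handshake-level OpenSSL error and no certificate-error ACL will make it go away, which matches Amos's point that the fix belongs to the server admin. To confirm which problem a given server has, `openssl s_client -connect host:443` (OpenSSL 1.0.2 or later) prints the negotiated ephemeral key size on its `Server Temp Key:` line. Second, a missing intermediate is often better fixed than tolerated: Squid 3.5 and later can be given the intermediate certificate itself via `sslproxy_foreign_intermediate_certs`, which completes the chain without relaxing verification at all.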