Hi David,

I'm battling with similar problems at the moment. One thing that I've found is that the system seems happier when you don't peek prior to a bump. My current config is:

  acl nobumpserver ssl::server_name "/etc/squid/nobump"
  acl ignoreclients src "/etc/squid/nobumpclients"
  acl step1 at_step SslBump1
  ssl_bump peek nobumpserver step1
  ssl_bump peek ignoreclients step1
  ssl_bump splice nobumpserver
  ssl_bump splice ignoreclients
  ssl_bump stare step1 !nobumpserver !ignoreclients
  ssl_bump bump !nobumpserver !ignoreclients

where nobump is a list of regex domains (like .apple.com) and nobumpclients is a list of IPs I never want to bump.

I'm still battling with errors and sites not always working, but of all the configurations I've tried this one seems to work for the majority of sites.

Cheers,
oliver@xxxxxxxxxxxx
lennox-it.uk
tel: 07900 648 252

________________________________
From: David Touzeau <david@xxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Sent: Thursday, 27 April 2017, 17:48
Subject: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Hi,

I'm unable to access the https://www.boutique.afnor.org website.
I would like to know whether this issue can be fixed, or whether I must stop bumping the website to fix it.
Without Squid the website is displayed correctly. Squid displays an error page with "(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)".

In cache.log:

  "Error negotiating SSL on FD 17: error:00000000:lib(0):func(0):reason(0) (5/0/0)"

Using the following configuration:

  http_port 0.0.0.0:3128 name=MyPortNameID20 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
  sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
  sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
  sslcrtd_children 16 startup=5 idle=1
  acl FakeCert ssl::server_name .apple.com
  acl FakeCert ssl::server_name .icloud.com
  acl FakeCert ssl::server_name .mzstatic.com
  acl FakeCert ssl::server_name .dropbox.com
  acl ssl_step1 at_step SslBump1
  acl ssl_step2 at_step SslBump2
  acl ssl_step3 at_step SslBump3
  ssl_bump peek ssl_step1
  ssl_bump splice FakeCert
  ssl_bump bump ssl_step2 all
  ssl_bump splice all
  sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
  sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
  sslproxy_flags DONT_VERIFY_PEER
  sslproxy_cert_error allow all

Openssl info
----------------------------------------------------------------------------
openssl s_client -connect 195.115.26.58:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE NORMALISATION, CN = www.boutique.afnor.org
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
-----BEGIN CERTIFICATE-----
../..
-----END CERTIFICATE-----
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
../..
-----END CERTIFICATE-----
---
Server certificate
subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 3105 bytes and written 616 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
    Session-ID-ctx:
    Master-Key: D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1493311275
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
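As an added illustration (not part of the thread and not Squid's own code), the Python below models how Squid evaluates the ssl_bump rules of the two configurations posted above: rules are tried in file order at each SslBump step, the ACL terms on one line are ANDed with "!" negating, and the first final action (splice, bump, terminate) ends the walk. Run over a few constructed connections it shows the difference Oliver's reply is pointing at: a connection that ends up bumped goes peek then bump under David's rules but stare then bump under Oliver's, and Squid documents peek as preserving the option to splice and stare as preserving the option to bump. Assumptions of the model, labelled in the code as well: the list files /etc/squid/nobump and /etc/squid/nobumpclients are replaced by constructed inline values; one server name stands in for what Squid resolves separately at each step (CONNECT host or intercepted IP, then SNI, then certificate name); ssl::server_name is matched dstdomain-style; no matching rule is treated as splice; and a peek or stare left over at step 3 is resolved to the action it preserved. Check the squid.conf documentation of your version for the real defaults.

```python
"""Model of Squid's ssl_bump rule evaluation: an added illustration, not Squid
code.  Rules are tried in file order at each SslBump step, the ACL terms on a
rule are ANDed ('!' negates), and the walk stops at the first final action."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

FINAL = {"splice", "bump", "terminate"}
Conn = namedtuple("Conn", "server_name client_ip")  # assumption: one name for all steps

@dataclass
class Config:
    acls: dict = field(default_factory=dict)   # name -> (type, [values])
    rules: list = field(default_factory=list)  # (action, [acl terms]) in file order

    @classmethod
    def parse(cls, text):
        cfg = cls()
        for raw in text.splitlines():
            words = raw.split("#", 1)[0].split()
            if not words:
                continue
            if words[0] == "acl":
                name, kind, values = words[1], words[2], words[3:]
                known_kind, merged = cfg.acls.setdefault(name, (kind, []))
                assert known_kind == kind, f"acl {name} redefined as {kind}"
                merged.extend(values)          # repeated acl lines OR their values
            elif words[0] == "ssl_bump":
                cfg.rules.append((words[1], words[2:]))
        return cfg

    def acl_matches(self, name, conn, step):
        if name == "all":                      # Squid's built-in 'all' ACL
            return True
        kind, values = self.acls[name]
        if kind == "at_step":
            return f"SslBump{step}" in values
        if kind == "ssl::server_name":
            return any(domain_match(v, conn.server_name) for v in values)
        if kind == "src":
            ip = ipaddress.ip_address(conn.client_ip)
            return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        raise ValueError(f"acl type {kind} is not modelled")

    def action_at(self, conn, step):
        for action, terms in self.rules:       # first matching rule wins
            if all(self.acl_matches(t.lstrip("!"), conn, step) != t.startswith("!")
                   for t in terms):
                return action
        return "splice"                        # assumption: no match -> plain tunnel

    def decide(self, conn):
        path = []                              # actions taken at steps 1..3
        for step in (1, 2, 3):
            action = self.action_at(conn, step)
            if step == 3 and action not in FINAL:  # assumption: resolve to what it preserved
                action = {"peek": "splice", "stare": "bump"}[action]
            path.append(action)
            if action in FINAL:
                break
        return path

def domain_match(pattern, host):
    """dstdomain-style match: '.example.com' covers the domain and its subdomains."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

# David's rules as posted; his four FakeCert lines merge into one (the parser ORs them).
DAVID = """
acl FakeCert ssl::server_name .apple.com .icloud.com .mzstatic.com .dropbox.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
ssl_bump peek ssl_step1
ssl_bump splice FakeCert
ssl_bump bump ssl_step2 all
ssl_bump splice all
"""
# Oliver's rules; his two list files are replaced by constructed inline values.
OLIVER = """
acl nobumpserver ssl::server_name .apple.com .icloud.com
acl ignoreclients src 192.0.2.10 192.0.2.64/28
acl step1 at_step SslBump1
ssl_bump peek nobumpserver step1
ssl_bump peek ignoreclients step1
ssl_bump splice nobumpserver
ssl_bump splice ignoreclients
ssl_bump stare step1 !nobumpserver !ignoreclients
ssl_bump bump !nobumpserver !ignoreclients
"""
SAMPLES = [Conn("www.boutique.afnor.org", "10.0.0.5"),    # constructed connections
           Conn("www.apple.com", "10.0.0.5"),
           Conn("www.boutique.afnor.org", "192.0.2.10")]

def compare(samples=SAMPLES):
    """(server_name, client_ip) -> per-step path under each configuration."""
    david, oliver = Config.parse(DAVID), Config.parse(OLIVER)
    return {(c.server_name, c.client_ip): {"david": david.decide(c),
                                           "oliver": oliver.decide(c)} for c in samples}
```

compare() returns, for the afnor site from an ordinary client, ['peek', 'bump'] under David's rules and ['stare', 'bump'] under Oliver's; for www.apple.com both configurations give ['peek', 'splice']; and for a client listed in nobumpclients Oliver's rules give ['peek', 'splice'] where David's still bump. The remaining sslproxy_* directives and the http_port line do not take part in the rule walk and are not modelled.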