I am using Squid 3.5.27 and recently started having issues when I upgraded from openssl 1.0.1 to 1.0.2, which I believe introduced support for h2/ALPN. I have narrowed down the issue to a request that fails but succeeds with curl's --no-alpn flag.

Here is the error message from Squid for the failure, though the request ends up timing out with an EOF error.

Handshake with SSL server failed: error:140920E3:SSL routines:ssl3_get_server_hello:parse tlsext

A tcpdump of the failure when curl sends ALPN which contains http/1.1 and h2 as its client protocols, of which the Server Hello replies and chooses h2.

A tcpdump of the successful request with the --no-alpn flag verifies that no ALPN TLS extension data is present.

If I understand the docs and this thread correctly, Squid should be removing h2 from the ALPN in the Client Hello since Squid does not support it. But it appears to be passing it through and failing when the server chooses it.

The relevant lines from my squid.conf:

http_port 3130 ssl-bump cert=/etc/squid/squid.pem
follow_x_forwarded_for allow localnet
cache deny all
acl SSL_Port port 443
acl Proxy_port port 3130
http_access allow Proxy_port
http_access allow SSL_Port
acl allowed_http_sites dstdom_regex '/etc/squid/trusted_http_sites.lst'
acl allowed_https_sites ssl::server_name_regex '/etc/squid/trusted_https_sites.lst'
acl allowed_https_ips dst '/etc/squid/trusted_https_ips.lst'
http_access allow allowed_http_sites
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump peek step2 allowed_https_sites
ssl_bump peek step2 allowed_https_ips
ssl_bump splice step3 allowed_https_sites
ssl_bump splice step3 allowed_https_ips
ssl_bump terminate step2 all
http_access deny all
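
The ALPN exchange described in the post, as an added example (not part of the original message and not Squid's code): it decodes an ALPN extension body in the RFC 7301 wire format, reduces a client offer to what an HTTP/1.1-only intermediary speaks, and checks a server's selection against an offer. The hex samples are constructed, and all function names are hypothetical.

```python
import struct
from typing import List, Optional, Set

def parse_alpn(ext_data: bytes) -> List[str]:
    """Decode an ALPN extension body: uint16 list length, then 1-byte-length names."""
    if len(ext_data) < 2:
        raise ValueError("ALPN body shorter than its length prefix")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    if list_len != len(ext_data) - 2:
        raise ValueError("ALPN list length does not match extension size")
    names, pos = [], 2
    while pos < len(ext_data):
        n = ext_data[pos]
        pos += 1
        if n == 0 or pos + n > len(ext_data):
            raise ValueError("malformed ALPN protocol name")
        names.append(ext_data[pos:pos + n].decode("ascii"))
        pos += n
    return names

def build_alpn(names: List[str]) -> bytes:
    """Encode protocol names back into an ALPN extension body."""
    body = b"".join(bytes([len(n)]) + n.encode("ascii") for n in names)
    return struct.pack("!H", len(body)) + body

def filter_offer(client_ext: bytes, supported: Set[str]) -> Optional[bytes]:
    """Keep only protocols the intermediary speaks; None means omit the extension."""
    kept = [n for n in parse_alpn(client_ext) if n in supported]
    return build_alpn(kept) if kept else None

def check_selection(server_ext: bytes, offered: List[str]) -> str:
    """A ServerHello carries exactly one name, and it must come from the offer."""
    chosen = parse_alpn(server_ext)
    if len(chosen) != 1:
        raise ValueError("ServerHello must select exactly one protocol")
    if chosen[0] not in offered:
        raise ValueError(f"server selected {chosen[0]!r}, which was not offered")
    return chosen[0]

# Constructed samples: a client offering h2 and http/1.1, a server picking h2.
CLIENT_OFFER = bytes.fromhex("000c02683208687474702f312e31")
SERVER_PICK = bytes.fromhex("0003026832")

if __name__ == "__main__":
    print("client offered:", parse_alpn(CLIENT_OFFER))
    print("server chose:  ", check_selection(SERVER_PICK, parse_alpn(CLIENT_OFFER)))
    print("filtered offer:", filter_offer(CLIENT_OFFER, {"http/1.1"}).hex())
```

With the offer filtered to http/1.1, a server reply selecting h2 fails `check_selection`, which is the mismatch to look for when comparing the two captures.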