
Re: SQUID_ERR_SSL_HANDSHAKE


this is in my squid.conf


acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# e.g. www.google.com
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"

ssl_bump stare step1 all
ssl_bump splice nobumpsites
ssl_bump bump all

# contains e.g. download.microsoft.com
acl brokenButTrusted dstdomain "/etc/squid/brokenbuttrustedsites-acl.squid"

acl certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
...
acl squidSslHandshake ssl_error SQUID_ERR_SSL_HANDSHAKE

sslproxy_cert_sign_hash sha256

sslproxy_cert_error allow brokenButTrusted
sslproxy_cert_error deny all

sslproxy_cafile /etc/squid/ca-bundle.trust.crt
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
sslcrtd_children 8




On 28.06.2019 16:34, L.P.H. van Belle wrote:
The SSL3_GET_MESSAGE?

Maybe because they only support TLSv1.2?
It's long ago I have seen a site well configured for once with its TLS settings.

So most probably, you're downgrading the connection within the proxy settings to SSLv3.

And sharing your config might help to see that.
 
Greetz,
 
Louis
 

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Walter H.
Sent: Friday, 28 June 2019 16:21
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: SQUID_ERR_SSL_HANDSHAKE

Hello,

at some specific hosts
this is shown in cache.log
2019/06/28 16:11:12 kid1| Error negotiating SSL on FD 17: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)

and this is the error page I get

Failed to establish a secure connection to ...

 (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

 Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message

what is causing this?

in case some want to try:   https://www.3bg.at/
(when disabling SSL-bump no problem)

Thanks,
Walter

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
