I'm trying to set up Squid 4.8 on Ubuntu 18.04 LTS with HTTPS redirecting to the Squid error page for sites in ACLs. Yesterday I faced a major problem: HTTPS sites don't open normally in IE11/Edge and show only a blank page, and Squid replaces the certificate. If I press F5, sometimes the site opens as it should and the certificate replacement doesn't happen... and this doesn't work for all sites. I couldn't pinpoint the dependencies. I can also open some sites like rambler.ru, kanobu.ru, alexa.com normally.

The most interesting thing is that other browsers like Chrome, FF and even Opera open all sites as they should, and spoof the cert and redirect to the error page only if the site is present in the ACL.

What I already did:
- Disabled IPv6 on the Squid host
- Disabled/enabled TLS in IE in all variations
- Disabled SPDY/3

Bump settings in squid.conf:

    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
    ssl_bump peek all

I have these errors in /var/log/squid/cache.log:

    ERROR: negotiating TLS on FD 46: error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback (1/-1/0)
    ERROR: negotiating TLS on FD 104: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure (1/-1/0)
    ERROR: negotiating TLS on FD 27: error:1423406E:SSL routines:tls_parse_stoc_sct:bad extension (1/-1/0)

Error in access.log:

    TCP_DENIED/407 4141 CONNECT i.ibb.co:443 - HIER_NONE/- text/html

The same configuration works well on Squid 4.1.

Sorry for the complicated description, I'm new here and it's really hard for me.