On 15/09/19 10:41 pm, John Sweet-Escott wrote:
> Hi All
>
> We are trying to run Squid 4.8, compiled with OpenSSL 1.1.1 (see [1]) on
> Ubuntu 18.04 as a transparent proxy for the purpose of egress filtering
> of HTTPS traffic using SNI (see config in [2]). It works correctly
> when contacting some addresses (e.g. https://www.ubuntu.com) but not
> others (e.g. https://www.google.com). When we contact
> https://www.google.com using TLS1.2 we get the error in the logs:
> 2019/09/15 10:33:09 kid1| ERROR: negotiating TLS on FD 19:
> error:1425F175:SSL routines:ssl_choose_client_version:inappropriate
> fallback (1/-1/0)
...
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)

I suspect it might have something to do with these ECDSA keys.

You do not have Elliptic-Curves enabled on the https_port client-facing
connection. So the TLS extensions associated are likely not to be
compatible between the client and the server connections Squid is
attempting to bridge between.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
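Added example, not part of the thread: a small Python triage helper that decodes the packed OpenSSL error code quoted in the Squid log line above and flags whether the offered cipher suite needs elliptic-curve support. The error-code layout and the two named constants come from the OpenSSL 1.1.1 headers; the "needs EC" check is a simple name heuristic of my own, and the sample lines are the ones quoted in the post.

```python
import re

# OpenSSL 1.1.1 packs an error code as: bits 31..24 library, bits 23..12
# function, bits 11..0 reason. Constants below are from err.h / sslerr.h.
ERR_LIB_SSL = 20
SSL_REASONS = {373: "SSL_R_INAPPROPRIATE_FALLBACK"}

# Squid cache.log shape: "negotiating TLS on FD <n>: error:<hex>:<lib>:<func>:<reason> (...)"
LOG_RE = re.compile(
    r"negotiating TLS on FD (?P<fd>\d+): error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^(]+)"
)
# Packet-capture style "Cipher Suite: <IANA name> (0xNNNN)" line
CIPHER_RE = re.compile(r"Cipher Suite: (?P<name>TLS_\w+) \((?P<id>0x[0-9A-Fa-f]{4})\)")


def decode_openssl_error(code: int) -> dict:
    """Split a packed OpenSSL error code into its numeric lib/func/reason parts."""
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def cipher_needs_ec(name: str) -> bool:
    """Heuristic: key exchange or authentication is elliptic-curve based (assumption)."""
    return "ECDHE" in name or "ECDSA" in name


def triage(log_line: str, cipher_line: str) -> dict:
    """Combine the Squid TLS error and the offered cipher suite into one finding."""
    m = LOG_RE.search(log_line)
    if m is None:
        raise ValueError("not a Squid TLS negotiation error line")
    result = decode_openssl_error(int(m["code"], 16))
    result["fd"] = int(m["fd"])
    result["reason_text"] = m["reason"].strip()
    if result["lib"] == ERR_LIB_SSL:
        result["reason_name"] = SSL_REASONS.get(result["reason"], "unknown SSL reason")
    else:
        result["reason_name"] = "non-SSL library"
    c = CIPHER_RE.search(cipher_line)
    result["cipher"] = c["name"] if c else None
    result["cipher_id"] = int(c["id"], 16) if c else None
    result["ec_required"] = cipher_needs_ec(c["name"]) if c else False
    return result


# Constructed sample input: the two lines quoted in the thread, re-joined.
SQUID_LOG = ("2019/09/15 10:33:09 kid1| ERROR: negotiating TLS on FD 19: "
             "error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback (1/-1/0)")
CIPHER_LOG = "Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)"

if __name__ == "__main__":
    print(triage(SQUID_LOG, CIPHER_LOG))
```

When `ec_required` is true and the reason decodes to `SSL_R_INAPPROPRIATE_FALLBACK`, the client-facing https_port TLS settings (curves and versions) are the first thing to compare against what the origin server negotiates.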