On 30/04/20 6:16 am, Walter H. wrote:
> It is very probable that the following has the same reason - but I don't
> know what's causing it ...
>
> the old browser on old OS gives this
>
> <errorpage>
> While trying to retrieve the URL: https://mein.elba.hypo.at/*
>
> The following error was encountered:
>
> * Failed to establish a secure connection to 217.13.188.204
>
> The system returned:
>
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Handshake with SSL server failed: error:1407742E:SSL
> routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
> ...
> </errorpage>
>
> the new browser works ...
>
> I thought that the SSL connection between browser and squid is different
> from the one between squid and server;
> how can there be an SSL handshake problem between squid and server when
> using an old browser?
>

For transparency, and because TLS requirements are embedded in the
certificates, Squid makes the connection to the server as close as
possible to the same properties the client connection uses.

The change in browser thus affects both what Squid can pass on to the
server, and what can be passed back from the server to the client.

...

>> sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA

This is a misconfiguration. Please drop the DONT_VERIFY_PEER.

If the server is not validating using the CA certs you told Squid were
the *only* acceptable CAs:

  sslproxy_cafile /etc/squid/ca-bundle.trust.crt

... then either the contents of that file are wrong, or the server
connection is compromised. Determining the latter is the whole point of
TLS.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
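The weak setting quoted in the thread beside a corrected form, as an added squid.conf example that is not part of the original mail. The sslproxy_flags and sslproxy_cafile lines and the bundle path come from the thread; the http_port, the ssl_bump lines and the Squid 4.x equivalent are assumptions added for illustration.

```conf
# Added example, not from the thread. Directive names and the CA bundle
# path are the ones quoted in the mail; everything else is an assumption.

# --- WEAK: what the quoted config does ---------------------------------
# DONT_VERIFY_PEER makes Squid accept any server certificate, so a forged
# or mis-issued certificate on the Squid->server leg is never rejected.
# NO_DEFAULT_CA only stops Squid loading the system CA store; with a
# sslproxy_cafile set that is fine on its own, but together with
# DONT_VERIFY_PEER the bundle is effectively never enforced.
#sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
#sslproxy_cafile /etc/squid/ca-bundle.trust.crt

# --- CORRECTED: verify the server against the chosen CA bundle ---------
# Keep NO_DEFAULT_CA if the bundle below is meant to be the *only* set of
# trust anchors; drop DONT_VERIFY_PEER so a validation failure is an error
# (wrong bundle contents, or a tampered server connection) instead of
# being silently ignored.
sslproxy_flags NO_DEFAULT_CA
sslproxy_cafile /etc/squid/ca-bundle.trust.crt

# Squid 4.x spelling of the same two settings (assumed equivalent form):
# tls_outgoing_options cafile=/etc/squid/ca-bundle.trust.crt default-ca=off

# Bumping setup (assumption) consistent with the explanation in the mail:
# peek at step 1 so Squid can mirror the client's TLS hello properties on
# the server connection, then splice. A client that only offers an old
# protocol version therefore gets the server's "protocol version" alert
# reported back as the SQUID_ERR_SSL_HANDSHAKE error shown above.
http_port 3128 ssl-bump cert=/etc/squid/bump.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
```

After changing the flags, check cache.log for certificate validation errors on the server leg: with DONT_VERIFY_PEER gone, a bad bundle shows up there rather than being masked.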