Search squid archive

Re: Gateway Proxy failure - but only with one browser ...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 30/04/20 6:16 am, Walter H. wrote:
> It is very probable that the following has the same reason - but I don't
> know what's causing it ...
> 
> the old browser on old OS gives this
> 
> <errorpage>
> While trying to retrieve the URL: https://mein.elba.hypo.at/*
> 
> The following error was encountered:
> 
>     * Failed to establish a secure connection to 217.13.188.204
> 
> The system returned:
> 
>     (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> 
>     Handshake with SSL server failed: error:1407742E:SSL
> routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
> ...
> </errorpage>
> 
> the  new browser works ...
> 
> I thought that the SSL connection between browser and squid is different
> from the one between squid and server;
> how can there be a SSL handshake problem between squid and server when
> using an old browser?
> 

For transparency and because TLS requirements are embedded in the
certificates Squid makes the connection to the server as close as
possible to the same properties the client connection uses.
 The change in browser thus affects both what Squid can pass on to the
server, and what can be passed back from the server to the client.

...

>> sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA

This is a misconfiguration. Please drop the DONT_VERIFY_PEER.

If the server is not validating using the CA certs you told Squid were
the *only* acceptible CAs:

  sslproxy_cafile /etc/squid/ca-bundle.trust.crt

... then either the contents of that file are wrong, or the server
connection is compromised. Determining the latter is the whole point of TLS.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux