On 4/29/20 2:16 PM, Walter H. wrote:
> It is very probable that the following has the same reason - but I don't
> know what's causing it ...

While your symptoms are a bit different, you might be suffering from the
problem fixed by https://github.com/squid-cache/squid/pull/588

> Handshake with SSL server failed: error:1407742E:SSL
> routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

> I thought that the SSL connection between browser and squid is different
> from the one between squid and server;

When staring or bumping, it is. However, "different" does not imply
"unrelated" (as discussed below).

> how can there be an SSL handshake problem between squid and server when
> using an old browser?

Depending on the conditions, Squid relays parts of the browser handshake
when talking to the server. For more (incomplete/stale) details, please
see the "Mimicking TLS Client Hello properties when staring" section at
https://wiki.squid-cache.org/Features/SslPeekAndSplice

IIRC, Squid mimics at least some properties because we wanted Squid to
"represent" the client to the server as faithfully as possible (i.e.,
minimize Squid-introduced changes to the TLS-negotiated parameters). In
retrospect, I am not sure that was the right decision. Perhaps the choice
should be the opposite or configurable.

Please note that I am not trying to justify Squid actions. I am only
explaining why what you observe may be possible. One could argue that
Squid should not mimic the TLS client at all (when staring). I do not
recall whether anybody has tried to make that argument.

HTH,

Alex.

> On 29.04.2020 19:26, Walter H. wrote:
>> I have two squids,
>>
>> one does SSL bump (3.5latest CentOS 6)
>> the other doesn't SSL bump (3.4latest CentOS 6)
>>
>> everything works,
>>
>> I have a site that uses SSL/TLS, and two different browsers (one in a
>> VM with old windows),
>>
>> when I use the squid without SSL bump, the site works with both browsers,
>>
>> but when I use the squid with SSL bump, with the old browser I get a
>> "Gateway Proxy failure"
>>
>> the log shows this:
>>
>> host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
>> host - - [29/Apr/2020:19:04:11 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info
>>
>> compared to the log when using the other browser ...
>>
>> host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
>> host - - [29/Apr/2020:19:05:53 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 "https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT SNI:ssl.mathemainzel.info
>>
>> is this caused by the browser on old OS itself?
>>
>> squid.conf (of squid with SSL bump)
>>
>> reply_header_access Public-Key-Pins deny all
>>
>> reply_header_access Strict-Transport-Security deny all
>> reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
>>
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"
>>
>> ssl_bump peek step1
>> ssl_bump splice nobumpsites
>> ssl_bump stare step2
>> ssl_bump bump all
>>
>> sslproxy_cafile /etc/squid/ca-bundle.trust.crt
>> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
>>
>> sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>>
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
>> sslcrtd_children 8
>>
>> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squidCA.pem options=NO_SSLv2,NO_SSLv3
>>
>>
>> Thanks,
>> Walter
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
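The mimicking behaviour Alex describes, as an added example that is not part of the thread and not Squid's own code: a minimal TLS ClientHello builder and parser, plus a toy origin-server check, so you can see how relaying a legacy browser's offered protocol versions and cipher suites toward a server that requires TLS 1.2 ends in exactly the "tlsv1 alert protocol version" failure quoted above, while a hello chosen by the proxy itself would not. The two hellos, the server's minimum version and its cipher list are constructed for this example; the real set of properties Squid copies is documented (incompletely) on the wiki page Alex links and is not reproduced here.

```python
# Added example (not Squid code): model of a peeking/staring proxy that relays
# the client's ClientHello properties to the origin server unchanged.
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B


def build_client_hello(version, cipher_suites, sni=None, supported_versions=None):
    """Serialise a minimal TLS ClientHello record (constructed test input)."""
    body = struct.pack(">H", version) + bytes(32)            # legacy_version, random
    body += b"\x00"                                           # empty session id
    suites = b"".join(struct.pack(">H", c) for c in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                                       # compression: null only
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        name = b"\x00" + struct.pack(">H", len(host)) + host  # name_type host_name
        data = struct.pack(">H", len(name)) + name
        exts += struct.pack(">HH", EXT_SNI, len(data)) + data
    if supported_versions:
        vs = b"".join(struct.pack(">H", v) for v in supported_versions)
        data = bytes([len(vs)]) + vs
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    if exts:
        body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract what a peeking proxy sees in step 1: version, suites, SNI, supported_versions."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9                                                   # record + handshake headers
    version = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2 + 32                                             # version + random
    pos += 1 + record[pos]                                    # session id
    n = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", record[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + record[pos]                                    # compression methods
    info = {"version": version, "cipher_suites": suites, "sni": None, "supported_versions": []}
    if pos < len(record):
        end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack(">HH", record[pos:pos + 4])
            data = record[pos + 4:pos + 4 + elen]
            if etype == EXT_SNI:
                hlen = struct.unpack(">H", data[3:5])[0]
                info["sni"] = data[5:5 + hlen].decode("ascii")
            elif etype == EXT_SUPPORTED_VERSIONS:
                info["supported_versions"] = [struct.unpack(">H", data[i:i + 2])[0]
                                              for i in range(1, 1 + data[0], 2)]
            pos += 4 + elen
    return info


def server_decision(hello, min_version, server_suites):
    """Toy origin server: reject too-old versions first, then unknown cipher suites."""
    offered = hello["supported_versions"] or [hello["version"]]
    if max(offered) < min_version:
        return "alert protocol_version"
    if not any(s in server_suites for s in hello["cipher_suites"]):
        return "alert handshake_failure"
    return "ServerHello"


# Constructed hellos: a legacy browser (TLS 1.0 max, RC4/3DES/AES-CBC suites)
# and a modern one advertising TLS 1.3/1.2 with AEAD suites.
LEGACY = build_client_hello(TLS10, [0x0004, 0x000A, 0x002F], sni="ssl.mathemainzel.info")
MODERN = build_client_hello(TLS12, [0xC02F, 0xC02B, 0x009C], sni="ssl.mathemainzel.info",
                            supported_versions=[TLS13, TLS12])
SERVER_SUITES = {0xC02F, 0xC02B, 0x009C}   # assumed: the origin only speaks TLS 1.2+ AEAD


def outcome(client_hello, proxy_mimics):
    """Relay the client's hello unchanged (mimic) or send the proxy's own modern hello."""
    hello = parse_client_hello(client_hello if proxy_mimics else MODERN)
    return server_decision(hello, TLS12, SERVER_SUITES)


if __name__ == "__main__":
    print(parse_client_hello(LEGACY))
    print("legacy client, proxy mimics client hello:", outcome(LEGACY, True))
    print("legacy client, proxy uses its own hello:", outcome(LEGACY, False))
```

The point the model makes visible: with a non-bumping proxy the legacy browser talks TLS 1.0 directly to a server that apparently still accepts it (the site works), but once the proxy stares and copies the client's offered version toward an origin configured here to insist on TLS 1.2, the origin answers with a protocol_version alert and the client sees a gateway error. Whether the proxy should instead negotiate with its own, stronger hello is the policy question Alex raises.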
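For spotting this failure pattern at scale rather than by eye, here is an added triage script (not part of the thread and not a Squid tool) that runs over access.log lines in the custom format Walter's log uses and pairs each successful CONNECT with the next request from the same client and User-Agent to the same SNI, flagging the ones that come back 5xx with HIER_NONE, i.e. the proxy never reached the origin for the bumped request. The sample lines are the four from the thread, embedded here as constructed input; the logformat field order is assumed from them.

```python
# Added example (not Squid code): find bumped connections that failed right
# after a successful CONNECT, grouped by client User-Agent.
import re

# Assumed field order, taken from the log lines in the thread:
# client ident user [ts] "method url proto" status bytes "referer" "ua" TAG:HIER SNI:host
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<tag>\S+):(?P<hier>\S+) SNI:(?P<sni>\S+)$')

# Constructed sample: the four lines quoted in the thread.
SAMPLE_LOG = [
    'host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" '
    '"Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" '
    'TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info',
    'host - - [29/Apr/2020:19:04:11 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" '
    '"Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" '
    'TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info',
    'host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" '
    'TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info',
    'host - - [29/Apr/2020:19:05:53 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 '
    '"https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" '
    'TCP_MISS:HIER_DIRECT SNI:ssl.mathemainzel.info',
]


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_bump_failures(lines):
    """Pair CONNECT 200 with the next request to the same SNI from the same client+UA."""
    pending = {}        # (client, ua, sni) -> timestamp of the open CONNECT
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["client"], rec["ua"], rec["sni"])
        if rec["method"] == "CONNECT" and rec["status"] == 200:
            pending[key] = rec["ts"]
        elif key in pending:
            # First request inside the tunnel: 5xx with HIER_NONE means Squid
            # answered on its own, i.e. the server-side handshake never completed.
            if rec["status"] >= 500 and rec["hier"] == "HIER_NONE":
                findings.append({"client": rec["client"], "ua": rec["ua"], "sni": rec["sni"],
                                 "url": rec["url"], "status": rec["status"],
                                 "connect_ts": pending[key], "request_ts": rec["ts"]})
            pending.pop(key)
    return findings


def user_agents_with_failures(lines):
    """Distinct User-Agents that hit a bump failure; useful for spotting one legacy client."""
    return sorted({f["ua"] for f in find_bump_failures(lines)})


if __name__ == "__main__":
    for f in find_bump_failures(SAMPLE_LOG):
        print(f["connect_ts"], f["sni"], f["status"], f["ua"])
```

Run it over a day of access.log and the User-Agent column of the output tells you immediately whether bump failures cluster on a particular client generation, which is the first thing to check before blaming the origin or the ssl_bump rules.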