On 25/06/20 2:57 am, Vieri wrote:
> Hi,
>
> Today I just migrated from Squid 3 to Squid 4, and I found that a reverse proxy that was working fine before is now failing. The client browser sees this message:
>
> [No Error] (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: [No Error]
>
> This is how I configured the backend:
>
> cache_peer 10.215.144.16 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/MY-CA/certs/W1_cert.cer sslkey=/etc/ssl/MY-CA/certs/W1_key_nopassphrase.pem sslcafile=/etc/ssl/MY-CA/cacert.pem ssloptions=NO_SSLv3,NO_SSLv2,NO_TLSv1_2,NO_TLSv1_1 sslflags=DONT_VERIFY_PEER front-end-https=on name=MyServer

All options relating to SSLv2 are no longer supported in Squid-4+:
<http://www.squid-cache.org/Versions/v4/RELEASENOTES.html#ss2.3>

> The NO_TLSv* options are because the backend server is an old Windows 2003 (which hasn't changed either).

Does it obey TLS/1.0 properly? If so, you should only need to configure these for Squid-4+:

  tls-options=NO_SSLv3,NO_TLSv1_3
  tls-min-version=1.0

If it is so broken that it cannot handle TLS 1.1 or 1.2 numbers in the handshake (TLSv1.0 requires that it does), then you will need:

  tls-options=NO_SSLv3,NO_TLSv1_1,NO_TLSv1_2,NO_TLSv1_3

> How can I debug this?

Start with removing the "sslflags=DONT_VERIFY_PEER" so TLS information gets checked instead of silently ignored.

Then reduce the ssloptions= as much as you can. Remove if possible.

A packet trace of what is being attempted will be useful then.

Amos
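As an added illustration (not part of Amos's reply or the Squid project's documentation), here is the Squid 3 cache_peer line from the post beside one migrated to the Squid 4 option names from the release notes, following the advice above: the ssl* options renamed to tls-*, the SSLv2 option dropped, DONT_VERIFY_PEER removed so the backend certificate is actually validated against the CA file, and only the protocol versions the backend cannot speak disabled. The peer address and file paths are the ones quoted in the thread; the first variant (TLS 1.0 with proper version negotiation) is assumed.

```conf
# Squid 3 line as posted: ssl* peer options, which Squid 4 no longer accepts.
cache_peer 10.215.144.16 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/MY-CA/certs/W1_cert.cer sslkey=/etc/ssl/MY-CA/certs/W1_key_nopassphrase.pem sslcafile=/etc/ssl/MY-CA/cacert.pem ssloptions=NO_SSLv3,NO_SSLv2,NO_TLSv1_2,NO_TLSv1_1 sslflags=DONT_VERIFY_PEER front-end-https=on name=MyServer

# Squid 4 equivalent:
#  - ssl -> tls, sslcert -> tls-cert, sslkey -> tls-key, sslcafile -> tls-cafile
#  - NO_SSLv2 removed (SSLv2 support is gone entirely)
#  - sslflags=DONT_VERIFY_PEER removed, so the backend certificate is checked
#    against cacert.pem and a handshake failure is reported with a real reason
#  - tls-min-version=1.0 plus tls-options=NO_SSLv3,NO_TLSv1_3 leaves TLS 1.0,
#    1.1 and 1.2 negotiable, which a backend that obeys TLS 1.0 properly needs
cache_peer 10.215.144.16 parent 443 0 no-query originserver login=PASS tls tls-cert=/etc/ssl/MY-CA/certs/W1_cert.cer tls-key=/etc/ssl/MY-CA/certs/W1_key_nopassphrase.pem tls-cafile=/etc/ssl/MY-CA/cacert.pem tls-min-version=1.0 tls-options=NO_SSLv3,NO_TLSv1_3 front-end-https=on name=MyServer
```

With verification now enabled, a backend certificate whose name does not match 10.215.144.16 will fail loudly instead of being silently accepted; the fix is to correct the certificate or set tls-domain= to the name it actually carries, not to restore DONT_VERIFY_PEER.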