I wrote the following "helping/helper/testing scripts":
https://github.com/elico/tls-check-script/blob/master/tls-check.rb
https://github.com/elico/tls-check-script/blob/master/check-dns-san.sh

Now I am trying to verify which issues exist that cause squid to give this result:

    2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46: error:00000001:lib(0):func(0):reason(1) (1/-1) connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ flags=33

So the output of:

    bash check-dns-san.sh 161.117.96.220 443

is:

    ## START
    Can't use SSL_get_servername
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
    verify return:1
    depth=0 CN = data.mistat.intl.xiaomi.com
    verify return:1
    DONE
    X509v3 Subject Alternative Name: DNS:data.mistat.intl.xiaomi.com
    ## END

And then I am testing with the following command:

    ruby tls-check.rb 161.117.96.220 443

and the output is:

    ## START
    ### Number of Ciphers to be tested: 66
    ### Timeout per test: 3
    ### Delay between tests: 1
    Testing TLS_AES_256_GCM_SHA384... NO, SSL_CTX_set_cipher_list
    Testing TLS_CHACHA20_POLY1305_SHA256... NO, SSL_CTX_set_cipher_list
    Testing TLS_AES_128_GCM_SHA256... NO, SSL_CTX_set_cipher_list
    Testing TLS_AES_128_CCM_SHA256... NO, SSL_CTX_set_cipher_list
    Testing ECDHE-ECDSA-AES256-GCM-SHA384... NO, sslv3 alert handshake failure
    Testing ECDHE-RSA-AES256-GCM-SHA384... CONNECTED: ECDHE-RSA-AES256-GCM-SHA384, YES, Secure Renegotiation IS supported
    Testing DHE-RSA-AES256-GCM-SHA384... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-CHACHA20-POLY1305... NO, sslv3 alert handshake failure
    Testing ECDHE-RSA-CHACHA20-POLY1305... NO, sslv3 alert handshake failure
    Testing DHE-RSA-CHACHA20-POLY1305... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-AES256-CCM8... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-AES256-CCM... NO, sslv3 alert handshake failure
    Testing DHE-RSA-AES256-CCM8... NO, sslv3 alert handshake failure
    Testing DHE-RSA-AES256-CCM... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-ARIA256-GCM-SHA384... NO, sslv3 alert handshake failure
    Testing ECDHE-ARIA256-GCM-SHA384... NO, sslv3 alert handshake failure
    Testing DHE-RSA-ARIA256-GCM-SHA384... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-AES128-GCM-SHA256... NO, sslv3 alert handshake failure
    Testing ECDHE-RSA-AES128-GCM-SHA256... CONNECTED: ECDHE-RSA-AES128-GCM-SHA256, YES, Secure Renegotiation IS supported
    Testing DHE-RSA-AES128-GCM-SHA256... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-AES128-CCM8... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-AES128-CCM... NO, sslv3 alert handshake failure
    Testing DHE-RSA-AES128-CCM8... NO, sslv3 alert handshake failure
    Testing DHE-RSA-AES128-CCM... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-ARIA128-GCM-SHA256... NO, sslv3 alert handshake failure
    Testing ECDHE-ARIA128-GCM-SHA256... NO, sslv3 alert handshake failure
    Testing DHE-RSA-ARIA128-GCM-SHA256... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-AES256-SHA384... NO, sslv3 alert handshake failure
    Testing ECDHE-RSA-AES256-SHA384... CONNECTED: ECDHE-RSA-AES256-SHA384, YES, Secure Renegotiation IS supported
    Testing DHE-RSA-AES256-SHA256... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-CAMELLIA256-SHA384... NO, sslv3 alert handshake failure
    Testing ECDHE-RSA-CAMELLIA256-SHA384... NO, sslv3 alert handshake failure
    Testing DHE-RSA-CAMELLIA256-SHA256... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-AES128-SHA256... NO, sslv3 alert handshake failure
    Testing ECDHE-RSA-AES128-SHA256... CONNECTED: ECDHE-RSA-AES128-SHA256, YES, Secure Renegotiation IS supported
    Testing DHE-RSA-AES128-SHA256... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-CAMELLIA128-SHA256... NO, sslv3 alert handshake failure
    Testing ECDHE-RSA-CAMELLIA128-SHA256... NO, sslv3 alert handshake failure
    Testing DHE-RSA-CAMELLIA128-SHA256... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-AES256-SHA... NO, sslv3 alert handshake failure
    Testing ECDHE-RSA-AES256-SHA... CONNECTED: ECDHE-RSA-AES256-SHA, YES, Secure Renegotiation IS supported
    Testing DHE-RSA-AES256-SHA... NO, sslv3 alert handshake failure
    Testing DHE-RSA-CAMELLIA256-SHA... NO, sslv3 alert handshake failure
    Testing ECDHE-ECDSA-AES128-SHA... NO, sslv3 alert handshake failure
    Testing ECDHE-RSA-AES128-SHA... CONNECTED: ECDHE-RSA-AES128-SHA, YES, Secure Renegotiation IS supported
    Testing DHE-RSA-AES128-SHA... NO, sslv3 alert handshake failure
    Testing DHE-RSA-CAMELLIA128-SHA... NO, sslv3 alert handshake failure
    Testing AES256-GCM-SHA384... CONNECTED: AES256-GCM-SHA384, YES, Secure Renegotiation IS supported
    Testing AES256-CCM8... NO, sslv3 alert handshake failure
    Testing AES256-CCM... NO, sslv3 alert handshake failure
    Testing ARIA256-GCM-SHA384... NO, sslv3 alert handshake failure
    Testing AES128-GCM-SHA256... CONNECTED: AES128-GCM-SHA256, YES, Secure Renegotiation IS supported
    Testing AES128-CCM8... NO, sslv3 alert handshake failure
    Testing AES128-CCM... NO, sslv3 alert handshake failure
    Testing ARIA128-GCM-SHA256... NO, sslv3 alert handshake failure
    Testing AES256-SHA256... CONNECTED: AES256-SHA256, YES, Secure Renegotiation IS supported
    Testing CAMELLIA256-SHA256... NO, sslv3 alert handshake failure
    Testing AES128-SHA256... CONNECTED: AES128-SHA256, YES, Secure Renegotiation IS supported
    Testing CAMELLIA128-SHA256... NO, sslv3 alert handshake failure
    Testing AES256-SHA... CONNECTED: AES256-SHA, YES, Secure Renegotiation IS supported
    Testing CAMELLIA256-SHA... NO, sslv3 alert handshake failure
    Testing AES128-SHA... CONNECTED: AES128-SHA, YES, Secure Renegotiation IS supported
    Testing CAMELLIA128-SHA... NO, sslv3 alert handshake failure
    Testing DHE-RSA-SEED-SHA... NO, sslv3 alert handshake failure
    Testing SEED-SHA... NO, sslv3 alert handshake failure
    Testing IDEA-CBC-SHA... NO, ssl_cipher_process_rulestr
    ## END

I assume that the above results might give a clue as to why the mentioned error line:

    2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46: error:00000001:lib(0):func(0):reason(1) (1/-1) connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ flags=33

happens. However, I am not sure.
Is there any config that might affect this negotiation in squid?

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx
Zoom: Coming soon
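
An added example, not part of the original message or of tls-check.rb: a small Ruby summariser for the "Testing ..." output above that separates ciphers the server accepted, ciphers it refused with a handshake alert, and ciphers that were never offered. Treating a reason that names an OpenSSL library function (`SSL_CTX_set_cipher_list`, `ssl_cipher_process_rulestr`) as a local failure is an assumption, as is the key-exchange mapping, which covers only the cipher-name families seen in this output; `summarize`, `key_exchange` and `accepted_by_key_exchange` are names made up for this example.

```ruby
# Added example (not part of tls-check.rb): summarise its "Testing ..." output.
# SAMPLE is a short excerpt of the output quoted in the message above.
SAMPLE = <<~OUT
  Testing TLS_AES_256_GCM_SHA384... NO, SSL_CTX_set_cipher_list
  Testing ECDHE-ECDSA-AES256-GCM-SHA384... NO, sslv3 alert handshake failure
  Testing ECDHE-RSA-AES256-GCM-SHA384... CONNECTED: ECDHE-RSA-AES256-GCM-SHA384, YES, Secure Renegotiation IS supported
  Testing DHE-RSA-AES256-GCM-SHA384... NO, sslv3 alert handshake failure
  Testing AES128-SHA... CONNECTED: AES128-SHA, YES, Secure Renegotiation IS supported
  Testing IDEA-CBC-SHA... NO, ssl_cipher_process_rulestr
OUT

# One entry: cipher name, CONNECTED/NO, then detail up to the next entry.
# The lookahead lets it parse one-per-line and run-together output alike.
ENTRY = /Testing (\S+?)\.\.\.\s+(CONNECTED|NO)[:,]\s*(.*?)(?=\s+Testing |\s+## END|\s*\z)/m

# Assumption: a reason naming an OpenSSL library function means the local
# library refused the cipher string, so no handshake reached the server.
LOCAL_ERRORS = /SSL_CTX_set_cipher_list|ssl_cipher_process_rulestr/

# Returns { accepted: [...], rejected: [...], untested: [...] }.
def summarize(text)
  summary = { accepted: [], rejected: [], untested: [] }
  text.scan(ENTRY) do |cipher, status, detail|
    bucket = if status == "CONNECTED" then :accepted
             elsif detail.match?(LOCAL_ERRORS) then :untested
             else :rejected
             end
    summary[bucket] << cipher
  end
  summary
end

# Key exchange implied by the OpenSSL cipher name (assumption: only the
# name families that appear in this output are handled).
def key_exchange(cipher)
  case cipher
  when /\ATLS_/   then "TLS1.3"
  when /\AECDHE-/ then "ECDHE"
  when /\ADHE-/   then "DHE"
  else "RSA" # no prefix: static RSA key exchange, no forward secrecy
  end
end

def accepted_by_key_exchange(text)
  summarize(text)[:accepted].group_by { |c| key_exchange(c) }
end

if __FILE__ == $PROGRAM_NAME
  summarize(SAMPLE).each { |bucket, list| puts "#{bucket}: #{list.join(', ')}" }
  puts accepted_by_key_exchange(SAMPLE).inspect
end
```

Ciphers in the `untested` bucket say nothing about the server, so they should not be read as "server does not support this".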