On 16/07/21 4:38 pm, David Mills wrote:
> Hi Amos,
> sorry for the big delay here - I've had lots of other things to attend
> to. I turned on the logging you suggested. For a failed "apt update"
> attempt on the client I get the following attached access.log and cache.log.
> Are any of the lines
> 2021/07/16 04:28:01.423 kid1| 83,5| bio.cc(396) adjustSSL: Extension
> 13 does not supported!
> ...
> 20212021/07/16 04:28:32.465 kid1| 83,2| client_side.cc(3749)
> Squid_SSL_accept: Error negotiating SSL connection on FD 11: Aborted
> by client: 5
> ...
> 2021/07/16 04:28:02.452 kid1| Error negotiating SSL on FD 17:
> error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher
> returned (1/-1/0)
> ...
> 2021/07/16 04:28:01.413 kid1| 83,2| client_side.cc(4293)
> clientPeekAndSpliceSSL: SSL_accept failed.
> important?

Very. It means the libssl Squid is built with and using is not able to
understand the TLS the server is sending.
Squid-4 should be more tolerant of this particular issue, or at least
able to follow the on_unsupported_protocol directive when it is encountered.
Older Squid versions depend more directly on the library TLS parsing, which
cannot handle unknown values well.
Amos
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
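
A triage sketch for the cache.log lines quoted in this thread, added here as an example (it is not part of the original message and not Squid tooling). It separates client-facing accept failures from the server-facing handshake error and decodes the OpenSSL `error:code:library:function:reason` string; the names `triage` and `classify` and the side labels are this example's own, and the sample is the quoted lines unwrapped, with the doubled year in one timestamp dropped.

```python
import re

# Lines quoted in the thread, unwrapped to one per line; the doubled "2021" is normalised.
SAMPLE = """\
2021/07/16 04:28:01.423 kid1| 83,5| bio.cc(396) adjustSSL: Extension 13 does not supported!
2021/07/16 04:28:32.465 kid1| 83,2| client_side.cc(3749) Squid_SSL_accept: Error negotiating SSL connection on FD 11: Aborted by client: 5
2021/07/16 04:28:02.452 kid1| Error negotiating SSL on FD 17: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned (1/-1/0)
2021/07/16 04:28:01.413 kid1| 83,2| client_side.cc(4293) clientPeekAndSpliceSSL: SSL_accept failed.
"""

# timestamp, worker, optional "section,level|" debug prefix, then the message
LINE = re.compile(r"^(?P<ts>\d{4}/\d\d/\d\d [\d:.]+) (?P<kid>kid\d+)\| "
                  r"(?:(?P<section>\d+),(?P<level>\d+)\| )?(?P<msg>.*)$")
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>
OSSL = re.compile(r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):"
                  r"(?P<func>[^:]*):(?P<reason>.*?)(?: \(|$)")
FD = re.compile(r"\bFD (\d+)")

def classify(msg):
    """Label which leg of the bumped connection a message concerns."""
    if "Squid_SSL_accept" in msg or "clientPeekAndSpliceSSL" in msg:
        return "client-side"   # Squid accepting TLS from the client
    ossl = OSSL.search(msg)
    if ossl and "server_hello" in ossl["func"]:
        return "server-side"   # libssl failed while reading the ServerHello
    if "adjustSSL" in msg:
        return "tls-parse"     # Squid's own hello parsing skipped something
    return "other"

def triage(text):
    """Parse cache.log text into events sorted by timestamp."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue           # continuation or unrelated line
        msg, fd, ossl = m["msg"], FD.search(m["msg"]), OSSL.search(m["msg"])
        events.append({"ts": m["ts"], "section": m["section"],
                       "side": classify(msg),
                       "fd": int(fd.group(1)) if fd else None,
                       "openssl": ossl.groupdict() if ossl else None})
    return sorted(events, key=lambda e: e["ts"])

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e["ts"], e["side"], e["fd"], e["openssl"])
```

Sorting by timestamp matters here because the lines were quoted out of order: the server-side `unknown cipher returned` error at 04:28:02 precedes the client abort at 04:28:32.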