On 7/27/21 11:45 AM, Vieri wrote:
> Just recently I've noticed that LAN clients going through Squid with sslbump are all of a sudden unable to access certain HTTPS sites such as login.yahoo.com.
> The squid log has lines like:
>
> kid1| 4,3| Error.cc(22) update: recent: ERR_SECURE_CONNECT_FAIL/SQUID_ERR_SSL_HANDSHAKE+TLS_LIB_ERR=1423506E+TLS_IO_ERR=1
>
> and the client error page shows a line like this:
>
> SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=14094410+TLS_IO_ERR=1
>
> I'm not sure why the lib error code is different. I might not have tracked down the right connection in the log.
>
> I have not changed anything in the OS so it might be because of a change in the remote web service.
> It might be that my openssl version is already too old (1.1.1g), and that the web site forces the use of an unsupported cypher?

FWIW, I get the following additional info from my OpenSSL 1.1.1f (your values may differ -- do check):

    $ openssl errstr 1423506E
    error:1423506E:SSL routines:ssl_next_proto_validate:bad extension

    $ openssl errstr 14094410
    error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

The former looks like an NPN negotiation failure. More detailed analysis is needed to confirm and get to the root cause. I doubt it is an OpenSSL version issue though.

HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
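
Added example, not part of the original message or of Squid/OpenSSL: a shell sketch that pulls the TLS_LIB_ERR values out of Squid error details and splits them into the library, function and reason fields that OpenSSL 1.1.1 packs into the code, which shows that 14094410 carries a TLS alert sent by the remote server while 1423506E is a check that failed locally. The function names are hypothetical, and the field layout is assumed to be that of OpenSSL 1.1.x (3.x packs error codes differently).

```shell
#!/bin/sh
# Decode the TLS_LIB_ERR value from a Squid error detail.
# Assumption: OpenSSL 1.1.x packing = 8-bit library | 12-bit function | 12-bit reason.

ERR_LIB_SSL=20      # library number of libssl in OpenSSL 1.1.1
ALERT_OFFSET=1000   # SSL_AD_REASON_OFFSET: reason = 1000 + TLS alert number

# decode_tls_lib_err HEX -> "lib=N func=N reason=N origin=..."
decode_tls_lib_err() (
    code=$((0x$1))
    lib=$(( (code >> 24) & 0xFF ))
    func=$(( (code >> 12) & 0xFFF ))
    reason=$(( code & 0xFFF ))
    origin="local"
    # For libssl, a reason at or above the offset encodes a TLS alert
    # received from the peer; the alert number is reason - 1000.
    if [ "$lib" -eq "$ERR_LIB_SSL" ] && [ "$reason" -ge "$ALERT_OFFSET" ]; then
        origin="peer-alert-$(( reason - ALERT_OFFSET ))"
    fi
    echo "lib=$lib func=$func reason=$reason origin=$origin"
)

# extract_lib_errs: log text on stdin -> one TLS_LIB_ERR hex value per line
extract_lib_errs() {
    grep -oE 'TLS_LIB_ERR=[0-9A-Fa-f]+' | cut -d= -f2
}

# decode_log: log text on stdin -> "HEX decoded-fields" per error detail
decode_log() {
    extract_lib_errs | while read -r hex; do
        echo "$hex $(decode_tls_lib_err "$hex")"
    done
}

# Sample input: the two error details quoted in the thread above.
SAMPLE_LOG='kid1| 4,3| Error.cc(22) update: recent: ERR_SECURE_CONNECT_FAIL/SQUID_ERR_SSL_HANDSHAKE+TLS_LIB_ERR=1423506E+TLS_IO_ERR=1
SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=14094410+TLS_IO_ERR=1'

printf '%s\n' "$SAMPLE_LOG" | decode_log
```

Alert number 40 is handshake_failure in the TLS alert registry, matching the `openssl errstr` text for 14094410.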