This is in my squid.conf:

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid" <-- e.g. www.google.com

ssl_bump stare step1 all
ssl_bump splice nobumpsites
ssl_bump bump all

acl brokenButTrusted dstdomain "/etc/squid/brokenbuttrustedsites-acl.squid" <-- contains e.g. download.microsoft.com

acl certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
...
acl squidSslHandshake ssl_error SQUID_ERR_SSL_HANDSHAKE

sslproxy_cert_sign_hash sha256

sslproxy_cert_error allow brokenButTrusted
sslproxy_cert_error deny all

sslproxy_cafile /etc/squid/ca-bundle.trust.crt
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
sslcrtd_children 8




On 28.06.2019 16:34, L.P.H. van Belle wrote:
The SSL3_GET_MESSAGE?
Maybe because they only support TLSv1.2?
It's long ago that I saw a site well configured, for once, with its TLS settings. So most probably you're downgrading the connection within the proxy settings to SSLv3.
And sharing your config might help to see that.
Greetz,
Louis

    *From:* squid-users
    [mailto:squid-users-boun...@lists.squid-cache.org] *On behalf of *Walter H.
    *Sent:* Friday, 28 June 2019 16:21
    *To:* squid-users@lists.squid-cache.org
    *Subject:* [squid-users] SQUID_ERR_SSL_HANDSHAKE

    Hello,

    At some specific hosts, this is shown in cache.log:
    2019/06/28 16:11:12 kid1| Error negotiating SSL on FD 17: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)

    And this is the error page I get:

    Failed to establish a secure connection to ...

     (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
     Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message

    What is causing this?

    In case someone wants to try: https://www.3bg.at/
    (when disabling SSL-bump there is no problem)

    Thanks,
    Walter



_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
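Added example, not part of this thread: it expands the sslproxy_cipher string from the squid.conf at the top of this message with Python's ssl module and groups the resulting suites by key exchange and server authentication, which shows whether the proxy still offers something an origin with an RSA or ECDSA certificate can accept before anyone starts changing protocol versions. It assumes Squid passes sslproxy_cipher unchanged to OpenSSL's SSL_CTX_set_cipher_list (so Python, using the same OpenSSL rules, expands it identically) and takes the TLSv1_2 ceiling from the sslproxy_options line; the function names are mine.

```python
import re
import ssl

# Copied from the squid.conf posted in this thread.
SQUID_SSLPROXY_CIPHER = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:"
    "ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:"
    "!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP"
)

# Fields of OpenSSL's one-line cipher description, e.g. "Kx=ECDH Au=ECDSA".
_FIELD = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")

def expand_cipher_string(cipher_string, max_version=ssl.TLSVersion.TLSv1_2):
    """Return the suites an OpenSSL client configured with cipher_string offers.

    Assumption: Squid hands sslproxy_cipher unchanged to SSL_CTX_set_cipher_list,
    so Python's ssl module (same OpenSSL rules) expands it identically. TLS 1.3
    suites are skipped: the thread's sslproxy_options stop at TLSv1_2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = max_version
    ctx.set_ciphers(cipher_string)  # SSLError here means nothing matched at all
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        fields = dict(_FIELD.findall(c["description"]))  # Kx, Au, Enc, Mac
        suites.append({"name": c["name"], "protocol": c["protocol"], **fields})
    return suites

def summarize(suites):
    """Group suite names by server authentication (Au=) and key exchange (Kx=).

    An origin whose certificate type (RSA or ECDSA) has no entry under "auth"
    cannot be bumped with this cipher string, whatever TLS version it speaks.
    """
    by_auth, by_kx = {}, {}
    for s in suites:
        by_auth.setdefault(s["Au"], []).append(s["name"])
        by_kx.setdefault(s["Kx"], []).append(s["name"])
    return {"auth": by_auth, "kx": by_kx}

if __name__ == "__main__":
    offered = expand_cipher_string(SQUID_SSLPROXY_CIPHER)
    report = summarize(offered)
    print(f"{len(offered)} suites offered up to TLS 1.2")
    for auth, names in report["auth"].items():
        print(f"  Au={auth:6} {len(names):3} suites, first: {names[0]}")
```

Run it on the proxy host itself so the OpenSSL build doing the expansion is the one Squid links against.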
