Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

Sat, 29 Jun 2019 07:04:09 -0700 

Hello Amos,

On 29.06.2019 14:13, Amos Jeffries wrote:


That is a good sign. That exact combo is in the set supported by the
breaking server so it is unlikely your Squid or its OpenSSL is
contributing to this particular problem.


quite strange only a few sites don't work, https://www.3bg.at is an 
example of such; many others work as expected; 

That is a bit odd. Though looking at the SSL Labs report for this
www.3bg.at site their restricting to only TLS/1.2 and there are many
clients for which the encryption handshake does not work.

<https://www.ssllabs.com/ssltest/analyze.html?d=www.3bg.at>  look to the
list of failures under "Handshake Simulation" and the whole list of "Not
simulated clients" for comparison with UA of any of your clients having
trouble connecting there.

I have my own website and there I did something similar - disabling 
TLSv1 and TLSv1.1,

thus only allowing TLSv1.2
here
https://www.ssllabs.com/ssltest/analyze.html?d=ssl.mathemainzel.info
shows the same; many failures under "Handshake Simulation"
but the weird thing, this works with my Squid :-)



Squid SSL-Bump is limited to negotiating use of TLS versions and
features which are supported by both itself and the client when offering
things to the server. So the problem of some clients agents not
supporting TLS/1.2 or the ciphers the server wants to use can make the
site fail even if your Squid outbound settings support them.


PS. At the technical level that exact error from OpenSSL means that some
data arrived from the server at a time when only TLS alert messages were
supposed to be happening.

there is also something different;   when doing the following:

openssl s_client -connect  HOST:PORT -servername HOST


this lasts about 1 or 2 minutes until a certificate is shown with  
www.3bg.at

but with my site this goes quickly withing seconds;


I suspect it could be a sign that the
Internet between your proxy and that server is being MITM'd by an agent
that corrupts the protocol for some reason. eg someone elses proxy
rejecting the connection but getting its error response syntax wrong.

could this be a proxy on the server side?
but the strange:  without SSL bump or direct without squid this site works;
(even my browser uses an uncommon UA string and is not the original Firefox)

what strange thing is doing this bad on some sites?

Thanks,
Walter




Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature


_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users






















					Reply via email to