Netgate Discussion Forum

Squid error with TLS SSL after upgrade

Cache/Proxy
12 Posts 4 Posters 8.5k Views
  • J
    Jdwind
    last edited by Dec 29, 2016, 9:58 AM

    Hi, after upgrading the squid package I have an error like this:

    Handshake with SSL server failed: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
    
    (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
    
    This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request.
    

    When I change the squid SSL compatibility mode from modern to intermediate it works (squid in non-transparent mode, without WPAD). pfSense v. 2.3.2_1.

    • D
      doktornotor Banned
      last edited by Dec 29, 2016, 10:36 AM

      Only shitty protocols being supported by the server is not an issue in Squid.

      • J
        Jdwind
        last edited by Dec 29, 2016, 11:38 AM

        Would you explain what you mean? That happened when I upgraded the squid package to the newest version; before that it worked fine.

        • 1
          10665912
          last edited by Dec 29, 2016, 11:41 AM

          @Jdwind:

          Hi, after upgrading the squid package I have an error like this:

          Handshake with SSL server failed: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
          
          (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
          
          This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request.
          

          When I change the squid SSL compatibility mode from modern to intermediate it works (squid in non-transparent mode, without WPAD). pfSense v. 2.3.2_1.

          This occurs with sites that have a digital certificate with SNI … add the desired address to the bypass and run the test.

          Milton Araújo
          Information Technology Consultant
          Specialist in Microsoft, VMware and open-source tools, and passionate about best practices.

          • D
            doktornotor Banned
            last edited by Dec 29, 2016, 12:34 PM Dec 29, 2016, 12:31 PM

            @Jdwind:

            That happened when I upgraded the squid package to the newest version; before that it worked fine.

            I mean that this is not a Squid problem; do not set the compatibility to modern if you need to deal with HTTPS sites that can at best handle TLSv1.0 and/or require HIGH cipher suites to work.

            @Milton:

            This occurs with sites that have a digital certificate with SNI … add the desired address to the bypass and run the test.

            SNI is just unrelated to the behavior described here. If you are having issues with SNI and SSL interception, perhaps you could test this fix as requested 2 days ago with absolutely zero response so far from anyone.

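To make the diagnosis in the two posts above concrete (the error quoted in the first post, and the explanation that it is a protocol/cipher mismatch with the upstream server rather than an SNI problem), here is an added Python example; it is not code from the thread, from pfSense or from the Squid package. It parses OpenSSL error strings of the form quoted in the first post into their library, function and reason fields, maps the reason to a likely cause, and offers a probe that connects to a server once per TLS version and records which versions the server accepts. The function names and the keyword-to-diagnosis mapping are my own, the sample error strings in the comments are taken from the thread or constructed, and the probe needs network access to whichever server is failing.

```python
"""Diagnose a Squid SSL-bump upstream handshake failure (added example).

Two pieces:
  1. parse_openssl_error(): pulls library / function / reason out of an
     OpenSSL error string such as the one quoted in the thread.
  2. probe_tls_versions(): opens one TLS connection per protocol version
     to a server and records which versions it accepts, so you can confirm
     a "server only speaks TLS 1.0" diagnosis before lowering the proxy's
     compatibility mode for everyone.  Requires network access.
"""
import re
import socket
import ssl

# OpenSSL 1.0.x-style error: error:<8 hex digits>:<library>:<function>:<reason>
# Example from the thread:
#   error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
_OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^\n]*)")


def parse_openssl_error(msg):
    """Return (code, library, function, reason) from an OpenSSL error string,
    or None if the string does not contain one."""
    m = _OPENSSL_ERR.search(msg)
    if not m:
        return None
    code, lib, func, reason = m.groups()
    return code.upper(), lib, func, reason.strip()


def diagnose(msg):
    """Map the wording of a handshake error (OpenSSL or Python ssl style) to a
    short, actionable cause.  The keyword mapping is this example's own."""
    text = msg.lower()
    if "unsupported protocol" in text or "protocol version" in text:
        return ("version mismatch: no TLS version is offered by both the proxy "
                "and the server; probe the server's supported versions")
    if "no shared cipher" in text or "handshake failure" in text:
        return "cipher mismatch: the server accepts none of the proxy's cipher suites"
    if "certificate verify failed" in text:
        return "certificate problem: chain, name or expiry check failed"
    return "other handshake error: " + msg.strip()


def probe_tls_versions(host, port=443, timeout=5.0):
    """Try one handshake per TLS version; return {version_name: result} where
    result is the negotiated version string on success or a diagnosis string.
    Each context pins minimum_version == maximum_version so exactly one
    version is offered.  Certificate verification is disabled because the
    goal is only to learn which versions the server speaks."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[ver.name] = tls.version()  # e.g. "TLSv1.2"
        except ssl.SSLError as e:
            # Server answered but refused this version (or its ciphers).
            results[ver.name] = diagnose(str(e))
        except (OSError, ValueError) as e:
            # Connection failure, or the local OpenSSL build has this
            # version compiled out (ValueError from the min/max setters).
            results[ver.name] = "probe error: %s" % e
    return results


if __name__ == "__main__":
    # Constructed input: the error line from the first post, re-parsed.
    squid_line = ("Handshake with SSL server failed: error:14077102:SSL routines:"
                  "SSL23_GET_SERVER_HELLO:unsupported protocol")
    print(parse_openssl_error(squid_line))
    print(diagnose(squid_line))
```

Running probe_tls_versions against a failing site should show only TLSv1 succeeding when the cause is the one discussed in this thread; that result tells you whether a per-destination exception is appropriate or whether, as doktornotor says, the only choices are accepting TLSv1.0 or not reaching that server. An OpenSSL build with TLS 1.0 compiled out reports a probe error for that version rather than a server answer, so read that entry as "untested" rather than "refused".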
            • J
              Jdwind
              last edited by Dec 29, 2016, 12:51 PM

              …add the desired address to the bypass and run the test

              I have squid in non-transparent mode; bypass, if I'm not wrong, is an option for transparent mode?

              • D
                doktornotor Banned
                last edited by Dec 29, 2016, 12:57 PM

                Geeez. There's no need to add anything to bypass since it already works for you with "intermediate" settings in place - which proves that this has just nothing to do with SNI.

                • J
                  Jdwind
                  last edited by Dec 29, 2016, 1:15 PM

                  Thank you very much, doktornotor, but is it safe to let the TLS v1.0 protocol be used?

                  • D
                    doktornotor Banned
                    last edited by Dec 29, 2016, 1:23 PM

                    Shrug; depends on your level of paranoia / compliance requirements. TLSv1.0 is no longer considered acceptable for DSS [1], e.g. Then again, if you care about that compliance, you should disable TLSv1.0 in your corporate browsers, and at that point, you will just see the same issue as described in the OP here even without any proxy - you just won't be able to connect to those webservers.

                    [1] https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss_summary_of_changes

                    • J
                      Jdwind
                      last edited by Dec 29, 2016, 2:11 PM

                      Again thank you for that explanation of my problem. So that is the fault of those webservers, not mine or squid's, as you said. Best regards, doktornotor.

                      • D
                        doktornotor Banned
                        last edited by Dec 29, 2016, 2:23 PM

                        Yup, exactly - there's nothing that could be done on your side with that – either you accept the inherently insecure TLSv1.0, or you cannot talk HTTPS to those servers.

                        • ?
                          A Former User
                          last edited by A Former User Oct 6, 2020, 8:51 AM Oct 6, 2020, 8:41 AM

                          Can anyone give a transparent recommendation on what is better to use via squid proxy, TLS or SSL? And how do I set up the Firefox browser to act accordingly? If the squid settings tab is telling me that squid uses SSL, why should I keep TLS active then?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.