Squid error with TLS SSL after upgrade



  • Hi, after upgrading the squid package I get an error like this:

    Handshake with SSL server failed: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
    
    (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
    
    This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request.
    

    When I change the squid SSL compatibility mode from modern to intermediate it works (squid in non-transparent mode, without WPAD). pfSense v. 2.3.2_1.


  • Banned

    Only shitty protocols being supported by the server is not an issue in Squid.



  • Would you explain what you mean? That happened when I upgraded the squid package to the newest version; before, it worked fine.



  • @Jdwind:

    Hi, after upgrading the squid package I get an error like this:

    Handshake with SSL server failed: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
    
    (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
    
    This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request.
    

    When I change the squid SSL compatibility mode from modern to intermediate it works (squid in non-transparent mode, without WPAD). pfSense v. 2.3.2_1.

    This occurs with sites that have a digital certificate with SNI … add the desired address to the bypass and run the test.


  • Banned

    @Jdwind:

    That happened when I upgraded the squid package to the newest version; before, it worked fine.

    I mean that it is not a Squid problem; do not set the compatibility to modern if you need to deal with HTTPS sites that can at best handle TLSv1.0 and/or require HIGH cipher suites to work.

    @Milton:

    This occurs with sites that have a digital certificate with SNI … add the desired address to the bypass and run the test.

    SNI is just unrelated to the behavior described here. If you are having issues with SNI and SSL interception, perhaps you could test this fix as requested 2 days ago with absolutely zero response so far from anyone.



  • …add the desired address to the bypass and run the test

    I have squid in non-transparent mode; bypass, if I'm not wrong, is an option for transparent mode?


  • Banned

    Geeez. There's no need to add anything to bypass since it already works for you with "intermediate" settings in place - which proves that this has just nothing to do with SNI.



  • Thank you, Doktornotor, very much - but is it safe to allow the TLS v1.0 protocol?


  • Banned

    Shrug; depends on your level of paranoia / compliance requirements. TLSv1.0 is no longer considered acceptable for DSS [1], e.g. Then again, if you care about that compliance, you should disable TLSv1.0 in your corporate browsers, and at that point, you will just see the same issue as described in the OP here even without any proxy - you just won't be able to connect to those webservers.

    [1] https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss_summary_of_changes



  • Again, thank you for that explanation of my problem. So that is the fault of the webservers, not mine or squid's, as you said. Best regards, Doktornotor.


  • Banned

    Yup, exactly - there's nothing that could be done on your side with that – either you accept the inherently insecure TLSv1.0, or you cannot talk HTTPS to those servers.
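    A quick way to confirm Doktornotor's diagnosis before relaxing the Squid profile is to ask the destination server directly which TLS versions it will negotiate. The script below is an added example for this thread, not code from Squid or pfSense; `probe_tls_versions` and `diagnose` are names chosen here, and the host is whatever site produced the SQUID_ERR_SSL_HANDSHAKE error.

```python
import socket
import ssl
import sys

# Versions to offer, newest first (names match ssl.TLSVersion members).
_VERSIONS = ("TLSv1_3", "TLSv1_2", "TLSv1_1", "TLSv1")


def probe_tls_versions(host, port=443, timeout=5.0):
    """Return {version_name: (negotiated, detail)} for each TLS version.

    Each attempt offers exactly one protocol version, so a False result means
    the server (or the local OpenSSL build) refused that version; the detail
    string says which. Diagnostic only: trust checks are skipped on purpose,
    like `openssl s_client`, so never reuse this context for real traffic."""
    results = {}
    for name in _VERSIONS:
        try:
            version = getattr(ssl.TLSVersion, name)
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.minimum_version = version   # pin both ends so only one
            ctx.maximum_version = version   # version is in the ClientHello
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let legacy ciphers be offered
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = (True, tls.version())
        except ssl.SSLError as exc:          # e.g. "unsupported protocol"
            results[name] = (False, f"handshake: {exc.reason}")
        except (OSError, ValueError) as exc:  # connect failure or local limit
            results[name] = (False, f"local/connect: {exc}")
    return results


def diagnose(results):
    """Map probe results onto the 'modern' vs 'intermediate' behaviour."""
    modern_ok = any(results.get(v, (False, ""))[0] for v in ("TLSv1_3", "TLSv1_2"))
    legacy_ok = any(results.get(v, (False, ""))[0] for v in ("TLSv1_1", "TLSv1"))
    if modern_ok:
        return "ok: server speaks TLS 1.2+, the 'modern' profile should negotiate"
    if legacy_ok:
        return "legacy-only: server stops at TLS 1.0/1.1; 'modern' fails, 'intermediate' works"
    return "unreachable: nothing negotiated; check connectivity or local OpenSSL limits"


if __name__ == "__main__":
    res = probe_tls_versions(sys.argv[1])
    for name, (ok, detail) in res.items():
        print(f"{name:8} {'yes' if ok else 'no ':3} {detail}")
    print(diagnose(res))
```

    A "legacy-only" verdict is the situation in this thread: the remote server is what limits the handshake, and the only choices are the ones Doktornotor lists.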



  • Can anyone give a clear recommendation on what is better to use via the squid proxy, TLS or SSL, and how to set up the Firefox browser to act accordingly? If the squid settings tab tells me that squid uses SSL, why should I keep TLS active then?

