Channel: HAProxy community - Latest topics

Squid and Elliptic Curve (ECDHE)


@joeg wrote:

I have a squid 4.1 instance and am troubleshooting a strange issue. I have a client that when it communicates with squid appears as a tls/1.0 in the logs although looking at wireshark shows 1.2. Additionally it appears that the client is only requesting elliptic curve ciphers (TLS_ECDHE_ECDSA_WITH_AES_128_GCN_256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECRSA_WITH_AES_128_GCN_256, & TLS_ECDHE_ECRSA_WITH_AES_256_GCN_384) between the client and the squid server. The squid server then offers many more to the destination server including those presented by the client. The squid and destination server settle on TLS_ECDHE_ECDSA_WITH_AES_128_GCN_256 but the connection fails. It appears that the squid server returns to the client an Alert (Handshake failure (40)) message. The client gets an SSLv3 error message. I have played with various tls-dh and options settings under http_port with no success.

Here is an extract of my logs:

src_ssl_negotiated_version=- dst_ssl_negotiated_version=TLS/1.2 src_tls_hello_version=TLS/1.0 dst_tls_hello_version=TLS/1.2 src_tls_max_version=TLS/1.2 dst_tls_max_version=TLS/1.2 src_tls_cipher=- dst_tls_cipher=ECDHE-ECDSA-AES128-GCM-SHA256 ssl_bump=- ssl_bump_mode=bump ssl_sni=bigtable.googleapis.com src_cert_subject="-" src_cert_issuer="-" dst_cert_subject="/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.googleapis.com" dst_cert_issuer="/C=US/O=Google Trust Services/CN=Google Internet Authority G3" cert_errors="-"

Posts: 3

Participants: 2
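A ClientHello carries two version fields, the record-layer version (commonly 0x0301, i.e. TLS/1.0, for compatibility) and the handshake version, so a log field reading TLS/1.0 while Wireshark shows 1.2 can simply reflect which of the two was recorded. The following is an added example, not code from the original post or from Squid, that builds a constructed ClientHello with the two fields set independently and parses both back out along with the offered suites and SNI; the suite ids are the IANA values for the four ECDHE-GCM suites the post refers to, and the SNI is the one from the log line.

```python
import struct

# IANA ids of the four ECDHE suites the post lists (with the GCM spelling).
SUITE_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
VERSIONS = {0x0301: "TLS/1.0", 0x0302: "TLS/1.1", 0x0303: "TLS/1.2"}

def build_client_hello(rec_ver, hs_ver, suites, sni):
    """Constructed ClientHello with record-layer and handshake versions set separately."""
    name = sni.encode()
    sni_data = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack(">HH", 0, len(sni_data)) + sni_data          # extension type 0 = server_name
    body = (struct.pack(">H", hs_ver) + bytes(32) + b"\x00"       # version, random, empty session id
            + struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
            + b"\x01\x00" + struct.pack(">H", len(ext)) + ext)     # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return struct.pack(">BHH", 22, rec_ver, len(hs)) + hs          # content type 22 = handshake

def parse_client_hello(rec):
    """Return the record-layer version, the ClientHello version, offered suites and SNI."""
    ctype, rec_ver, rec_len = struct.unpack(">BHH", rec[:5])
    hs = rec[5:5 + rec_len]
    if ctype != 22 or hs[0] != 1:
        raise ValueError("not a ClientHello record")
    hs_ver = struct.unpack(">H", hs[4:6])[0]
    pos = 6 + 32                                   # skip client_random
    pos += 1 + hs[pos]                             # skip session id
    cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    suites = list(struct.unpack(f">{cs_len // 2}H", hs[pos + 2:pos + 2 + cs_len]))
    pos += 2 + cs_len
    pos += 1 + hs[pos]                             # skip compression methods
    sni = None
    if pos + 2 <= len(hs):
        end = pos + 2 + struct.unpack(">H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                         # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack(">H", hs[pos + 3:pos + 5])[0]
                sni = hs[pos + 5:pos + 5 + name_len].decode()
            pos += elen
    return {"record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
            "hello_version": VERSIONS.get(hs_ver, hex(hs_ver)),
            "cipher_suites": [SUITE_NAMES.get(s, hex(s)) for s in suites], "sni": sni}

# Constructed sample: a TLS 1.2 ClientHello whose record layer announces TLS 1.0.
SAMPLE = build_client_hello(0x0301, 0x0303, [0xC02B, 0xC02C, 0xC02F, 0xC030], "bigtable.googleapis.com")
```

Feeding a real capture's first client-side record into parse_client_hello shows which of the two versions a given log field is reporting.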
