Re: [squid-users] Re: Bug: version= & option= tag failure

From: <JSiergiej@dont-contact.us>
Date: Fri, 25 Jan 2008 10:21:45 -0500

Henrik,

So I figured out that the SSL errors I was getting were because I still
had Use SSL2 checked in the security settings of Internet Explorer. Once
I unchecked this, leaving only use SSLv3 checked, I no longer received the
errors and was able to access the page.

However, I don't believe this should be how Squid should be handling this
issue. If users have both Use SSLv2 and Use SSLv3 checked in IE then
SSLv3 should be used and let the user in, ignoring the Use SSLv2 option.
The way this is working now, no one will be able to view the https page
unless everyone who browses to the site goes and unchecks the Use SSLv2
option, which will be unacceptable for the client because business will be
impacted.

Am I missing something here in my configuration that we need to actually
uncheck the Use SSLv2 option for this to work? You'd think it would just
fail over to Use SSLv3 if v2 didn't work.

Thanks,

Jack

Jack Siergiej/PSTS/PMIC/US
01/25/2008 09:00 AM

To: Henrik Nordström <henrik@henriknordstrom.net>
cc: Squid Users <squid-users@squid-cache.org>
Subject: Re: [squid-users] Re: Bug: version= & option= tag failure

Henrik,

I used the options=NO_SSLv2 tag and I can still access the website with
SSLv2. I tested this with openssl and a Firefox browser with TLS1 and
SSLv3 disabled and I get connected every time.

If I use the version=3 tag, I get the error below multiple times in the
squid terminal window and my browser tells me that my access to the
webpage has been interrupted. I am not sure how to fix this issue and
allow just SSLv3.

clientNegotiateSSL: Error negotiating SSL connection on FD 22: error
1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1)

Any help is appreciated. Thanks,

Jack Siergiej

Henrik Nordström <henrik@henriknordstrom.net>
01/16/2008 08:34 AM

To: JSiergiej@pennsoftware.com, Squid Users <squid-users@squid-cache.org>
cc:
Subject: [squid-users] Re: Bug: version= & option= tag failure

Wed 2008-01-16 at 07:06 -0500, JSiergiej@pennsoftware.com wrote:

> I posted this to the users group and they said to file a bug with you.
> Please review and let me know if you have any ideas. I tried the
> version=3 as well as the option=NO_SSLv2,NO_SSLv3 tags at the end of the
> https_port line. When I use the option= tag, I get a fatal error and I
> have to remove it. When I use the version= tag, I can't view the https
> page because it says the connection was interrupted and I get the
> following in the squid terminal window after attempting to view the https
> page:

The options flag is spelled options= with an s.

I don't think you want to disable SSLv3 as well, so just use
options=NO_SSLv2

> clientNegotiateSSL: Error negotiating SSL connection on FD 22: error
> 1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1)
> clientNegotiateSSL: Error negotiating SSL connection on FD 22:
> error:1408F10B: SSL routines: SSL3_Get_Record: wrong version number (1/-1)

Most likely the client is sending an SSLv2 hello message, not SSLv3/TLS.
All known browsers do this unless manually configured otherwise. This is
in order to keep compatibility with SSLv2 servers, then upgrading the
connection to SSLv3/TLS after the initial handshake if the server
indicates it supports upgrading.

So you should use the options=NO_SSLv2 flag. The version= flag is only
for very controlled environments where you have control over the
clients. In this mode both SSLv2, 3 & TLS hello messages are accepted, but
if an SSLv2 hello message is used the connection must be upgraded to
SSLv3/TLS before the request is accepted.

If version=X is used then only that exact version of SSL/TLS is
understood, and the hello message sent by the client must be of the
correct version.

Regards
Henrik
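An added illustration, not part of this thread and not Squid's code, of the distinction Henrik describes above: a small Python classifier that tells an SSLv2-compatible client hello apart from an SSLv3/TLS-format one, and models which of the two https_port settings (version=3 versus options=NO_SSLv2) would accept each. The two sample hellos are constructed by hand, and the acceptance rules are a model of the explanation in this thread, not Squid's actual negotiation logic.

```python
# Constructed sample hellos (not captured traffic). Both offer the same cipher
# suite (SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0x000A) but in the two wire formats.
SSLV2_COMPAT_HELLO = bytes.fromhex(
    "801c"                # 2-byte SSLv2 record header: high bit set, 28-byte body
    "01" "0300"           # CLIENT-HELLO, highest version offered = SSLv3 (3.0)
    "0003" "0000" "0010"  # cipher-spec len 3, session-id len 0, challenge len 16
    "00000a"              # one 3-byte SSLv2-style cipher spec
) + b"\x11" * 16          # 16-byte challenge

TLS_FORMAT_HELLO = bytes.fromhex(
    "16" "0300" "002d"    # record layer: handshake, version 3.0, length 45
    "01" "000029"         # handshake header: client_hello, length 41
    "0300"                # client_version 3.0
) + b"\x22" * 32 + bytes.fromhex(
    "00" "0002" "000a" "01" "00"  # sid len 0, 1 suite (0x000A), null compression
)


def classify_client_hello(data):
    """Return (wire_format, (major, minor)) for the first bytes sent by a client."""
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03:
        # SSLv3/TLS record layer; client_version sits at offset 9 of a client_hello
        if len(data) >= 11 and data[5] == 0x01:
            return "sslv3/tls", (data[9], data[10])
        return "sslv3/tls", (data[1], data[2])
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-compatible hello: 2-byte length header, then msg type 1 and the
        # highest version the client is willing to upgrade to
        return "sslv2-compatible", (data[3], data[4])
    return "unknown", (0, 0)


def accepted(data, mode):
    """Model (assumption, not Squid's code) of the behaviour described in the thread."""
    fmt, ver = classify_client_hello(data)
    if mode == "version=3":
        # Only an SSLv3-format hello carrying exactly version 3.0 is understood;
        # an SSLv2-format hello produces the "wrong version number" style errors
        return fmt == "sslv3/tls" and ver == (3, 0)
    if mode == "options=NO_SSLv2":
        # Either format is accepted, but the connection must end up at SSLv3/TLS,
        # so an SSLv2-format hello must offer at least 3.0 to be upgradeable
        return fmt != "unknown" and ver >= (3, 0)
    raise ValueError("unknown mode: %s" % mode)
```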
Received on Fri Jan 25 2008 - 08:25:25 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:05 MST