Re: [squid-users] SSLBump SSL error

From: Alex Crow <alex_at_nanogherkin.com>
Date: Tue, 07 Feb 2012 12:58:13 +0000

> that's a broken server which wants the initial client hello handshake to be SSL2
> compatible, but then requires immediate protocol upgrade to SSL3 or
> TLSv1, but fails if the initial handshake is SSL3 or TLSv1. OpenSSL in
> somewhat current versions by default disables all use of SSLv2 due to
> numerous weaknesses in the SSLv2 protocol and as a result is normally
> sending an SSL3 client hello handshake.
>
> It's likely to hit problems with some newer browsers as well, as SSL/TLS
> security is being tightened up.
>
> A workaround is to set ciphers to 'ALL:!COMPLEMENTOFDEFAULT' which
> somehow magically enables SSLv2 again. But it's not a very good idea as
> it may also enable some SSLv2 related attacks.
>
> Regards
> Henrik
>

Henrik,

I now have this http_port line in place.

http_port 3128 sslBump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB
cert=/etc/squid3/ssl_cert/www.sample.com.pem cipher=ALL:!COMPLEMENTOFDEFAULT

However, it has made no difference to this site or the others. I even
wiped my generated certs before restarting squid.

Any more ideas?

Cheers

Alex
Received on Tue Feb 07 2012 - 12:58:18 MST
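Henrik's diagnosis turns on which ClientHello framing the client sends: an SSLv2-compatible hello (2-byte record header with the high bit set, 3-byte cipher specs) versus an SSLv3/TLS-framed hello (0x16 record header, 2-byte cipher suites). The script below is an added example written for this archive page, not code from the thread, from Squid or from OpenSSL. It builds one hello of each kind from constructed bytes (no captured traffic) and classifies them, which is what you would do with the first client record pulled out of a packet capture to confirm what your OpenSSL build is actually sending. Names such as `classify_client_hello` and `offers_sslv2` are this example's own.

```python
"""Added example: tell SSLv2-compatible and SSLv3/TLS-framed ClientHellos apart.

SSLv2-compatible ClientHello (RFC 2246, Appendix E):
  2-byte record header, high bit set, 15-bit length; then msg_type 0x01,
  client_version(2), cipher_spec_len(2), session_id_len(2), challenge_len(2),
  cipher specs (3 bytes each; TLS suites appear as 0x00 + suite), session id,
  challenge.
SSLv3/TLS ClientHello:
  record header 0x16 + version(2) + length(2); handshake header 0x01 +
  length(3); client_version(2), random(32), session id, cipher suites
  (2 bytes each), compression methods.
"""
import os
import struct

VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
                 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def build_v2_compat_client_hello(version, cipher_specs):
    """Constructed SSLv2-compatible CLIENT-HELLO advertising `version` as highest."""
    challenge = os.urandom(16)
    specs = b"".join(cipher_specs)
    body = (b"\x01" + struct.pack(">H", version)
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    # 2-byte SSLv2 record header: high bit set, 15-bit length, no padding byte
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_v3_client_hello(version, cipher_suites):
    """Constructed SSLv3/TLS-framed ClientHello without extensions."""
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body = (struct.pack(">H", version) + os.urandom(32)
            + b"\x00"                                   # empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # record header: content type 22 (handshake), record version, length
    return (b"\x16" + struct.pack(">H", version)
            + struct.pack(">H", len(handshake)) + handshake)


def classify_client_hello(data):
    """Return framing, advertised version and cipher list of a raw ClientHello."""
    if not data:
        raise ValueError("empty record")
    if data[0] & 0x80:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != 0x01:
            raise ValueError("not an SSLv2-compatible CLIENT-HELLO")
        version, spec_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
        if len(body) < 9 + spec_len + sid_len + chal_len:
            raise ValueError("truncated SSLv2-compatible CLIENT-HELLO")
        specs = body[9:9 + spec_len]
        return {"framing": "sslv2-compat",
                "version": VERSION_NAMES.get(version, hex(version)),
                "ciphers": [specs[i:i + 3].hex() for i in range(0, len(specs), 3)]}
    if data[0] == 0x16:
        rec_len = struct.unpack(">H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            raise ValueError("TLS record is not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        version = struct.unpack(">H", body[0:2])[0]
        pos = 2 + 32                                    # skip client random
        sid_len = body[pos]
        pos += 1 + sid_len
        suites_len = struct.unpack(">H", body[pos:pos + 2])[0]
        suites = body[pos + 2:pos + 2 + suites_len]
        return {"framing": "sslv3/tls",
                "version": VERSION_NAMES.get(version, hex(version)),
                "ciphers": [suites[i:i + 2].hex() for i in range(0, len(suites), 2)]}
    raise ValueError("unrecognised first byte 0x%02x" % data[0])


def offers_sslv2(info):
    """True if an SSLv2-compatible hello lists any SSLv2 cipher kind (non-zero lead byte)."""
    return info["framing"] == "sslv2-compat" and any(
        len(c) == 6 and not c.startswith("00") for c in info["ciphers"])


# Constructed sample hellos (not captured traffic)
SSL_CK_RC4_128_WITH_MD5 = b"\x01\x00\x80"           # an SSLv2-only cipher kind
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035

V2_COMPAT_HELLO = build_v2_compat_client_hello(
    0x0301, [SSL_CK_RC4_128_WITH_MD5,
             b"\x00" + struct.pack(">H", TLS_RSA_WITH_AES_128_CBC_SHA)])
V3_HELLO = build_v3_client_hello(
    0x0301, [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA])

if __name__ == "__main__":
    for name, raw in (("v2-compat", V2_COMPAT_HELLO), ("v3-framed", V3_HELLO)):
        info = classify_client_hello(raw)
        print(name, info, "offers SSLv2 ciphers:", offers_sslv2(info))
```

Feed `classify_client_hello` the payload of the first client TCP segment after the handshake to see which framing your proxy emits; a hello that reports `sslv3/tls` is the case Henrik describes, and only an `sslv2-compat` hello whose cipher list contains a non-zero lead byte actually offers SSLv2 cipher kinds.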

This archive was generated by hypermail 2.2.0 : Thu Feb 09 2012 - 12:00:02 MST