[squid-users] fallback to TLS1.0 if server closes TLS1.2?

From: Amm <ammdispose-squid_at_yahoo.com>
Date: Sat, 12 Apr 2014 10:31:01 +0530

Hello,

I recently upgraded OpenSSL from 1.0.0 to 1.0.1 (which supports TLS1.2)

I also recompiled squid against new OpenSSL.

Now there is this (BROKEN) bank site:

https://www.mahaconnect.in

This site closes the connection if you try TLS1.2 or TLS1.1

When squid tries to connect, it says:

Failed to establish a secure connection to 125.16.24.200

The system returned: (71) Protocol error (TLS code:
SQUID_ERR_SSL_HANDSHAKE) Handshake with SSL server failed:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure

The site works if I specify:
sslproxy_options NO_TLSv1_1

But then it stops using TLS1.2 for sites supporting it.

When I try in Chrome or Firefox without proxy settings, they auto-detect
this and fall back to TLS1.0/SSLv3.

So my question is: shouldn't squid fall back to TLS1.0 when TLS1.2/1.1
fails, just like Chrome/Firefox do?

(PS: I cannot tell the bank to upgrade)

Amm.
Received on Sat Apr 12 2014 - 05:01:12 MDT
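The version fallback the post asks about, as an added example that is neither squid's code nor the poster's: a stand-alone Go program (standard library only) that starts a loopback server modelling the version-intolerant bank site and a client that lowers the maximum version it offers after every refused handshake, the way the post describes the browsers doing. The host name version-intolerant.example, the throwaway self-signed certificate and the TLS 1.3/1.2 pairing are assumptions made here; the pair is shifted up from the post's 1.2/1.0 because current Go toolchains disable TLS 1.0 and 1.1 by default, but the mechanism is the same. Intolerance is modelled with tls.Config.GetConfigForClient, which sees the versions the ClientHello offers before the server picks one and aborts the handshake when any of them is newer than it knows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical host name standing in for the bank site (assumption of this example).
const serverName = "version-intolerant.example"

// startIntolerantServer models the bank site on a loopback port: it never
// negotiates down but aborts the handshake as soon as the ClientHello offers
// any version newer than tolerated. It returns the address, a pool trusting
// its throwaway certificate, and a stop function. Scaffolding failures panic.
func startIntolerantServer(tolerated uint16) (addr string, pool *x509.CertPool, stop func()) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	pool = x509.NewCertPool()
	pool.AddCert(leaf)
	cfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			for _, v := range hello.SupportedVersions {
				if v > tolerated { // an error here aborts before version selection
					return nil, fmt.Errorf("unknown protocol version 0x%04x offered", v)
				}
			}
			return nil, nil
		},
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = tls.Server(c, cfg).Handshake() // a failed handshake just drops the client
			}(c)
		}
	}()
	return ln.Addr().String(), pool, func() { ln.Close() }
}

// handshakeWithFallback runs one handshake per entry of maxVersions, highest
// first, lowering the offered maximum after each refusal. It returns the
// negotiated version and the maxima that were refused before it.
func handshakeWithFallback(addr string, pool *x509.CertPool, maxVersions []uint16) (uint16, []uint16, error) {
	var refused []uint16
	var lastErr error
	for _, v := range maxVersions {
		cfg := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12, MaxVersion: v}
		conn, err := tls.Dial("tcp", addr, cfg) // Dial runs the full handshake
		if err != nil {
			refused, lastErr = append(refused, v), err
			continue
		}
		negotiated := conn.ConnectionState().Version
		conn.Close()
		return negotiated, refused, nil
	}
	return 0, refused, fmt.Errorf("every offered version was refused, last error: %w", lastErr)
}

func main() {
	addr, pool, stop := startIntolerantServer(tls.VersionTLS12)
	defer stop()
	got, refused, err := handshakeWithFallback(addr, pool, []uint16{tls.VersionTLS13, tls.VersionTLS12})
	if err != nil {
		panic(err)
	}
	fmt.Printf("refused maxima %#04x, negotiated 0x%04x\n", refused, got)
}
```

Calling handshakeWithFallback with a single-entry list behaves like a client without fallback: one offered maximum, one attempt, and the same handshake failure the poster sees. The caveat a practitioner should weigh before wanting this in a proxy is that the fallback is itself a downgrade vector: anyone who can reset the first connection pushes the client down to the weakest version it still accepts. That is why RFC 7507 defined the TLS_FALLBACK_SCSV signalling cipher suite, which lets a server that does support the newer versions detect and refuse a downgraded retry.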

This archive was generated by hypermail 2.2.0 : Sat Apr 12 2014 - 12:00:04 MDT