tls12_check_peer_sigalg:wrong signature type


tls12_check_peer_sigalg:wrong signature type

Edouard Gaulué-2
Hi Community,

We moved from 3.4.8 to 4.10 two days ago (and more generally to Buster).

Some users complain today about HTTPS sites that are not reachable while
they were before (we bump). They are reachable from browsers without proxy.

An example is: www.marches-securises.fr.

In the log I get:

ERROR: negotiating TLS on FD 57: error:1414D172:SSL
routines:tls12_check_peer_sigalg:wrong signature type (1/-1/0)

openssl s_client -connect www.marches-securises.fr:443 is OK

In the beginning I believed it was an intermediate certificate trouble,
but it doesn't look so. I read this:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934453

I'm not sure squid is involved, but maybe some of you have already
overcome this kind of trouble through squid or openssl configuration.

If ever, please share,

Best regards, Edouard

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: tls12_check_peer_sigalg:wrong signature type

Amos Jeffries
Administrator
On 12/03/20 4:59 am, Edouard Gaulué wrote:

> Hi Community,
>
> We moved from 3.4.8 to 4.10 two days ago (and more generally to Buster).
>
> Some users complain today about HTTPS sites that are not reachable while
> they were before (we bump). They are reachable from browsers without proxy.
>
> An example is: www.marches-securises.fr.
>
> In the log I get:
>
> ERROR: negotiating TLS on FD 57: error:1414D172:SSL
> routines:tls12_check_peer_sigalg:wrong signature type (1/-1/0)
>

This is an error from your Squid machine's OpenSSL library.


> openssl s_client -connect www.marches-securises.fr:443 is OK
>
> In the beginning I believed it was an intermediate certificate trouble,
> but it doesn't look so. I read this:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934453
>
> I'm not sure squid is involved, but maybe some of you have already
> overcome this kind of trouble through squid or openssl configuration.
>

If you can get a packet trace and inspect the TLS messages with
wireshark you should be able to determine what is actually happening.

If you can find for certain what the cause of the problem is we might be
able to help with solutions (if not obvious to you by then).

Amos

Re: tls12_check_peer_sigalg:wrong signature type

Edouard Gaulué-2

>> ERROR: negotiating TLS on FD 57: error:1414D172:SSL
>> routines:tls12_check_peer_sigalg:wrong signature type (1/-1/0)
>>
> This is an error from your Squid machine's OpenSSL library.
That's what I thought. I also have: tls_process_ske_dhe:dh_key_too_small
for an SSL server using SHA1.

>> openssl s_client -connect www.marches-securises.fr:443 is OK
>>
>> In the beginning I believed it was an intermediate certificate trouble,
>> but it doesn't look so. I read this:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934453
>>
>> I'm not sure squid is involved, but maybe some of you have already
>> overcome this kind of trouble through squid or openssl configuration.
>>
> If you can get a packet trace and inspect the TLS messages with
> wireshark you should be able to determine what is actually happening.
>
> If you can find for certain what the cause of the problem is we might be
> able to help with solutions (if not obvious to you by then).
>
Yes, that's a way. But as the provided link mentions (and also some
issues on SSLLabs), it often looks to be a problem with the SSL server
configuration, even on big or prestigious sites.

I've set the "sslproxy_cert_error" option to "allow all", but despite
this I still get SQUID_ERR_SSL_HANDSHAKE.

Maybe there is a configuration option to tell squid to allow (better than the
one above) or to splice in case of such trouble with the handshake?

Best regards, Edouard

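A quicker first look than a full packet trace, for the two OpenSSL errors named in this thread, is the handshake summary that `openssl s_client` prints. The script below is an added example, not code from the thread or from Squid; it assumes OpenSSL 1.1.1's s_client output format and that the proxy host runs at Debian Buster's default security level 2, where SHA1 handshake signatures and DH groups below 2048 bits are refused.

```shell
#!/bin/sh
# Added example, not from the thread or from Squid. Parses the summary lines that
# OpenSSL 1.1.1's `openssl s_client` prints after a completed handshake and says
# whether a client at the given security level (assumed: Buster's default is 2, where
# SHA1/MD5 handshake signatures and DH groups under 2048 bits are refused) would reject it.
# Usage: ... | classify_handshake [seclevel]; returns 0 if acceptable, 1 if not.
classify_handshake() {
    seclevel="${1:-2}"
    digest=""; sigtype=""; tmpkey_type=""; tmpkey_bits=""; reason=""; status=0
    while IFS= read -r line; do
        case "$line" in
            "Peer signing digest: "*) digest="${line#Peer signing digest: }" ;;
            "Peer signature type: "*) sigtype="${line#Peer signature type: }" ;;
            "Server Temp Key: "*)   # e.g. "DH, 1024 bits" or "ECDH, P-256, 256 bits"
                rest="${line#Server Temp Key: }"
                tmpkey_type="${rest%%,*}"
                tmpkey_bits="${rest##*, }"; tmpkey_bits="${tmpkey_bits%% bits*}" ;;
        esac
    done
    if [ "$seclevel" -ge 2 ]; then
        case "$digest" in   # maps to tls12_check_peer_sigalg's security check
            SHA1|MD5) reason="$reason peer signed with $digest (tls12_check_peer_sigalg:wrong signature type);"; status=1 ;;
        esac
        if [ "$tmpkey_type" = "DH" ] && [ "${tmpkey_bits:-0}" -lt 2048 ]; then
            reason="$reason DH temp key $tmpkey_bits bits (tls_process_ske_dhe:dh_key_too_small);"; status=1
        fi
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK at SECLEVEL=$seclevel: $sigtype/$digest, temp key ${tmpkey_type:-none} ${tmpkey_bits:-?} bits"
    else
        echo "REJECT at SECLEVEL=$seclevel:$reason"
    fi
    return "$status"
}
# Live probe: handshake at SECLEVEL=0 so the server's real choices get printed even
# when a stricter client would fail, then judge them against the proxy host's level.
probe_host() {
    openssl s_client -connect "$1:443" -servername "$1" -cipher 'DEFAULT@SECLEVEL=0' \
        </dev/null 2>/dev/null | classify_handshake "${2:-2}"
}
# Constructed s_client excerpts (not real captures) so the logic can be run offline.
sample_sha1_dh1024() {
    printf '%s\n' 'Peer signing digest: SHA1' 'Peer signature type: RSA' \
        'Server Temp Key: DH, 1024 bits'
}
sample_modern() {
    printf '%s\n' 'Peer signing digest: SHA256' 'Peer signature type: RSA-PSS' \
        'Server Temp Key: X25519, 253 bits'
}
```

Run `probe_host www.example.invalid 2` on the proxy host itself, since the security level that matters is the one in that machine's openssl.cnf, not the one on the desktop where s_client happened to succeed.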