transparent proxy upgrade 3.5 to 4.12, Error parsing SSL Server Hello Message on FD XX

tannmann
I have squid set up as a transparent outbound proxy using version 3.5. When upgrading to 4.12, I am seeing an error "Error parsing SSL Server Hello Message on FD XX" that did not happen before. Here is my config:

http_port 3129 intercept
cache_effective_user squid
cache_effective_group squid
workers 1
acl CONNECT method CONNECT
acl allowed_http_sites dstdom_regex "/etc/squid/outbound_whitelist.txt"
http_access allow allowed_http_sites
acl allowed_networks src 10.0.0.0/8
acl allowed_networks src 172.0.0.0/8
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl/squid.pem
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name_regex "/etc/squid/outbound_whitelist.txt"
acl step3 at_step SslBump3
ssl_bump peek all
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate all
cache deny all
http_access deny all
shutdown_lifetime 0
pid_filename /var/run/squid.pid
log_mime_hdrs on
logfile_rotate 2
access_log stdio:/dev/stdout
cache_log stdio:/dev/stderr

Previous to 4.12, if I tried to upgrade to any v4 or v5 of squid, I would get an issue with "inappropriate fallback" when going to some sites supporting TLS 1.3 (but not all). This appears to have been resolved, but this "Error parsing SSL Server Hello Message" is new. Is there something that should change in my config? Can anyone tell me what this error means?

Thanks,

Tanner



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: transparent proxy upgrade 3.5 to 4.12, Error parsing SSL Server Hello Message on FD XX

Amos Jeffries
Administrator
On 23/06/20 2:50 am, Tanner wrote:
> I have squid set up as a transparent outbound proxy using version 3.5.
> When upgrading to 4.12, I am seeing an error "Error parsing SSL Server
> Hello Message on FD XX" that did not happen before. Here is my config:
>
...

>
> Previous to 4.12, if I tried to upgrade to any v4 or v5 of squid, I
> would get an issue with "inappropriate fallback" when going to some
> sites supporting TLS 1.3 (but not all). This appears to have been
> resolved, but this "Error parsing SSL Server Hello Message" is new. Is
> there something that should change in my config? Can anyone tell me what
> this error means?

It may be resolved with this patch:
 <http://www.squid-cache.org/Versions/v5/changesets/squid-5-8f80586b2137cd6eaacef4e5908d03a0f7f9c7eb.patch>

Otherwise you could try the latest Squid-5.

If neither of those work, v5 should have better debugging to help track
down what the issue actually is.

Amos