On 10/19/2016 08:51 PM, Leandro Barragan wrote:
> I get the unknown cipher error on Squid
> but on the client I see a certificate error. When I look at the
> certificate info, it is signed by Squid. It makes no sense at all.

When Squid v3 encounters an OpenSSL error (such as an unsupported
cipher), it tries to serve the corresponding error page to the user.
This happens before your "terminate" rules are reached and requires
impersonating the server, which explains why you see a Squid-signed
error page.

Squid v4 works better in this situation because:

* v4 does not rely on OpenSSL during step1. This will help if you are
willing to make decisions based on SNI/host alone (requires changing
your config).

* v4 can be configured to tunnel unexpected non-SSL traffic (via
on_unsupported_protocol). I am not sure whether this helps with the
ciphers issue during step2 (if you leave your configuration unchanged)
-- I do not remember whether Squid treats that kind of failure as an
unsupported protocol issue (but I doubt it does).


HTH,

Alex.
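The two Squid v4 options Alex describes, as an added configuration example (not from the thread and not a config distributed by the Squid project): the bump/splice/terminate decision is made at step1 from the SNI alone, and unexpected non-TLS bytes are tunnelled via on_unsupported_protocol. Paths, ACL names and host names are assumptions for illustration.

```conf
# Added example, not from the original thread. Squid 4 squid.conf fragment:
# decide on the TLS ClientHello's SNI only (step1) and tunnel non-TLS traffic.
# All paths, ACL names and domains below are illustrative assumptions.

http_port 3128 ssl-bump \
    cert=/etc/squid/ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1

# ssl::server_name matches the SNI from the ClientHello. No server connection
# exists yet, and Squid 4 parses the ClientHello without OpenSSL, so no
# OpenSSL error can produce a Squid-signed error page ahead of these rules.
acl noBump  ssl::server_name .bank.example .health.example
acl blocked ssl::server_name .blocked.example

ssl_bump peek step1          # read the ClientHello, do not contact the server yet
ssl_bump terminate blocked   # close the connection; no impersonated error page
ssl_bump splice noBump       # pass these through unchanged
ssl_bump bump all            # intercept everything else

# Squid 4 only: hand non-TLS bytes on the intercepted port through as a blind
# tunnel instead of answering with an error. Whether a cipher failure during
# step2 is treated as an unsupported protocol is uncertain (see Alex's reply).
on_unsupported_protocol tunnel all
```

One caveat a practitioner should keep in mind: the SNI is supplied by the client, so a splice rule keyed on ssl::server_name alone can be satisfied by any client that claims a whitelisted name. Where that matters, combine the name ACL with a destination-IP ACL, or accept the step2 trade-off Alex describes and verify the server certificate before splicing.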

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
