Re: [squid-users] Re: Bug: version= & option= tag failure

From: <JSiergiej@dont-contact.us>
Date: Fri, 25 Jan 2008 09:00:05 -0500

Henrik,

I used the options=NO_SSLv2 tag and I can still access the website with
SSLv2. I tested this with openssl and a firefox browser with tsl1 and
sslv3 disabled and I get connected everytime.

If I use the version=3 tag, I get the error below multiple times in the
squid terminal window and my browser tells me that my access to the
webpage has been interrupted. I am not sure how to fix this issue and
allow just SSLv3.

clientNegotiateSSL: Error negotiating SSL connection on FD 22: error
1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1)

Any help is appreciated. Thanks,

Jack Siergiej

Henrik Nordström <henrik@henriknordstrom.net>
01/16/2008 08:34 AM

To
JSiergiej@pennsoftware.com, Squid Users <squid-users@squid-cache.org>
cc

Subject
[squid-users] Re: Bug: version= & option= tag failure

ons 2008-01-16 klockan 07:06 -0500 skrev JSiergiej@pennsoftware.com:

> I posted this to the users group and they said to file a bug with you.
> Please review and let me know if you have any ideas. I tried the
> version=3 as well as the option=NO_SSLv2,NO_SSLv3 tags at the end of the

> https_port line. When I use the option= tag, I get a fatal error and I
> have to remove it. When I use the version= tag, I can't view the https
> page because it says the connection was interrupted and I get the
> following in the squid terminal window after attempting to view the
https
> page:

The options flag is spelled options= with an s

I don't think you want to disable SSLv3 as well, so just use
options=NO_SSLv2

> clientNegotiateSSL: Error negotiating SSL connection on FD 22: error
> 1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1)
> clientNegotiateSSL: Error negotiating SSL connection on FD 22:
> error:1408F10B: SSL routines: SSL3_Get_Record: wrong version number
(1/-1

Most likely the client is senting a SSLv2 hello message, not SSLv3/TLS.
All known browsers do this unless manually configured otherwise. This in
order to keep compatibility with SSLv2 servers, then upgrading the
connection to SSLv3/TLS after the initial handshake if the server
indicates it supports upgrading..

So you should use the options=NO_SSLv2 flag. The version= flag is only
for very controlled environments where you have control over the
clients. In this mode both SSLv2,3 & TLS hello messages is accepted, but
if a SSLv2 hello message is used the connection must be upgraded to
SSLv3/TLS before the request is accepted.

If version=X is used then only that exact version of SSL/TLS is
understood, and the hello message sent by the client must be of the
correct version.

Regards
Henrik
Received on Fri Jan 25 2008 - 07:03:43 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:05 MST