[squid-users] Re: https for one site doesn't work over squid

From: Dmitry Melekhov <dm_at_belkam.com>
Date: Fri, 14 Feb 2014 14:35:02 +0400

OK, finally, I found that the problem is in TLS.

As I see, in Firefox 27.0 TLS 1.1 and 1.2 are enabled by default.

So if I change security.tls.version.max from the default 3 (I guess this
means 1.2) to 1 (1.0?), the site works.
2 (1.1?) doesn't work either.

Just because Firefox 27.0 works without the proxy, I guess there is a problem
with TLS 1.1/1.2 in Squid.
Am I right? :-) If yes, is there any way to fix Squid?

Thank you!

14.02.2014 14:15, Dmitry Melekhov wrote:
> 14.02.2014 14:00, Dmitry Melekhov wrote:
>> Hello!
>>
>> I run Squid 3.4.3.
>>
>> Users complained they can't connect to the following URL:
>>
>> https://kz.grfc.ru/portal/faces/app/materials/active.jspx
>>
>> I tried to reproduce this and it is always reproducible.
>>
>> I get - connection was terminated (back translation from Russian)
>> in Firefox 27.0.
>>
>> This is what I see in the Squid log:
>>
>> 1392371365.469 47 192.168.22.229 TCP_MISS/200 7 CONNECT
>> kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>>
>> If I connect to the site directly (i.e. just over NAT, no proxy), it works
>> with the same Firefox version.
>>
>>
>> Surprisingly (I tried this on Windows) it works with IE:
>> 1392371835.532 130 192.168.22.111 TCP_MISS/200 26597 CONNECT
>> kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>> 1392371835.620 76 192.168.22.111 TCP_MISS/200 602 CONNECT
>> kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>> 1392371835.645 102 192.168.22.111 TCP_MISS/200 10543 CONNECT
>> kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>> 1392371835.724 78 192.168.22.111 TCP_MISS/200 3354 CONNECT
>> kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>> 1392371835.752 129 192.168.22.111 TCP_MISS/200 17145 CONNECT
>> kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>> 1392371835.805 78 192.168.22.111 TCP_MISS/200 655 CONNECT
>> kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
>>
>>
>> Just because it works in Firefox 27.0 directly, I guess this is some
>> incompatibility between Squid and Firefox.
>>
>> Could you tell me what I can do to solve this?
>>
>> Thank you!
>>
> BTW, I just tested Firefox 24.3.0.
> It works. Just curious, what can prevent 27.0 from working over the proxy...
>
> Thank you!
Received on Fri Feb 14 2014 - 10:35:16 MST
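
Added example, not part of the original messages: a small triage script over the access-log lines quoted in this thread, which separates clients whose CONNECT tunnels to a host came back with almost nothing (the 7-byte Firefox 27.0 entry) from clients that moved real data (the IE entries). It assumes Squid's native log format, where the fifth field is the number of bytes delivered to the client; the 7-byte threshold, chosen because a plaintext TLS alert record is exactly that long, and the function names are assumptions of this example.

```python
from collections import defaultdict

# Access-log lines quoted in the thread, with the mail client's wrapping undone.
SAMPLE_LOG = """\
1392371365.469 47 192.168.22.229 TCP_MISS/200 7 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
1392371835.532 130 192.168.22.111 TCP_MISS/200 26597 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
1392371835.620 76 192.168.22.111 TCP_MISS/200 602 CONNECT kz.grfc.ru:443 dm HIER_DIRECT/194.165.22.130 -
"""

# A plaintext TLS alert record is a 5-byte record header plus a 2-byte alert.
TLS_ALERT_RECORD_LEN = 7


def parse_connect(line):
    """Parse one native-format access.log line; return None unless it is a CONNECT."""
    f = line.split()
    if len(f) < 10 or f[5] != "CONNECT":
        return None
    try:
        return {"client": f[2], "status": f[3], "bytes": int(f[4]), "dest": f[6]}
    except ValueError:
        return None


def split_clients(log_text, max_bytes=TLS_ALERT_RECORD_LEN):
    """Per destination, list clients whose tunnels never carried more than
    max_bytes back ("failing") and clients with at least one larger tunnel."""
    largest = defaultdict(int)
    for line in log_text.splitlines():
        e = parse_connect(line)
        if e and e["status"].endswith("/200"):  # tunnel itself was established
            key = (e["dest"], e["client"])
            largest[key] = max(largest[key], e["bytes"])
    report = defaultdict(lambda: {"failing": [], "working": []})
    for (dest, client), size in sorted(largest.items()):
        report[dest]["failing" if size <= max_bytes else "working"].append(client)
    return dict(report)


if __name__ == "__main__":
    for dest, groups in split_clients(SAMPLE_LOG).items():
        print(dest, groups)
```

A destination that shows both failing and working clients points at a client-specific handshake problem rather than at the proxy's reachability of the host.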
