Re: [squid-users] NONE/501 in an https:// POST request

From: Ralf Hildebrandt <Ralf.Hildebrandt_at_charite.de>
Date: Fri, 21 Jan 2011 11:43:36 +0100

* Ralf Hildebrandt <Ralf.Hildebrandt_at_charite.de>:

> 2011/01/21 11:25:46| fwdNegotiateSSL: Error negotiating SSL connection on FD 1539: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter (1/-1/0)
> 2011/01/21 11:25:46| fwdNegotiateSSL: Error negotiating SSL connection on FD 281: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter (1/-1/0)
> 2011/01/21 11:25:46| fwdNegotiateSSL: Error negotiating SSL connection on FD 281: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter (1/-1/0)
>
> I enabled
> # START
> acl BrokenServersAtTrustedIP dst 194.151.178.174/32
> sslproxy_cert_error allow BrokenServersAtTrustedIP
> sslproxy_cert_error deny all
> # END
>
> What am I missing?

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/595415
RAAAH!

% openssl s_client -connect enis.eurotransplant.nl:443
CONNECTED(00000003)
24418:error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter:s23_clnt.c:602:

but:

# openssl s_client -ssl3 -connect enis.eurotransplant.nl:443
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0

---
Certificate chain
...
So, how do I force Squid-3.2 to use SSLv3 for that site?
-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebrandt@charite.de | http://www.charite.de
	    
Received on Fri Jan 21 2011 - 10:43:57 MST
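
Added example, not part of the original message or of Squid: a small triage helper that decodes the packed OpenSSL error code in `fwdNegotiateSSL` lines, separating alerts sent by the server from local failures such as certificate verification. It assumes the OpenSSL 0.9.8/1.0.x error-code layout and a partial alert table; the fourth sample line is constructed for contrast.

```python
import re
from collections import Counter

# TLS alert numbers (RFC 5246, section 7.2); subset only.
TLS_ALERTS = {10: "unexpected_message", 40: "handshake_failure",
              42: "bad_certificate", 47: "illegal_parameter",
              48: "unknown_ca", 70: "protocol_version"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| fwdNegotiateSSL: "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):")

def decode_openssl_error(code_hex):
    """Split an OpenSSL 0.9.8/1.0.x packed error code into lib/func/reason."""
    e = int(code_hex, 16)
    lib, func, reason = (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF
    # In the SSL library (lib 20), reasons >= 1000 mean 1000 + the alert
    # number received from the peer (SSL_AD_REASON_OFFSET).
    alert = reason - 1000 if lib == 20 and reason >= 1000 else None
    return {"lib": lib, "func": func, "reason": reason,
            "peer_alert": alert, "alert_name": TLS_ALERTS.get(alert)}

def summarize(log_text):
    """Count fwdNegotiateSSL failures per (error code, classification)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        info = decode_openssl_error(m.group("code"))
        if info["peer_alert"] is None:
            label = "not a peer alert"
        else:
            label = info["alert_name"] or "alert %d" % info["peer_alert"]
        counts[(m.group("code").upper(), label)] += 1
    return counts

# First three lines: cache.log entries quoted in the message above.
# Fourth line: constructed sample of a local certificate verification failure.
SAMPLE = """\
2011/01/21 11:25:46| fwdNegotiateSSL: Error negotiating SSL connection on FD 1539: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter (1/-1/0)
2011/01/21 11:25:46| fwdNegotiateSSL: Error negotiating SSL connection on FD 281: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter (1/-1/0)
2011/01/21 11:25:46| fwdNegotiateSSL: Error negotiating SSL connection on FD 281: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter (1/-1/0)
2011/01/21 11:26:02| fwdNegotiateSSL: Error negotiating SSL connection on FD 12: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
"""

if __name__ == "__main__":
    for (code, label), n in sorted(summarize(SAMPLE).items()):
        print("%s  %-20s %d" % (code, label, n))
```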
