On fre, 2008-01-25 at 10:21 -0500, JSiergiej@pennsoftware.com wrote:
> However, I don't believe this should be how Squid should be handling this
> issue. If users have both Use SSLv2 and Use SSLv3 checked in IE then
> SSLv3 should be used and let the user in, ignoring the Use SSLv2 option.
> The way this is working now, no one will be able to view the https page
> unless everyone who browses to the site goes and unchecks the Use SSLv2
> option, which will be unacceptable for the client because business will be
> impacted.
If you have both versions enabled in the browser then the browser begins
by using SSLv2, and then only after a successful SSLv2 handshake
requests an SSL upgrade to SSL version 3 or TLS.
And if you then configure Squid to listen with version=3 to support ONLY
SSLv3 then it won't recognise the SSLv2 handshake at all and aborts the
connection as malformed.
As I said previously the version=X option should only be used in very
controlled environments. In all other cases use options=NO_SSLv2.
> I used the options=NO_SSLv2 tag and I can still access the website with
> SSLv2. I tested this with openssl and a firefox browser with tls1 and
> sslv3 disabled and I get connected every time.
Works for me.
https_port 1443 cert=/home/henrik/squid/etc/test.pem options=NO_SSLv2
openssl s_client -no_ssl3 -no_tls1 -connect localhost:1443
or
openssl s_client -ssl2 -connect localhost:1443
both result in
CONNECTED(00000003)
write:errno=104
2008/01/25 18:38:21| clientNegotiateSSL: Error negotiating SSL
connection on FD 27: error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol (1/-1)
and leaving either SSLv3 or TLSv1 enabled in openssl makes a successful
connection. And so does telling openssl to use SSLv3 or TLSv1 directly
from start.
openssl s_client -no_ssl3 -connect localhost:1443
openssl s_client -no_tls1 -connect localhost:1443
openssl s_client -ssl3 -connect localhost:1443
openssl s_client -tls1 -connect localhost:1443
I can't test with Firefox as the version of Firefox I have doesn't even
support SSLv2, only SSLv3 and TLSv1.
Regards
Henrik
Received on Fri Jan 25 2008 - 10:53:17 MST
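As an added example (not part of Henrik's message, nor Squid's or OpenSSL's own code): a small Python model of the two ClientHello layouts and the two https_port policies discussed in the thread. A client with SSLv2 and SSLv3 both enabled opens with an SSLv2-format CLIENT-HELLO whose version field advertises the highest version it speaks; an SSLv3/TLS-only client sends a record-layer ClientHello. The policy rules (version=3 understands only the SSLv3 layout; options=NO_SSLv2 understands both layouts but never agrees to SSLv2; the server picks the highest common version) are a simplification assumed for illustration, and every hello and cipher list is constructed inline.

```python
"""Added example, not code from the squid-users thread or from Squid/OpenSSL.

Simplified model (assumption) of how an SSL23-style server treats the two
ClientHello layouts under two Squid https_port policies:
  version=3        -> SSLv3-only: an SSLv2-format hello is "unknown protocol"
  options=NO_SSLv2 -> both layouts understood, but SSLv2 is never negotiated
All sample hellos below are constructed for this example.
"""
import struct

SSL2, SSL3, TLS1 = 0x0002, 0x0300, 0x0301
NAMES = {SSL2: "SSLv2", SSL3: "SSLv3", TLS1: "TLSv1"}


def sslv2_hello(version, cipher_specs):
    """Build an SSLv2 CLIENT-HELLO: 2-byte length with the high bit set, type 1,
    2-byte version, then cipher-spec/session-id/challenge lengths and data."""
    specs = b"".join(struct.pack(">I", c)[1:] for c in cipher_specs)  # 3-byte specs
    challenge = b"\x11" * 16  # constructed, fixed for the example
    body = struct.pack(">BHHHH", 1, version, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def sslv3_hello(version, cipher_suites):
    """Build an SSLv3/TLS record-layer ClientHello (record type 0x16)."""
    suites = b"".join(struct.pack(">H", c) for c in cipher_suites)
    body = struct.pack(">H", version) + b"\x22" * 32 + b"\x00"     # version, random, no session id
    body += struct.pack(">H", len(suites)) + suites + b"\x01\x00"  # suites, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 + 3-byte length
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake


def parse_client_hello(data):
    """Return ('sslv2' | 'sslv3', client_version); anything else is "unknown protocol",
    the same failure path as OpenSSL's SSL23_GET_CLIENT_HELLO error in the thread."""
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "sslv3", struct.unpack(">H", data[9:11])[0]
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2", struct.unpack(">H", data[3:5])[0]
    raise ValueError("unknown protocol")


def negotiate(data, policy):
    """Return the version the server agrees to under the given https_port policy
    (simplified model, see module docstring), or raise ValueError."""
    fmt, client_version = parse_client_hello(data)
    if policy == "version=3":
        # SSLv3-only method: only the SSLv3 record layout is understood at all.
        if fmt != "sslv3" or client_version < SSL3:
            raise ValueError("unknown protocol")
        return SSL3
    if policy == "options=NO_SSLv2":
        # SSLv23 method minus SSLv2: highest common version, but never SSLv2.
        chosen = min(client_version, TLS1)
        if chosen < SSL3:
            raise ValueError("unknown protocol")
        return chosen
    raise ValueError("unsupported policy " + policy)


# Constructed sample hellos mirroring the clients mentioned in the thread.
IE_BOTH_BOXES = sslv2_hello(TLS1, [0x010080, 0x000035])  # SSLv2 + SSLv3 checked, offers TLS1
NO_TLS1_COMPAT = sslv2_hello(SSL3, [0x010080, 0x00000a])  # openssl s_client -no_tls1
PURE_SSLV2 = sslv2_hello(SSL2, [0x010080])               # openssl s_client -ssl2
SSLV3_DIRECT = sslv3_hello(SSL3, [0x000a])               # openssl s_client -ssl3
TLS1_DIRECT = sslv3_hello(TLS1, [0x002f])                # openssl s_client -tls1


def outcome(data, policy):
    """Human-readable result for one hello under one policy."""
    try:
        return NAMES[negotiate(data, policy)]
    except ValueError as err:
        return "rejected: " + str(err)


if __name__ == "__main__":
    samples = [("IE both boxes", IE_BOTH_BOXES), ("-no_tls1", NO_TLS1_COMPAT),
               ("-ssl2", PURE_SSLV2), ("-ssl3", SSLV3_DIRECT), ("-tls1", TLS1_DIRECT)]
    for name, hello in samples:
        for policy in ("version=3", "options=NO_SSLv2"):
            print(f"{name:14} {policy:17} -> {outcome(hello, policy)}")
```

The point the model makes visible is the one in the reply: with version=3 the IE-style SSLv2-format opener is thrown out before any version is even looked at, while with options=NO_SSLv2 that same opener is read, its advertised TLSv1 is accepted, and only a client that truly speaks nothing above SSLv2 is refused.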