git.ipfire.org Git - thirdparty/squid.git/commit

author	Christos Tsantilas <christos@chtsanti.net>
	Fri, 24 Apr 2020 22:08:23 +0000 (22:08 +0000)
committer	Squid Anubis <squid-anubis@squid-cache.org>
	Fri, 24 Apr 2020 23:05:00 +0000 (23:05 +0000)
commit	cd29a4210f38e2e3a77ad7b0b83a5348d56ea5ff
tree	f7cf4d074e55b21032905e84ccab5ca57eaa52b1	tree
parent	245314010d602178b273b9681050769755ab6f6f	commit \| diff

SslBump: Disable OpenSSL TLSv1.3 support for older TLS traffic (#588)

This change fixes stalled peeked-at during step2 connections from IE11
and FireFox v56 running on Windows 10 (at least), producing "Handshake
with SSL server failed" cache.log errors with this OpenSSL detail:

`SSL routines:ssl_choose_client_version:inappropriate fallback`

Disabling TLS v1.3 support for older TLS connections is required
because, in the affected environments, OpenSSL detects and, for some
unknown reason, blocks a "downgrade" when a server claims support for
TLS v1.3 but then accepts a TLS v1.2 connection from an older client.

This is a Measurement Factory project

src/anyp/ProtocolVersion.h		diff \| blob \| blame \| history
src/client_side.cc		diff \| blob \| blame \| history
src/security/Handshake.cc		diff \| blob \| blame \| history
src/security/Handshake.h		diff \| blob \| blame \| history
src/security/NegotiationHistory.cc		diff \| blob \| blame \| history
src/ssl/PeekingPeerConnector.cc		diff \| blob \| blame \| history
src/ssl/PeekingPeerConnector.h		diff \| blob \| blame \| history
src/ssl/bio.cc		diff \| blob \| blame \| history
src/ssl/bio.h		diff \| blob \| blame \| history
src/tests/stub_libsecurity.cc		diff \| blob \| blame \| history