[squid-users] Squid 3.5 Forward Secrecy on https_port

Julianne Bielski bielsk at us.ibm.com
Thu Aug 13 14:40:40 UTC 2015


But does this mean that ECDHE isn't supported by Squid?

I had a related question as the original poster. Some U.S. federal security
standards (e.g. NSA Suite B) require ECDH, and ECDHE adds perfect forward
secrecy.

Can Squid bump TLS 1.2 traffic that uses ECDHE and that uses certificates
signed using ECDSA?



From:	Marcus Kool <marcus.kool at urlfilterdb.com>
To:	dweimer at dweimer.net, Squid Users <squid-users at squid-cache.org>
Date:	08/12/2015 05:10 PM
Subject:	Re: [squid-users] Squid 3.5 Forward Secrecy on https_port
Sent by:	"squid-users" <squid-users-bounces at lists.squid-cache.org>




>> Does anyone see something missing in my https_port configuration that
>> is causing it to not use the ECDHE keys?
>
> I made some updates above, the dh.params file wasn't being found, changed
> that line to use full path, and it's now using DHE ciphers, but not ECDHE
> ciphers.

FWIW:
ECDHE is not considered safe by a group of cryptologists since the EC
implementation is based on secret parameters that only the author of the
algorithm has.
See also http://safecurves.cr.yp.to/rigid.html

Marcus
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
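An added example, not part of the original post or of Squid: the check a practitioner would run to settle the "DHE but not ECDHE" question above, i.e. which key exchange the https_port actually negotiated. It assumes an OpenSSL 1.0.2 or newer `openssl s_client`, which prints a "Server Temp Key:" line for ephemeral key exchanges, and falls back to the cipher-suite name for older builds. The `probe` host/port and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project):
# classify the key exchange a TLS server negotiated from `openssl s_client`
# output, to see whether an https_port is doing ECDHE, only DHE, or static RSA.
#
# Assumption (not stated on the page): OpenSSL >= 1.0.2, whose s_client prints
# "Server Temp Key: ECDH, P-256, 256 bits" / "Server Temp Key: DH, 2048 bits".
# Older builds print no such line, so the cipher-suite name is used instead.

# classify_kex: read s_client output on stdin, print ECDHE, DHE or NONE
# (NONE = static RSA key exchange, no forward secrecy).
classify_kex() {
    awk '
        /^ *Server Temp Key:/ {
            # check ECDH before DH: "ECDH," also contains "DH,"
            if ($0 ~ /ECDH|X25519|X448/) kex = "ECDHE"
            else if ($0 ~ /DH,/) kex = "DHE"
        }
        # Fallback for s_client builds without the Temp Key line.
        /^ *Cipher *:/ {
            if (kex == "" && $0 ~ /ECDHE-/) kex = "ECDHE"
            else if (kex == "" && $0 ~ /DHE-/) kex = "DHE"
        }
        END { if (kex == "") kex = "NONE"; print kex }
    '
}

# negotiated_cipher: print the cipher-suite name from s_client output on stdin.
negotiated_cipher() {
    awk -F': *' '/^ *Cipher *:/ { print $2; exit }'
}

# probe HOST PORT [CIPHERS]: run s_client against a live https_port. Passing
# "ECDHE" as CIPHERS offers only ECDHE suites, so a failed handshake means the
# server cannot do ECDHE at all (missing EC curve config, cert type, etc.).
probe() {
    host=$1; port=$2; ciphers=${3:-DEFAULT}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -cipher "$ciphers" </dev/null 2>/dev/null
}

# Constructed sample outputs (shaped like s_client's) so the classifier can be
# exercised without a live proxy.
SAMPLE_ECDHE='Server public key is 2048 bit
Server Temp Key: ECDH, P-256, 256 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

SAMPLE_DHE='Server public key is 2048 bit
Server Temp Key: DH, 2048 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'

SAMPLE_RSA='Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'

# Usage against a real proxy (replace host/port with your https_port):
#   probe proxy.example.test 3129        | classify_kex
#   probe proxy.example.test 3129 ECDHE  | classify_kex
```

If the default probe reports DHE and the ECDHE-only probe fails to handshake, the server side is the limiting factor (no usable ECDHE suite or curve on the listening port), not the client; if the ECDHE-only probe succeeds, the default cipher ordering is what keeps DHE winning.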