[squid-users] Squid 3.5 Forward Secrecy on https_port

Julianne Bielski bielsk at us.ibm.com
Thu Aug 13 14:40:40 UTC 2015

But does this mean that ECDHE isn't supported by Squid?

I had a related question as the original poster. Some U.S. federal security
standards (e.g. NSA Suite B) require ECDH and ECDHE adds perfect forward

Can squid bump TLS 1.2 traffic that uses ECDHE and that use certificates
signed using ECDSA?

From:	Marcus Kool <marcus.kool at urlfilterdb.com>
To:	dweimer at dweimer.net, Squid Users <squid-users at squid-cache.org>
Date:	08/12/2015 05:10 PM
Subject:	Re: [squid-users] Squid 3.5 Forward Secrecy on https_port
Sent by:	"squid-users" <squid-users-bounces at lists.squid-cache.org>

>> Does anyone see something missing in my https_port configuration that
>> is causing it to not use the ECDHE keys?
> I made some updates above, the dh.params file wasn't being found, changed
that line to use full path, and its now use DHE ciphers, but not ECDHE

ECDHE is not considered safe by a group of cryptologists since the EC
implementation is based on secret parameters that only the author of the
algorithm has.
See also http://safecurves.cr.yp.to/rigid.html

squid-users mailing list
squid-users at lists.squid-cache.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150813/acbc3655/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150813/acbc3655/attachment.gif>

More information about the squid-users mailing list