[squid-users] Transition from squid3.5 to squid4; ciphers don't work anymore, ERROR: Unknown TLS option SINGLE_DH_USE

chiasa.men chiasa.men at web.de
Mon Feb 12 13:29:09 UTC 2018


Hi, I tried squid4.

Squid Cache: Version 4.0.23 
This binary uses OpenSSL 1.1.1-dev  xx XXX xxxx

Before, I used:
Squid Cache: Version 3.5.27 
This binary uses OpenSSL 1.0.2g  1 Mar 2016

Some of the config directives changed:
E.g.
sslproxy_options SINGLE_DH_USE,SINGLE_ECDH_USE
->
tls_tls_outgoing_options options=SINGLE_DH_USE,SINGLE_ECDH_USE 

But in version 4 that results in the following errors (cache.log):
ERROR: Unknown TLS option SINGLE_DH_USE
ERROR: Unknown TLS option SINGLE_ECDH_USE

(same error with the same options in https_proxy)

Is that a problem related to the openssl version change?


In cache_peer I now also have to configure tls-cafile=/etc/ssl/certs/ca-certificates.crt explicitly (I used some self-signed certificates for testing, but in Squid3 I didn't need to configure that).
Otherwise I get:
(71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
In the reference it's stated that:
	tls-default-ca[=off]
			Whether to use the system Trusted CAs. Default is ON.
Shouldn't the tls-cafile option be unnecessary since it's trusted by default?



Furthermore I set Apache (the peer) to "SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384"
as well as cache_peer sslcipher=ECDHE-ECDSA-AES256-GCM-SHA384

ERROR: negotiating TLS on FD 20: error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available (1/-1/0)

How can that be?
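One check worth running before blaming the peer, added here as example code (not from this thread, and not Squid's own code): ask the OpenSSL that the client binary links against what it makes of the cipher string, which certificate key type the resulting suites require, and what value it assigns to the old SINGLE_DH_USE/SINGLE_ECDH_USE options. The cipher from the post is an ECDHE-ECDSA suite, which only completes a handshake against a peer holding an ECDSA certificate; the cipher name and option names below are taken from the post, everything else is constructed.

```python
import ssl

# Values taken from the post: the cache_peer sslcipher= value and the old
# sslproxy_options names (constructed input for the checks below).
CIPHER_FROM_POST = "ECDHE-ECDSA-AES256-GCM-SHA384"
OLD_OPTION_NAMES = ("SINGLE_DH_USE", "SINGLE_ECDH_USE")


def resolve_ciphers(spec):
    """Ask the linked OpenSSL which suites `spec` expands to.

    Returns the cipher dicts from SSLContext.get_ciphers(), or [] when OpenSSL
    rejects the string outright ("no cipher can be selected").
    TLS 1.3 suites are dropped: OpenSSL 1.1.1+ configures those separately,
    so they appear regardless of `spec` and say nothing about it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def required_peer_auth(spec):
    """Certificate key types the peer must present for any suite in `spec`.

    A client restricted to ECDHE-ECDSA suites can only finish a handshake with
    a peer that holds an ECDSA certificate; an RSA-only peer leaves no common
    suite. The 'auth' field exists when Python is built against OpenSSL 1.1+.
    """
    return sorted({c.get("auth", "unknown") for c in resolve_ciphers(spec)})


def legacy_single_use_options():
    """Bit values this OpenSSL build assigns to the old SINGLE_*DH_USE options.

    Maps each name from the post to ssl.OP_<name> (None if this Python lacks
    it). A value of 0 means the option is a no-op in the linked OpenSSL, which
    has been the case since OpenSSL 1.1.0 made both always-on.
    """
    return {name: getattr(ssl, "OP_" + name, None) for name in OLD_OPTION_NAMES}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for c in resolve_ciphers(CIPHER_FROM_POST):
        print(c["name"], c["protocol"], c.get("kea"), c.get("auth"))
    print("peer must present:", required_peer_auth(CIPHER_FROM_POST))
    print("legacy options:", legacy_single_use_options())
```

Run it with the Python that shares the system OpenSSL with Squid; a cipher string that resolves here but still fails in the proxy points at the peer side (certificate key type, protocol version) rather than at the string itself.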