[squid-users] Transition from squid3.5 to squid4; ciphers don't work anymore, ERROR: Unknown TLS option SINGLE_DH_USE

chiasa.men chiasa.men at web.de
Sat Feb 17 13:39:39 UTC 2018


On Saturday, 17 February 2018 at 14:28:04 CET, chiasa.men wrote:
> On Monday, 12 February 2018 at 14:29:09 CET, chiasa.men wrote:
> > Hi I tried squid4.
> > 
> > Squid Cache: Version 4.0.23
> > This binary uses OpenSSL 1.1.1-dev  xx XXX xxxx
> > 
> > Before, I used:
> > Squid Cache: Version 3.5.27
> > This binary uses OpenSSL 1.0.2g  1 Mar 2016
> > 
> > Some of the config directives changed:
> > E.g.
> > sslproxy_options SINGLE_DH_USE,SINGLE_ECDH_USE
> > ->
> > tls_tls_outgoing_options options=SINGLE_DH_USE,SINGLE_ECDH_USE
> > 
> > But in version 4 that results in the following errors (cache.log):
> > ERROR: Unknown TLS option SINGLE_DH_USE
> > ERROR: Unknown TLS option SINGLE_ECDH_USE
> > 
> > (same error with the same options in https_proxy)
> > 
> > Is that a problem related to the openssl version change?
> > 
> > 
> > In cache_peer I also now have to configure
> > tls-cafile=/etc/ssl/certs/ca-certificates.crt explicitly (I used some
> > self-signed certificates for testing, but in Squid3 I didn't need to
> > configure that).
> > Otherwise I get:
> > (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
> > 
> > In the reference it's stated that:
> > 	tls-default-ca[=off]
> > 			Whether to use the system Trusted CAs. Default is ON.
> > 
> > Shouldn't the tls-cafile option be unnecessary since it's trusted by
> > default?
> > 
> > 
> > 
> > Furthermore I set Apache (the peer) to
> > "SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384"
> > as well as cache_peer sslcipher=ECDHE-ECDSA-AES256-GCM-SHA384
> > 
> > ERROR: negotiating TLS on FD 20: error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available (1/-1/0)
> > 
> > How can that be?
> > 
> > 
> > 
> > 
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> 
> Any idea?

I could solve the "no ciphers available" by appending "TLS13-AES-256-GCM-SHA384" to the ciphers.
But the log shows the use of "ECDHE-ECDSA-AES256-GCM-SHA384".
Why is that cipher relevant if it's not used?
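A way to check, before a cipher string goes into squid.conf, what the local OpenSSL actually enables for it and what two sides configured that way still have in common. This is an added example, not code from the thread or from the Squid project; it uses only Python's standard ssl module and models the overlap statically rather than running a handshake. On released OpenSSL 1.1.1 the TLS 1.3 suites are a separate list that stays enabled whatever the cipher string says, which is why they appear under TLSv1.3 even when the string names only one TLS 1.2 suite; whether the 1.1.1-dev snapshot used above behaved the same is not something this thread settles.

```python
import ssl


def enabled_ciphers(cipher_string):
    """Suites the local OpenSSL enables for an OpenSSL cipher string
    (the value squid takes in sslcipher= / cipher=), grouped by the
    protocol version each suite belongs to.  Returns None when OpenSSL
    rejects the string outright, which is the library-level form of
    "no ciphers available"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    by_proto = {}
    for c in ctx.get_ciphers():
        by_proto.setdefault(c["protocol"], []).append(c["name"])
    return by_proto


def common_ciphers(client_string, server_string):
    """Static model of what a client (squid's cache_peer sslcipher=)
    and a server (Apache's SSLCipherSuite) can negotiate: the suites
    both strings enable, keyed by protocol.  No entry for the protocol
    that gets negotiated means the handshake fails with
    "no ciphers available".  Returns {} if either string is rejected."""
    client = enabled_ciphers(client_string)
    server = enabled_ciphers(server_string)
    if client is None or server is None:
        return {}
    common = {}
    for proto, names in client.items():
        shared = [n for n in names if n in server.get(proto, [])]
        if shared:
            common[proto] = shared
    return common


if __name__ == "__main__":
    # Constructed sample: the suite both sides in the thread were set to,
    # plus a typo'd string to show what a rejected list looks like.
    peer = "ECDHE-ECDSA-AES256-GCM-SHA384"
    print("squid side :", enabled_ciphers(peer))
    print("negotiable :", common_ciphers(peer, peer))
    print("typo       :", enabled_ciphers("ECDHE-ECDSA-AES256-GCM-SHA38"))
```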