[squid-users] SSL errors with Squid 3.5.27

Julian Perconti vh1988 at yahoo.com.ar
Sat Jun 9 15:46:06 UTC 2018


>> https_port 3130 intercept ssl-bump \
>>   cert=/etc/squid/ssl_cert/squidCA.pem \
>>   key=/etc/squid/ssl_cert/squidCA.pem \
>>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>>   tls-dh=/etc/squid/ssl_cert/dhparam.pem
>
>These DH parameters are for old DH not for ECDHE (missing curve name).
>So this may be restricting what your Squid can do to match up the client and server crypto requirements.

Hi Amos,

I have commented out the line: "tls-dh=/etc/squid/ssl_cert/dhparam.pem"

And, it seems that many errors (SSL errors) in cache.log have disappeared.
I will confirm later if WhatsApp works from iOS/Android.

Thank you!

PS: I used this option (tls-dh, dhparam, etc.) following the official documentation of squid-cache.org for "hardening" ... or "improving security", etc.
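
The reply quoted above points at a `tls-dh` value that names no curve. As an added example (not part of the original thread and not Squid's own tooling), this Python check reports that condition for each `http_port`/`https_port` directive, assuming the `tls-dh=[curve:]file` form from the squid.conf documentation. The sample configuration, the second listener and the status labels are constructed for illustration.

```python
# Added example: audit squid.conf port directives for tls-dh without a curve.
# Constructed sample; the first directive mirrors the one quoted in the thread
# (with the continuation restored), the second is hypothetical.
SAMPLE_CONF = r"""
https_port 3130 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/squidCA.pem \
  key=/etc/squid/ssl_cert/squidCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
  tls-dh=/etc/squid/ssl_cert/dhparam.pem
# hypothetical listener using the curve:file form
https_port 3131 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem \
  tls-dh=prime256v1:/etc/squid/ssl_cert/dhparam.pem
http_port 3128
"""


def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        full, buf = (buf + line).strip(), ""
        if full and not full.startswith("#"):
            yield full


def audit_tls_dh(text):
    """Return (port, status) for each TLS-enabled http_port/https_port."""
    findings = []
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0] not in ("http_port", "https_port") or len(tokens) < 2:
            continue
        opts = dict(t.split("=", 1) for t in tokens[2:] if "=" in t)
        if "cert" not in opts and "tls-dh" not in opts:
            continue  # plain listener, no TLS options to check
        value = opts.get("tls-dh")
        prefix, sep, _ = (value or "").partition(":")
        if value is None:
            status = "unset"
        elif sep and prefix and "/" not in prefix:
            status = "curve:" + prefix  # ECDHE curve named
        else:
            status = "dh-only"  # bare file: the case flagged in the reply
        findings.append((tokens[1], status))
    return findings


if __name__ == "__main__":
    for port, status in audit_tls_dh(SAMPLE_CONF):
        print(port, status)
```

Curve names accepted by the local OpenSSL build can be listed with `openssl ecparam -list_curves`.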


