[squid-users] SSL errors with Squid 3.5.27

Amos Jeffries squid3 at treenet.co.nz
Sun Jun 10 06:49:56 UTC 2018


On 10/06/18 03:46, Julian Perconti wrote:
>>> https_port 3130 intercept ssl-bump \
>>>   cert=/etc/squid/ssl_cert/squidCA.pem \
>>>   key=/etc/squid/ssl_cert/squidCA.pem \
>>>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>>>   tls-dh=/etc/squid/ssl_cert/dhparam.pem
>>
>> These DH parameters are for old DH not for ECDHE (missing curve name).
>> So this may be restricting what your Squid can do to match up the client and server crypto requirements.
> 
> Hi Amos,
> 
> I have commented the line: "tls-dh=/etc/squid/ssl_cert/dhparam.pem"
> 
> And, it seems that many errors (SSL errors) in cache.log have disappeared.
> I will confirm later if WhatsApp works from iOS/Android.
> 
> Thank You!
> 
> PS: I used this option (tls-dh, dhparam, etc.) following the official documentation of squid-cache.org for "hardening" ... or "improving security", etc.

Interesting.

The main issue was that you configured only params for the Diffie-Hellman
(DH and DHE) ciphers - no curve name. That meant your specified EEC*
ciphers were disabled since they require a curve name as well.

Removing this option completely disables both DH and ECDH cipher types,
leaving your proxy with only the RSA based ciphers.

Amos
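For reference, the two forms of the tls-dh option that this exchange is about, as an added example rather than anything from the thread or from the Squid project itself. The file paths are the ones from Julian's configuration; `prime256v1` (OpenSSL's name for NIST P-256) is an assumed curve name chosen for illustration.

```text
# Weak form from the thread: a DH parameter file only. Squid gets parameters
# for DH/DHE but no curve for ECDHE, so the ECDHE cipher suites have nothing
# to key on and are effectively disabled.
https_port 3130 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/squidCA.pem \
  key=/etc/squid/ssl_cert/squidCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
  tls-dh=/etc/squid/ssl_cert/dhparam.pem

# Corrected form: tls-dh accepts "[curve:]file", so a named curve prefixed to
# the same file supplies the ECDHE side as well as the DHE parameters.
# The parameter file itself is created with OpenSSL, e.g.:
#   openssl dhparam -out /etc/squid/ssl_cert/dhparam.pem 2048
# (prime256v1 is an assumed curve name for this example; any curve OpenSSL
# recognises may be used, and it must match what the clients support.)
https_port 3130 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/squidCA.pem \
  key=/etc/squid/ssl_cert/squidCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
  tls-dh=prime256v1:/etc/squid/ssl_cert/dhparam.pem
```

After reloading, the cipher suites actually negotiated can be confirmed from cache.log at debug level or by connecting with `openssl s_client` to the intercept port and checking the reported key exchange.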

