[squid-users] tls_outgoing_options, cipher list not parseable

L A Walsh squid-user at tlinx.org
Thu Oct 11 23:34:04 UTC 2018 

I seem to have a problem specifying the cipher list in the tls_outgoing 
options.
The line I have:
tls_outgoing_options 
options=NOSSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE,cipher=EECDH+ECDSA+AESGCM:\
EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:\
EECDH+aRSA+SHA256:EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

Of note, I split the line here in email with '\', but in the config
file, it is one long line (w/o the '\').

The error I get from squid 4.0.25 is: (using check)

# /usr/sbin/squid -k check
2018/10/11 16:14:31| FATAL: Unknown TLS option 
'=EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:\
EECDH-aRSA-SHA384:EECDH-aRSA-SHA256:EECDH-aRSA-RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:\
!MD5:!EXP:!PSK:!SRP:!DSS'

(w/o the splits).

I can't tell what it is objecting to.

To give it a rootcert, can I re-use the same rootcert
I had in 3.x?


Below is my config w/o comment lines.  This is a private proxy.


acl msdata dstdomain \.data\.microsoft\.com
acl localnet  src 127.0.0.0/8
acl localnet  src 192.168.3.0/24
acl sc_subnet src 192.168.3.0/24
acl robot_txt url_regex -i ^http.*/robots.txt$
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 81        # http
acl Safe_ports port 82        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1024-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl Allowed_Connect port 1024-65535    #allowed non-SSL Connects to 
non-reserved ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny msdata
http_access allow CONNECT Safe_Ports
http_access allow localhost manager
http_access allow localnet manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port ishtar.sc.tlinx.org:8118 ignore-cc ssl-bump 
generate-host-certificates=on dynamic_cert_mem_cache_size=64MB
http_port ishtar.sc.tlinx.org:8080 ignore-cc
http_port 127.0.0.1:8118 ignore-cc
http_port 127.0.0.1:8080 ignore-cc
http_port wpad.sc.tlinx.org:80
acl WPAD urlpath_regex ^/wpad.dat$
deny_info 200:wpad.dat WPAD
http_access deny WPAD
reply_header_access Content-Type deny WPAD
reply_header_replace Content-Type application/x-ns-proxy-autoconfig
acl internal_net src 192.168.3.0/24
clientside_tos 0x54
tls_outgoing_options 
options=NOSSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE,cipher=EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:EECDH-aRSA-SHA384:EECDH-aRSA-SHA256:EECDH-aRSA-RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_session_ttl 900
sslproxy_session_cache_size 16 MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s 
/var/cache/squid/lib/ssl_db -M 128MB
maximum_object_size 2 GB
cache_dir aufs /var/cache/squid 98304 64 64
workers 1
log_mime_hdrs on
strip_query_terms off
buffered_logs on
cache_log /var/log/squid/cache.log squid
debug_options ALL,1,11,2 rotate=10
coredump_dir /var/cache/squid rotate=10
url_rewrite_host_header off
url_rewrite_access deny all
max_stale 60 days
refresh_pattern -i /robots.txt$  600 90% 3600 ignore-reload 
ignore-no-store ignore-must-revalidate ignore-private ignore-auth 
override-lastmod store-stale
refresh_pattern -i download 10 50% 100800 override-expire ignore-private 
ignore-must-revalidate
refresh_pattern -i \.flv 10080 90% 10080 override-expire ignore-private
refresh_pattern -i \.pdf 3600 90% 10080 ignore-no-store ignore-private 
override-expire
refresh_pattern -i \.(ico|gif|jpg|png)   600 20%   4320    
ignore-private override-expire
refresh_pattern ^http(s)?://bakabt.me   1200 30%   14320    
ignore-private override-expire ignore-no-store ignore-no-cache 
ignore-must-revalidate
refresh_pattern ^http(s)?://*.bakashots.me   1200 30%   14320    
ignore-private override-expire ignore-no-store ignore-no-cache 
ignore-must-revalidate
refresh_pattern -i \.html   0 20%   4320    ignore-private  ignore-no-store
refresh_pattern -i (/cgi-bin/|\?) 0    10%    1    ignore-private
refresh_pattern ^(http|https):   0 20%   4320    ignore-private
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern .        0    20%    4320
quick_abort_min 16 MB
quick_abort_max 24 MB
quick_abort_pct 75
read_ahead_gap 768 MB
negative_ttl 2 seconds
range_offset_limit 1 MB
store_avg_object_size 256 KB
store_objects_per_bucket 32
request_header_max_size 1 MB
client_request_buffer_max_size 2 MB
vary_ignore_expire on
request_header_access Strict-Transport-Security deny all
request_header_replace Strict-Transport-Security max-age=0; 
includeSubDomains
reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
collapsed_forwarding on
forward_timeout 10 seconds
request_timeout 45 seconds
request_timeout 45 seconds
ident_timeout 1 seconds
shutdown_lifetime 8 seconds
visible_hostname    web-proxy
hostname_aliases ishtar ishtar.sc.tlinx.org web-proxy ns1.sc.tlinx.org  
webproxy
umask 002
always_direct allow all
dns_packet_max 1400 bytes
dns_defnames on
dns_v4_first on
memory_pools_limit 2 GB
forwarded_for transparent
reload_into_ims on
connect_retries 2
retry_on_error on
pipeline_prefetch 8
high_response_time_warning 15000
high_page_fault_warning 512

More information about the squid-users mailing list