[squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 11 12:05:15 UTC 2019


On 11/12/19 4:00 pm, GeorgeShen wrote:
> I'm running the latest squid from the download site, 4.9.
> OK, I suspect that was related to my ^C while running the process in the foreground,
> but I also see before that there are warning messages in the log:
> 2019/12/09 19:23:12.116 kid1| WARNING: /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB #Hlpr5 exited
> 2019/12/09 19:23:12.118 kid1| WARNING: /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB #Hlpr1 exited
> 2019/12/09 19:23:12.123 kid1| WARNING: /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB #Hlpr3 exited
> 
> It could also be related to my ^C, but I'm not sure.
> 
> The other problem, I have found, is related to my golang program setting the
> ciphersuite to some more secure cipher algorithms:
> tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and
> tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. After removing those cipher
> restrictions, the ssl-bump does work.

That implies that your proxy is configured in such a way that these
ciphers are not usable, and/or that the origin servers being contacted
cannot handle them.

You may want to fix that, at least for Squid. To do so, set the tls-dh=
option with a preferred EC curve name and a DHE parameters file.


Amos
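The symptom described in this thread (a client that pins its cipher suites fails to complete the TLS handshake, while the same client with Go's default suite list succeeds) can be reproduced without a proxy at all. The following Go program is an added example written for this page; it is not code from the poster, from Amos, or from the Squid project. It stands up a TLS server in-process over an in-memory pipe to play the part of the bumping proxy, gives it a constructed self-signed RSA certificate for the made-up name `proxy.example.test`, and runs three handshakes against a client restricted to exactly the two suites the poster named: one where the server offers a disjoint suite (the handshake fails with a handshake_failure alert, which is what a proxy "configured in such a way that these ciphers are not usable" looks like from the client), one where the server offers an overlapping ECDHE_RSA suite (success), and one where TLS 1.3 is allowed, which shows the caveat that Go's `Config.CipherSuites` only restricts TLS 1.2 and below, so a TLS 1.3-capable proxy would never have exhibited the failure.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The two cipher suites the poster restricted their Go client to.
var posterClientSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}

// newSelfSignedRSACert builds a throwaway RSA certificate and key for the
// stand-in "proxy" side of the handshake (constructed test data, not a real cert).
func newSelfSignedRSACert(name string) (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Outcome is one handshake attempt as seen from the client side.
type Outcome struct {
	Version     uint16 // negotiated protocol version, 0 on failure
	CipherSuite uint16 // negotiated cipher suite, 0 on failure
	Err         error  // client-side handshake error, nil on success
}

// tryHandshake runs a TLS handshake over an in-memory pipe between a server
// offering only serverSuites and a client offering only clientSuites, with
// both sides capped at maxVersion. The client verifies the server cert against
// the self-signed leaf, so the only variable under test is cipher negotiation.
func tryHandshake(cert tls.Certificate, serverSuites, clientSuites []uint16, maxVersion uint16) Outcome {
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf)

	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		CipherSuites: serverSuites,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   maxVersion,
	}
	cliCfg := &tls.Config{
		RootCAs:      roots,
		ServerName:   cert.Leaf.DNSNames[0],
		CipherSuites: clientSuites,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   maxVersion,
	}

	cConn, sConn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // guard against a stuck handshake
	_ = cConn.SetDeadline(deadline)
	_ = sConn.SetDeadline(deadline)

	srvDone := make(chan struct{})
	go func() {
		defer close(srvDone)
		_ = tls.Server(sConn, srvCfg).Handshake() // the client's error is the one we report
	}()

	cli := tls.Client(cConn, cliCfg)
	err := cli.Handshake()
	_ = cConn.Close() // unblocks the server goroutine if it is still writing
	<-srvDone
	if err != nil {
		return Outcome{Err: err}
	}
	st := cli.ConnectionState()
	return Outcome{Version: st.Version, CipherSuite: st.CipherSuite}
}

func main() {
	cert, err := newSelfSignedRSACert("proxy.example.test")
	if err != nil {
		panic(err)
	}
	// 1. "Proxy" offers a suite the client did not list: TLS 1.2 handshake fails.
	bad := tryHandshake(cert, []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}, posterClientSuites, tls.VersionTLS12)
	fmt.Println("disjoint suites, TLS 1.2:", bad.Err)
	// 2. "Proxy" offers a suite in common: negotiates ECDHE_RSA_AES_128_GCM_SHA256.
	good := tryHandshake(cert, []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, posterClientSuites, tls.VersionTLS12)
	fmt.Println("overlapping suites, TLS 1.2:", tls.CipherSuiteName(good.CipherSuite), good.Err)
	// 3. Same disjoint suites, but TLS 1.3 permitted: CipherSuites is ignored for TLS 1.3, so it succeeds.
	v13 := tryHandshake(cert, []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}, posterClientSuites, tls.VersionTLS13)
	fmt.Printf("disjoint suites, TLS 1.3 allowed: version %#x %s %v\n", v13.Version, tls.CipherSuiteName(v13.CipherSuite), v13.Err)
}
```

The server side of the pipe plays the role of whatever terminates the client's TLS in the bump: with ssl-bump that is Squid itself, and the suites it can offer are governed by its `tls-` options on the `http_port`/`https_port` line; Amos's `tls-dh=` refers to the `tls-dh=[curve:]file` form documented in squid.conf, where the file is a DH parameters file such as one produced by `openssl dhparam -out dhparam.pem 2048`. Note also that the third case is the reason the poster's suite restriction would have gone unnoticed against a TLS 1.3-capable endpoint: in Go, restricting `CipherSuites` says nothing about what TLS 1.3 will negotiate.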

