[squid-users] squid-users Digest, Vol 109, Issue 19

nikhil deshpande nikhildeshpande18 at gmail.com
Wed Sep 27 12:22:57 UTC 2023


Hi Team,

[Question]: Are you trying to bump TLS client connections when and
only when the TLS
client is offering to use one of those ciphers in its ClientHello
message? Or do you want Squid to use one of those ciphers when bumping
all TLS client connections? Or something else? Please clarify.

[Answer]: In our case the client is offering these two ciphers
(ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256) in its
ClientHello, but Squid is failing to complete the handshake with the
client while performing SSL-Bump.

We have attached logs and network capture.

[Question]: FWIW, to restrict Squid use of ciphers on accepted TLS client

connections, use the http_port (or https_port) "cipher" option. For
example,

     https_port 3129 ssl-bump ... \
         cipher=DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

[Answer]: We don't want to restrict Squid to these specific ciphers only.
We want Squid to use strong ciphers.

One more point I wanted to add here is that this issue is also
reproduced with the latest Squid.


On Mon, Sep 25, 2023 at 5:30 PM <squid-users-request at lists.squid-cache.org>
wrote:

> Send squid-users mailing list submissions to
>         squid-users at lists.squid-cache.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.squid-cache.org/listinfo/squid-users
> or, via email, send a message with subject or body 'help' to
>         squid-users-request at lists.squid-cache.org
>
> You can reach the person managing the list at
>         squid-users-owner at lists.squid-cache.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of squid-users digest..."
>
>
> Today's Topics:
>
>    1. Re: A few things about Squid-cache (Jason Long)
>    2. Re: A few things about Squid-cache (Amos Jeffries)
>    3. Re: Seeking Help with SSL Bump Configuration for ECDSA
>       Ciphers in Squid (nikhil deshpande)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 24 Sep 2023 18:49:06 +0000 (UTC)
> From: Jason Long <hack3rcon at yahoo.com>
> To: gkinkie at gmail.com
> Cc: Squid Users <squid-users at lists.squid-cache.org>
> Subject: Re: [squid-users] A few things about Squid-cache
> Message-ID: <575071616.3138479.1695581346718 at mail.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
> Thank you so much for your reply.
> 1- Regarding security, what parameters should be changed or added in the
> configuration file?
>
> 2- How to configure Squid-cache service for 1000 clients?
>
>
>
> On Sat, Sep 23, 2023 at 12:26 AM, Francesco Chemolli <gkinkie at gmail.com>
> wrote:
> Hi Jason!
> Squid is a complex piece of software, which is deployed in a vast number
> of scenarios, some are simpler and some are intensely adversarial and
> trickier. Securing Squid is similar to any other public-facing complex
> service; it's unfortunately not something that can be explained with a few
> tips.
> Regarding how many users Squid can support at the same time, it really
> depends, mostly on the hardware, service configuration, and user
> behaviour. On modern hardware, Squid can generally support many users, in
> the order of several thousands.
> Squid is not a firewall; on most modern Unix-like operating systems,
> including Linux, FreeBSD, and OpenBSD, that role can be fulfilled by the
> underlying operating system.
> On Thu, Sep 21, 2023 at 7:59 PM Jason Long <hack3rcon at yahoo.com> wrote:
>
> Hello,
> I have some questions:
> 1- What tips should be considered to keep Squid-cache safe?
>
> 2- How strong is Squid-cache? How many users can use it at the same time?
> 3- Can Squid-cache also play the role of a firewall? Something like the
> Microsoft ForeFront TMG Replacement or the Kemp LoadMaster.
>
> Thank you.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
>
>
>
> --
>     Francesco
>
> ------------------------------
>
> Message: 2
> Date: Mon, 25 Sep 2023 17:51:45 +1300
> From: Amos Jeffries <squid3 at treenet.co.nz>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] A few things about Squid-cache
> Message-ID: <8ffe5581-d731-4f43-be7f-72c00e5a7a9e at treenet.co.nz>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 25/09/23 07:49, Jason Long wrote:
> > Hello,
> > Thank you so much for your reply.
> > 1- Regarding security, what parameters should be changed or added in the
> > configuration file?
> >
>
> First steps with a new Squid install are to check in squid.conf for the
> "acl localnet" lines and adjust so it lists your LAN ranges. The common
> ones are listed there by default.
>
> Then look for the "http_access" directive. That is the primary means of
> telling Squid what the network policy needs are.
>
>
> > 2- How to configure Squid-cache?service for 1000 clients?
> >
>
> Apart from the above (1) answer, Squid does not care about the number of
> clients; it will serve as many as your machine can handle, until the
> hardware overloads the CPU, RAM or disk capacity limits.
>
>
> For good advice we will need details...
>
>   Forward or Reverse proxy installation?
>   LAN or WAN clients?
>
>   What policies do you need to comply with regarding client use of the
> proxy, or access to any special websites?
>
>
> Cheers
> Amos
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 25 Sep 2023 15:01:05 +0530
> From: nikhil deshpande <nikhildeshpande18 at gmail.com>
> To: Shyam varun <shyam3898 at gmail.com>
> Cc: squid-users at lists.squid-cache.org, jrose at qualys.com
> Subject: Re: [squid-users] Seeking Help with SSL Bump Configuration
>         for ECDSA Ciphers in Squid
> Message-ID:
>         <CALO-o=
> xTe18tuGww-gsr-vAVKMJqRai1ZvNR-hRqaToWXp1NGQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi team,
>
> Any update on this?
>
> Regards,
> Nikhil
>
> On Thu, Sep 14, 2023 at 6:05 PM Shyam varun <shyam3898 at gmail.com> wrote:
>
> > Dear Squid Mailing List Community,
> >
> > I hope this email finds you well. I am currently working on configuring
> > SSL bump in Squid proxy server to support ECDSA ciphers, and I am seeking
> > assistance with a particular issue I've encountered.
> >
> > To provide some context:
> >
> > - Squid Version: Squid 5.2
> > - OpenSSL Version: OpenSSL 1.1.1l
> > - OS: Alpine Linux v3.16
> > - Squid Configuration:
> >
> >     sslproxy_cert_error allow all
> >
> >     sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
> >
> >     http_port 3129 ssl-bump generate-host-certificates=on \
> >         dynamic_cert_mem_cache_size=4MB \
> >         cert=/opt/ssl/intermediate_certificate.pem \
> >         key=/opt/ssl/intermediate_key.pem \
> >         options=SINGLE_DH_USE,SINGLE_ECDH_USE \
> >         tls-dh=/opt/dhparam.pem
> >
> >     tls_outgoing_options min-version=1.1 options=NO_SSLv3
> >
> >     acl step1 at_step SslBump1
> >     ssl_bump peek step1
> >     ssl_bump bump all
> >
> >
> > The goal of my configuration is to enable SSL bump for ECDSA ciphers,
> > specifically the "ECDHE-ECDSA-AES256-GCM-SHA384" and
> > "ECDHE-ECDSA-AES128-GCM-SHA256" cipher suites. However, I've run into
> > challenges and issues while trying to achieve this.
> >
> > *Things I tried:*
> >
> >    1. I created an ECDSA-based certificate chain using OpenSSL.
> >    2. I configured the ECDSA-based certificate certs in squid as shown in
> >    above snippet but still not able to make it work.
> >
> >
> > I've thoroughly reviewed the Squid documentation and online resources,
> > but I haven't been able to resolve these issues on my own.
> >
> > I would greatly appreciate any guidance, insights, or assistance from the
> > Squid community regarding the proper configuration for SSL bump with
> > ECDSA ciphers. If you have successfully configured Squid to support ECDSA
> > ciphers or if you have expertise in this area, your input would be
> > invaluable.
> >
> > Thank you in advance for your time and support. I look forward to your
> > responses and insights.
> >
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
>
>
> ------------------------------
>
> End of squid-users Digest, Vol 109, Issue 19
> ********************************************
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: squid-pcap-and-cache-log.zip
Type: application/x-zip-compressed
Size: 58034 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20230927/04095cdc/attachment-0001.bin>
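The check a practitioner would run before going further with the thread above: connect to the bump port exactly the way the failing client does, offering only the two ECDHE-ECDSA suites, and see whether Squid completes the handshake and what leaf certificate it presents. In TLS 1.2 an ECDHE-ECDSA suite can only be selected when the server's leaf certificate carries an ECDSA key; an ECDSA CA in `cert=` does not by itself determine the key type of the leaf that is generated and presented, so the leaf's key type is the first thing to confirm. The script below is an added example, not Squid project code and not code from the thread; `PROXY_HOST` and `SNI_NAME` are assumptions, `PROXY_PORT` is the 3129 from the posted http_port line, and the `OFFERED` string is the pair of suites the thread names.

```python
"""Probe what a Squid ssl-bump listener actually negotiates.

Added example (not Squid project code, not from the thread). It connects to
the bump port the way the thread's client does, offering only the two
ECDHE-ECDSA suites, and reports the negotiated suite or the handshake error.
PROXY_HOST and SNI_NAME are assumptions; PROXY_PORT is the thread's 3129.
"""
import socket
import ssl

PROXY_HOST = "127.0.0.1"      # assumption: Squid listens locally
PROXY_PORT = 3129             # the http_port from the thread's config
SNI_NAME = "example.com"      # assumption: any name for Squid to mimic

# The two suites the client in the thread offers in its ClientHello.
OFFERED = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256"


def auth_of(suite):
    """Server-authentication algorithm an OpenSSL cipher-suite name commits to.

    TLS 1.3 names (TLS_...) return 'any': those suites work with any leaf key.
    Covers the common OpenSSL naming forms; other names fall back to 'RSA'.
    """
    if suite.startswith("TLS_"):
        return "any"
    parts = suite.split("-")
    if parts[0] in ("AECDH", "ADH"):
        return "NONE"                 # anonymous key exchange, no certificate
    if parts[0] in ("ECDHE", "DHE", "ECDH", "DH"):
        return parts[1]               # ECDSA, RSA, DSS, PSK ...
    if parts[0] == "PSK":
        return "PSK"
    return "RSA"                      # static RSA key exchange, e.g. AES128-GCM-SHA256


def negotiable(offered, leaf_key_alg):
    """Suites from a colon-separated OpenSSL cipher string that a server whose
    leaf certificate key is leaf_key_alg ('RSA' or 'ECDSA') can select.

    In TLS 1.2 an ECDHE-ECDSA suite needs an ECDSA leaf key and an ECDHE-RSA
    suite an RSA one, so an RSA leaf against an ECDSA-only ClientHello leaves
    nothing to pick and the server aborts with a handshake_failure alert.
    """
    return [s for s in offered.split(":") if auth_of(s) in ("any", leaf_key_alg)]


def probe(host=PROXY_HOST, port=PROXY_PORT, server_name=SNI_NAME, ciphers=OFFERED):
    """Connect to the bump port offering only `ciphers` and report the result.

    Returns a dict with the negotiated suite, protocol and the DER leaf cert,
    or with an 'error' key holding the OpenSSL reason on handshake failure.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE               # leaf is signed by Squid's own CA
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # the offered suites are TLS 1.2 suites
    ctx.set_ciphers(ciphers)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                name, proto, bits = tls.cipher()
                return {"cipher": name, "protocol": proto, "bits": bits,
                        "leaf_der": tls.getpeercert(binary_form=True)}
    except (ssl.SSLError, OSError) as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    result = probe()
    if "error" in result:
        print("handshake failed:", result["error"])
    else:
        print("negotiated", result["cipher"], "over", result["protocol"])
        # Inspect the key type with: openssl x509 -inform DER -in bumped-leaf.der -noout -text
        with open("bumped-leaf.der", "wb") as f:
            f.write(result["leaf_der"])
```

Run it against the bump port while the failing client is reproducing the problem. A `handshake failure` alert with the ECDSA-only offer, followed by a successful handshake when the same probe is repeated with `ciphers="ECDHE-RSA-AES128-GCM-SHA256"`, means the leaf Squid presents carries an RSA key regardless of the ECDSA CA, and `negotiable(OFFERED, "RSA")` being empty is exactly the situation the server is in. The same probe from the command line is `openssl s_client -connect 127.0.0.1:3129 -servername example.com -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256`, which also prints the leaf's `Subject Public Key Info` when given `-showcerts`.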

