<html><body>
<p><font size="2" face="sans-serif">But does this mean that ECDHE isn't supported by Squid?<br>
</font><br>
<font size="2" face="sans-serif">I had a related question as the original poster. Some U.S. federal security standards (e.g. NSA Suite B) require ECDH and ECDHE adds perfect forward secrecy.</font><br>
<br>
<font size="2" face="sans-serif">Can Squid bump TLS 1.2 traffic that uses ECDHE and that uses certificates signed using ECDSA?</font><br>
<br>
<br>
<font size="1" color="#5F5F5F" face="sans-serif">From: </font><font size="1" face="sans-serif">Marcus Kool &lt;marcus.kool@urlfilterdb.com&gt;</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">To: </font><font size="1" face="sans-serif">dweimer@dweimer.net, Squid Users &lt;squid-users@squid-cache.org&gt;</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Date: </font><font size="1" face="sans-serif">08/12/2015 05:10 PM</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Subject: </font><font size="1" face="sans-serif">Re: [squid-users] Squid 3.5 Forward Secrecy on https_port</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Sent by: </font><font size="1" face="sans-serif">"squid-users" &lt;squid-users-bounces@lists.squid-cache.org&gt;</font><br>
<hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br>
<br>
<br>
<tt><font size="2"><br>
>> Does anyone see something missing in my https_port configuration that<br>
>> is causing it to not use the ECDHE keys?<br>
><br>
> I made some updates above, the dh.params file wasn't being found, changed that line to use the full path, and it's now using DHE ciphers, but not ECDHE ciphers.<br>
<br>
FWIW:<br>
ECDHE is not considered safe by a group of cryptologists since the EC implementation is based on secret parameters that only the author of the algorithm has.<br>
See also </font></tt><tt><font size="2"><a href="http://safecurves.cr.yp.to/rigid.html">http://safecurves.cr.yp.to/rigid.html</a></font></tt><tt><font size="2"><br>
<br>
Marcus<br>
</font></tt><br>
</body></html>