<div dir="ltr">Amos answered in another post [1]<br>[1]
<a href="http://lists.squid-cache.org/pipermail/squid-users/2018-February/017640.html">http://lists.squid-cache.org/pipermail/squid-users/2018-February/017640.html</a><br><br>More information:<br><a href="https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags#SSL_OP_SINGLE_DH_USE">https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags#SSL_OP_SINGLE_DH_USE</a><br>
As of 1.0.2f single-DH key use is always on, and this option does nothing, and is retained for compatibility.
<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 14, 2018 at 2:31 PM, Peter Viskup <span dir="ltr"><<a href="mailto:skupko.sk@gmail.com" target="_blank">skupko.sk@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Crypto part of the configure log:<br>
<br>
checking for nettle_md5_init in -lnettle... yes<br>
checking nettle/md5.h usability... yes<br>
checking nettle/md5.h presence... yes<br>
checking for nettle/md5.h... yes<br>
checking nettle/base64.h usability... yes<br>
checking nettle/base64.h presence... yes<br>
checking for nettle/base64.h... yes<br>
checking for Nettle 3.4 API compatibility... no<br>
configure: Using Nettle cryptographic library: yes<br>
checking for crypt in -lcrypt... yes<br>
checking for MD5Init in -lmd5... no<br>
checking for LIBGNUTLS... yes<br>
checking gnutls/gnutls.h usability... yes<br>
checking gnutls/gnutls.h presence... yes<br>
checking for gnutls/gnutls.h... yes<br>
checking gnutls/x509.h usability... yes<br>
checking gnutls/x509.h presence... yes<br>
checking for gnutls/x509.h... yes<br>
configure: GnuTLS library support: auto -lgnutls<br>
checking openssl/bio.h usability... yes<br>
checking openssl/bio.h presence... yes<br>
checking for openssl/bio.h... yes<br>
checking openssl/crypto.h usability... yes<br>
checking openssl/crypto.h presence... yes<br>
checking for openssl/crypto.h... yes<br>
checking openssl/err.h usability... yes<br>
checking openssl/err.h presence... yes<br>
checking for openssl/err.h... yes<br>
checking openssl/md5.h usability... yes<br>
checking openssl/md5.h presence... yes<br>
checking for openssl/md5.h... yes<br>
checking openssl/opensslv.h usability... yes<br>
checking openssl/opensslv.h presence... yes<br>
checking for openssl/opensslv.h... yes<br>
checking openssl/ssl.h usability... yes<br>
checking openssl/ssl.h presence... yes<br>
checking for openssl/ssl.h... yes<br>
checking openssl/x509v3.h usability... yes<br>
checking openssl/x509v3.h presence... yes<br>
checking for openssl/x509v3.h... yes<br>
checking openssl/engine.h usability... yes<br>
checking openssl/engine.h presence... yes<br>
checking for openssl/engine.h... yes<br>
checking openssl/txt_db.h usability... yes<br>
checking openssl/txt_db.h presence... yes<br>
checking for openssl/txt_db.h... yes<br>
checking for LIBOPENSSL... yes<br>
checking for EVP_PKEY_get0_RSA in -lcrypto... yes<br>
checking for BIO_meth_new in -lcrypto... yes<br>
checking for BIO_get_init in -lcrypto... yes<br>
checking for ASN1_STRING_get0_data in -lcrypto... yes<br>
checking for X509_STORE_CTX_get0_cert in -lcrypto... yes<br>
checking for X509_VERIFY_PARAM_get_depth in -lcrypto... yes<br>
checking for X509_STORE_CTX_get0_untrusted in -lcrypto... yes<br>
checking for X509_STORE_CTX_set0_untrusted in -lcrypto... yes<br>
checking for X509_up_ref in -lcrypto... yes<br>
checking for X509_CRL_up_ref in -lcrypto... yes<br>
checking for DH_up_ref in -lcrypto... yes<br>
checking for X509_get0_signature in -lcrypto... yes<br>
checking for SSL_CIPHER_find in -lssl... yes<br>
checking for SSL_CTX_set_tmp_rsa_callback in -lssl... no<br>
checking for SSL_SESSION_get_id in -lssl... yes<br>
checking for TLS_method in -lssl... yes<br>
checking for TLS_client_method in -lssl... yes<br>
checking for TLS_server_method in -lssl... yes<br>
checking for SSL_CTX_get0_certificate in -lssl... yes<br>
checking whether SSL_CTX_new and similar openSSL API functions require<br>
'const SSL_METHOD *'"... yes<br>
checking whether SSL_get_new_ex_index() dup callback accepts 'const<br>
CRYPTO_EX_DATA *'"... yes<br>
checking whether SSL_CTX_sess_set_get_cb() callback accepts a const ID<br>
argument"... yes<br>
checking "whether X509_get0_signature() accepts const parameters"... yes<br>
checking whether the TXT_DB use OPENSSL_PSTRING data member... yes<br>
checking whether the squid workaround for buggy versions of<br>
sk_OPENSSL_PSTRING_value should used... no<br>
checking whether the workaround for OpenSSL IMPLEMENT_LHASH_ macros<br>
should used... yes<br>
checking whether hello message can be overwritten in SSL struct... no<br>
configure: OpenSSL library support: yes -lssl -lcrypto<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On Wed, Feb 14, 2018 at 2:02 PM, Peter Viskup <<a href="mailto:skupko.sk@gmail.com">skupko.sk@gmail.com</a>> wrote:<br>
> Build of squid 4.0.23 on current Debian 9 report the single_dh_use as not known.<br>
> Older build of squid 3.5.21 on Debian 8 doesn't report it.<br>
> According the documentation [1] it should be known and supported.<br>
><br>
> [1] <a href="http://www.squid-cache.org/Doc/config/http_port/" rel="noreferrer" target="_blank">http://www.squid-cache.org/<wbr>Doc/config/http_port/</a><br>
><br>
> Is it a bug?<br>
><br>
> Peter<br>
><br>
> $ /usr/sbin/squid -v<br>
> Squid Cache: Version 4.0.23<br>
> Service Name: squid<br>
> Squid built with SSLBump<br>
><br>
> This binary uses OpenSSL 1.1.0f 25 May 2017. For legal restrictions<br>
> on distribution see <a href="https://www.openssl.org/source/license.html" rel="noreferrer" target="_blank">https://www.openssl.org/<wbr>source/license.html</a><br>
><br>
> configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'<br>
> '--includedir=${prefix}/<wbr>include' '--mandir=${prefix}/share/man'<br>
> '--infodir=${prefix}/share/<wbr>info' '--sysconfdir=/etc'<br>
> '--localstatedir=/var' '--libexecdir=${prefix}/lib/<wbr>squid' '--srcdir=.'<br>
> '--disable-maintainer-mode' '--disable-dependency-<wbr>tracking'<br>
> '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2<br>
> -fdebug-prefix-map=/build/<wbr>squid-4.0.23=. -fstack-protector-strong<br>
> -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2<br>
> -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--enable-build-info=Debian<br>
> linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'<br>
> '--libexecdir=/usr/lib/squid' '--runstatedir=/var/run/squid'<br>
> '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native'<br>
> '--disable-loadable-modules' '--enable-storeio=aufs,rock'<br>
> '--enable-removal-policies=<wbr>lru,heap' '--enable-delay-pools'<br>
> '--enable-cache-digests' '--enable-icap-client'<br>
> '--enable-follow-x-forwarded-<wbr>for' '--enable-auth'<br>
> '--enable-external-acl-<wbr>helpers=file_userip,session,<wbr>SQL_session,time_quota,unix_<wbr>group'<br>
> '--enable-security-cert-<wbr>validators=fake'<br>
> '--enable-storeid-rewrite-<wbr>helpers=file'<br>
> '--enable-url-rewrite-helpers=<wbr>fake' '--enable-eui' '--disable-esi'<br>
> '--enable-icmp' '--enable-zph-qos' '--disable-ecap'<br>
> '--disable-translation' '--disable-ident-lookups'<br>
> '--with-swapdir=/var/spool/<wbr>squid' '--with-logdir=/var/log/squid'<br>
> '--with-pidfile=/var/run/<wbr>squid/squid.pid'<br>
> '--with-filedescriptors=65536' '--with-large-files'<br>
> '--with-default-user=proxy' '--enable-security-cert-<wbr>generators=file'<br>
> '--enable-ssl-crtd' '--with-openssl' '--without-mit-krb5'<br>
> '--without-heimdal-krb5' '--disable-wccp' '--disable-wccpv2'<br>
> '--disable-ipv6' '--enable-build-info=Squid built with SSLBump'<br>
> '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g<br>
> -O2 -fdebug-prefix-map=/build/<wbr>squid-4.0.23=. -fstack-protector-strong<br>
> -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro<br>
> -Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'<br>
> 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/<wbr>squid-4.0.23=.<br>
> -fstack-protector-strong -Wformat -Werror=format-security'<br>
><br>
> $ /usr/sbin/squid -k parse -d 9 -n test<br>
> 2018/02/14 13:33:41| Startup: Initializing Authentication Schemes ...<br>
> 2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'basic'<br>
> 2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'digest'<br>
> 2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'negotiate'<br>
> 2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'ntlm'<br>
> 2018/02/14 13:33:41| Startup: Initialized Authentication.<br>
> 2018/02/14 13:33:41| WARNING: BCP 177 violation. IPv6 transport forced<br>
> OFF by build parameters.<br>
> 2018/02/14 13:33:41| Processing Configuration File:<br>
> /etc/squid/squid.conf (depth 0)<br>
> 2018/02/14 13:33:41| Processing: acl localnet src <a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">10.0.0.0/8</a><br>
> # RFC 1918 local private network (LAN)<br>
> 2018/02/14 13:33:41| Processing: acl SSL_ports port 443 990<br>
> 2018/02/14 13:33:41| Processing: acl Safe_ports port 80 # http<br>
> 2018/02/14 13:33:41| Processing: acl Safe_ports port 21 # ftp<br>
> 2018/02/14 13:33:41| Processing: acl Safe_ports port 443 # https<br>
> 2018/02/14 13:33:41| Processing: acl Safe_ports port 70 # gopher<br>
> 2018/02/14 13:33:41| Processing: acl Safe_ports port 210 # wais<br>
> 2018/02/14 13:33:41| Processing: acl Safe_ports port 1025-65535 #<br>
> unregistered ports<br>
> 2018/02/14 13:33:41| Processing: acl Safe_ports port 280<br>
> # http-mgmt<br>
> 2018/02/14 13:33:41| Processing: acl Safe_ports port 488<br>
> # gss-http<br>
> 2018/02/14 13:33:41| Processing: acl Safe_ports port 591<br>
> # filemaker<br>
> 2018/02/14 13:33:41| Processing: acl Safe_ports port 777<br>
> # multiling http<br>
> 2018/02/14 13:33:41| Processing: acl Safe_ports port 990 # ftps<br>
> 2018/02/14 13:33:41| Processing: acl CONNECT method CONNECT<br>
> 2018/02/14 13:33:41| Processing: acl purge method PURGE<br>
> 2018/02/14 13:33:41| Processing: http_access deny !Safe_ports<br>
> 2018/02/14 13:33:41| Processing: http_access deny CONNECT !SSL_ports<br>
> 2018/02/14 13:33:41| Processing: http_access allow localhost manager<br>
> 2018/02/14 13:33:41| Processing: http_access deny manager<br>
> 2018/02/14 13:33:41| Processing: http_access allow localhost purge<br>
> 2018/02/14 13:33:41| Processing: http_access deny purge<br>
> 2018/02/14 13:33:41| Processing: http_access allow localhost<br>
> 2018/02/14 13:33:41| Processing: http_access deny all<br>
> 2018/02/14 13:33:41| Processing: include /etc/squid/conf.d/test-http_<wbr>port.conf<br>
> 2018/02/14 13:33:41| Processing Configuration File:<br>
> /etc/squid/conf.d/test-http_<wbr>port.conf (depth 1)<br>
> 2018/02/14 13:33:41| Processing: http_port 8080 ssl-bump name=test<br>
> options=NO_SSLv3 cert=/etc/squid/cert/<wbr>serverproxyCA.pem<br>
> generate-host-certificates=on tls-default-ca=off<br>
> options=SINGLE_DH_USE:SINGLE_<wbr>ECDH_USE<br>
> tls-dh=/etc/squid/cert/<wbr>dhparam.pem<br>
> sslflags=NO_SESSION_REUSE:<wbr>VERIFY_CRL<br>
> cipher=EDH+aRSA+AESGCM:EDH+<wbr>aRSA+AES:DHE-RSA-AES256-SHA:<wbr>EECDH+aRSA+AESGCM:EECDH+aRSA+<wbr>AES:ECDHE-RSA-AES256-SHA:<wbr>ECDHE-RSA-AES128-SHA:RSA+<wbr>AESGCM:RSA+AES+SHA:DES-CBC3-<wbr>SHA:DHE-RSA-AES128-SHA<br>
> 2018/02/14 13:33:41| ERROR: Unknown TLS option SINGLE_DH_USE<br>
> 2018/02/14 13:33:41| ERROR: Unknown TLS option SINGLE_ECDH_USE<br>
> .....<br>
</div></div></blockquote></div><br></div>