<div dir="ltr"><div>Hi team,</div><div><br></div><div>Any update on this? <br><br></div><div>Regards,</div><div>Nikhil</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 14, 2023 at 6:05 PM Shyam varun &lt;<a href="mailto:shyam3898@gmail.com">shyam3898@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Dear Squid Mailing List Community,<br><br>I hope this email finds you well. I am currently working on configuring SSL bump in Squid proxy server to support ECDSA ciphers, and I am seeking assistance with a particular issue I've encountered.<br><br>To provide some context:<br><br>- <b>Squid Version:</b> Squid 5.2<br>- <b>OpenSSL Version</b>: OpenSSL 1.1.1l<br>- <b>OS:</b> Alpine Linux v3.16 <br>- <b><u>Squid Configuration: </u><br></b><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><b><i> sslproxy_cert_error allow all</i></b></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><b><i> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB</i></b></blockquote></blockquote><b><i><br></i></b><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><b><i> http_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/ssl/intermediate_certificate.pem key=/opt/ssl/intermediate_key.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/opt/dhparam.pem</i></b></blockquote></blockquote><b><i><br></i></b><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><b><i> tls_outgoing_options min-version=1.1 options=NO_SSLv3</i></b></blockquote></blockquote><b><i><br></i></b><blockquote style="margin:0px 0px 0px 
40px;border:none;padding:0px"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><b><i> acl step1 at_step SslBump1</i></b></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><b><i> ssl_bump peek step1</i></b></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><b><i> ssl_bump bump all</i></b></blockquote></blockquote><br>The goal of my configuration is to enable SSL bump for ECDSA ciphers, specifically the "ECDHE-ECDSA-AES256-GCM-SHA384" and "ECDHE-ECDSA-AES128-GCM-SHA256" cipher suites. However, I've run into challenges and issues while trying to achieve this.<br><br><b>Things I tried:</b><br><ol><li>I created an ECDSA-based certificate chain using OpenSSL.</li><li>I configured the ECDSA-based certificate certs in Squid as shown in the above snippet, but I am still not able to make it work.</li></ol><br>I've thoroughly reviewed the Squid documentation and online resources, but I haven't been able to resolve these issues on my own.<br><br>I would greatly appreciate any guidance, insights, or assistance from the Squid community regarding the proper configuration for SSL bump with ECDSA ciphers. If you have successfully configured Squid to support ECDSA ciphers or if you have expertise in this area, your input would be invaluable.<br><br>Thank you in advance for your time and support. I look forward to your responses and insights.<br></div>
</blockquote></div></div>