<div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Team,<div><br></div><div><pre style="color:rgb(0,0,0)">[Question]: Are you trying to bump TLS client connections when and only when the TLS
client is offering to use one of those ciphers in its ClientHello
message? Or do you want Squid to use one of those ciphers when bumping
all TLS client connections? Or something else? Please clarify.</pre><pre style="color:rgb(0,0,0)"><font face="arial, sans-serif">[Answer]: In our case the client offers these two ciphers (<i>ECDHE-ECDSA-AES256-GCM-SHA384</i> and <i>ECDHE-ECDSA-AES128-GCM-SHA256</i>) in its ClientHello, but Squid fails to complete the handshake with the client while performing SSL-Bump.</font></pre><pre style="color:rgb(0,0,0)"><font face="arial, sans-serif">We have attached logs and a network capture.</font></pre><pre style="color:rgb(0,0,0)">[Question]: FWIW, to restrict Squid use of ciphers on accepted TLS client
connections, use the http_port (or https_port) "cipher" option. For
example,
https_port 3129 ssl-bump ... \
cipher=DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
</pre><pre style="color:rgb(0,0,0)"><font face="arial, sans-serif">[Answer]: We don't want to restrict Squid to these specific ciphers only. We want Squid to use strong ciphers.</font></pre><pre style="color:rgb(0,0,0)"><font face="arial, sans-serif">One more point I want to add is that this issue also reproduces with the latest Squid.</font></pre></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 25, 2023 at 5:30 PM <<a href="mailto:squid-users-request@lists.squid-cache.org">squid-users-request@lists.squid-cache.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Send squid-users mailing list submissions to<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:squid-users-request@lists.squid-cache.org" target="_blank">squid-users-request@lists.squid-cache.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:squid-users-owner@lists.squid-cache.org" target="_blank">squid-users-owner@lists.squid-cache.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of squid-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: A few things about Squid-cache (Jason Long)<br>
2. Re: A few things about Squid-cache (Amos Jeffries)<br>
3. Re: Seeking Help with SSL Bump Configuration for ECDSA<br>
Ciphers in Squid (nikhil deshpande)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Sun, 24 Sep 2023 18:49:06 +0000 (UTC)<br>
From: Jason Long <<a href="mailto:hack3rcon@yahoo.com" target="_blank">hack3rcon@yahoo.com</a>><br>
To: <a href="mailto:gkinkie@gmail.com" target="_blank">gkinkie@gmail.com</a><br>
Cc: Squid Users <<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>><br>
Subject: Re: [squid-users] A few things about Squid-cache<br>
Message-ID: <<a href="mailto:575071616.3138479.1695581346718@mail.yahoo.com" target="_blank">575071616.3138479.1695581346718@mail.yahoo.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hello,<br>
Thank you so much for your reply.<br>
1- Regarding security, what parameters should be changed or added in the configuration file?<br>
<br>
2- How to configure Squid-cache service for 1000 clients?<br>
<br>
<br>
<br>
On Sat, Sep 23, 2023 at 12:26 AM, Francesco Chemolli<<a href="mailto:gkinkie@gmail.com" target="_blank">gkinkie@gmail.com</a>> wrote:<br>
Hi Jason!<br>
Squid is a complex piece of software, which is deployed in a vast number of scenarios; some are simpler and some are intensely adversarial and trickier. Securing Squid is similar to securing any other public-facing complex service; it's unfortunately not something that can be explained with a few tips.<br>
Regarding how many users Squid can support at the same time, it really depends, mostly on the hardware, service configuration, and user behaviour. On modern hardware, Squid can generally support many users, in the order of several thousand.<br>
Squid is not a firewall; on most modern Unix-like operating systems, including Linux, FreeBSD, and OpenBSD, that role can be fulfilled by the underlying operating system.<br>
On Thu, Sep 21, 2023 at 7:59 PM Jason Long <<a href="mailto:hack3rcon@yahoo.com" target="_blank">hack3rcon@yahoo.com</a>> wrote:<br>
<br>
Hello,<br>
I have some questions:<br>
1- What tips should be considered to keep Squid-cache safe?<br>
<br>
2- How strong is Squid-cache? How many users can use it at the same time?<br>
3- Can Squid-cache also play the role of a firewall? Something like the Microsoft ForeFront TMG Replacement or the Kemp LoadMaster.<br>
<br>
Thank you.<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
<br>
<br>
-- <br>
Francesco<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.squid-cache.org/pipermail/squid-users/attachments/20230924/2ef15d28/attachment-0001.htm" rel="noreferrer" target="_blank">http://lists.squid-cache.org/pipermail/squid-users/attachments/20230924/2ef15d28/attachment-0001.htm</a>><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Mon, 25 Sep 2023 17:51:45 +1300<br>
From: Amos Jeffries <<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>><br>
To: <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
Subject: Re: [squid-users] A few things about Squid-cache<br>
Message-ID: <<a href="mailto:8ffe5581-d731-4f43-be7f-72c00e5a7a9e@treenet.co.nz" target="_blank">8ffe5581-d731-4f43-be7f-72c00e5a7a9e@treenet.co.nz</a>><br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
On 25/09/23 07:49, Jason Long wrote:<br>
> Hello,<br>
> Thank you so much for your reply.<br>
> 1- Regarding security, what parameters should be changed or added in the <br>
> configuration file?<br>
> <br>
<br>
First steps with a new Squid install are to check in squid.conf for the <br>
"acl localnet" lines and adjust so it lists your LAN ranges. The common <br>
ones are listed there by default.<br>
<br>
Then look for the "http_access" directive. That is the primary means of <br>
telling Squid what the network policy needs are.<br>
<br>
<br>
> 2- How to configure Squid-cache service for 1000 clients?<br>
> <br>
<br>
Apart from the above (1) answer, Squid does not care about the number of <br>
clients; it will serve as many as your machine can handle, until the <br>
hardware hits its CPU, RAM or disk capacity limits.<br>
<br>
<br>
For good advice we will need details...<br>
<br>
Forward or Reverse proxy installation?<br>
LAN or WAN clients?<br>
<br>
What policies do you need to comply with regarding client use of the <br>
proxy, or access to any special websites?<br>
<br>
<br>
Cheers<br>
Amos<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Mon, 25 Sep 2023 15:01:05 +0530<br>
From: nikhil deshpande <<a href="mailto:nikhildeshpande18@gmail.com" target="_blank">nikhildeshpande18@gmail.com</a>><br>
To: Shyam varun <<a href="mailto:shyam3898@gmail.com" target="_blank">shyam3898@gmail.com</a>><br>
Cc: <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>, <a href="mailto:jrose@qualys.com" target="_blank">jrose@qualys.com</a><br>
Subject: Re: [squid-users] Seeking Help with SSL Bump Configuration<br>
for ECDSA Ciphers in Squid<br>
Message-ID:<br>
<CALO-o=<a href="mailto:xTe18tuGww-gsr-vAVKMJqRai1ZvNR-hRqaToWXp1NGQ@mail.gmail.com" target="_blank">xTe18tuGww-gsr-vAVKMJqRai1ZvNR-hRqaToWXp1NGQ@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi team,<br>
<br>
Any update on this?<br>
<br>
Regards,<br>
Nikhil<br>
<br>
On Thu, Sep 14, 2023 at 6:05 PM Shyam varun <<a href="mailto:shyam3898@gmail.com" target="_blank">shyam3898@gmail.com</a>> wrote:<br>
<br>
> Dear Squid Mailing List Community,<br>
><br>
> I hope this email finds you well. I am currently working on configuring<br>
> SSL bump in Squid proxy server to support ECDSA ciphers, and I am seeking<br>
> assistance with a particular issue I've encountered.<br>
><br>
> To provide some context:<br>
><br>
> - Squid Version: Squid 5.2<br>
> - OpenSSL Version: OpenSSL 1.1.1l<br>
> - OS: Alpine Linux v3.16<br>
> - Squid Configuration:<br>
><br>
> sslproxy_cert_error allow all<br>
><br>
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB<br>
><br>
> http_port 3129 ssl-bump generate-host-certificates=on<br>
> dynamic_cert_mem_cache_size=4MB cert=/opt/ssl/intermediate_certificate.pem<br>
> key=/opt/ssl/intermediate_key.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE<br>
> tls-dh=/opt/dhparam.pem<br>
><br>
> tls_outgoing_options min-version=1.1 options=NO_SSLv3<br>
><br>
> acl step1 at_step SslBump1<br>
> ssl_bump peek step1<br>
> ssl_bump bump all<br>
><br>
><br>
> The goal of my configuration is to enable SSL bump for ECDSA ciphers,<br>
> specifically the "ECDHE-ECDSA-AES256-GCM-SHA384" and<br>
> "ECDHE-ECDSA-AES128-GCM-SHA256" cipher suites. However, I've run into<br>
> challenges and issues while trying to achieve this.<br>
><br>
> *Things I tried:*<br>
><br>
> 1. I created an ECDSA-based certificate chain using OpenSSL.<br>
> 2. I configured the ECDSA-based certificate certs in squid as shown in<br>
> above snippet but still not able to make it work.<br>
><br>
><br>
> I've thoroughly reviewed the Squid documentation and online resources, but<br>
> I haven't been able to resolve these issues on my own.<br>
><br>
> I would greatly appreciate any guidance, insights, or assistance from the<br>
> Squid community regarding the proper configuration for SSL bump with ECDSA<br>
> ciphers. If you have successfully configured Squid to support ECDSA ciphers<br>
> or if you have expertise in this area, your input would be invaluable.<br>
><br>
> Thank you in advance for your time and support. I look forward to your<br>
> responses and insights.<br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.squid-cache.org/pipermail/squid-users/attachments/20230925/9e18cf96/attachment-0001.htm" rel="noreferrer" target="_blank">http://lists.squid-cache.org/pipermail/squid-users/attachments/20230925/9e18cf96/attachment-0001.htm</a>><br>
<br>
------------------------------<br>
<br>
End of squid-users Digest, Vol 109, Issue 19<br>
********************************************<br>
</blockquote></div>
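<p>Added example (not from the thread, Squid or OpenSSL): the reply above says the client offers ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256 in its ClientHello, and a network capture was attached. Before blaming Squid, it is worth checking the ClientHello for everything a TLS 1.2 server needs in order to pick an ECDHE-ECDSA suite with an ECDSA certificate: the suite itself, an ECDSA entry in signature_algorithms, and (a check OpenSSL applies for TLS 1.2 ECDSA certificates) the certificate's curve in supported_groups. The script below parses one plaintext ClientHello record and reports those three conditions. The sample ClientHello is constructed in the script, not taken from the attached capture; <code>build_client_hello</code>, <code>parse_client_hello</code> and <code>ecdsa_readiness</code> are names chosen here, and the P-256 certificate curve is an assumption about the poster's ECDSA chain. To use it on a real capture, feed it the TCP payload bytes of the first client-to-proxy segment after the handshake starts.</p>

```python
import struct

# TLS 1.2 registry code points used by the checks below.
ECDSA_SUITES = {0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
                0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256"}
GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}
EXT_SNI, EXT_GROUPS, EXT_SIGALGS = 0, 10, 13


def _u16list(values):
    body = b"".join(struct.pack("!H", v) for v in values)
    return struct.pack("!H", len(body)) + body


def build_client_hello(suites, groups, sigalgs, sni="example.com"):
    """Assemble a minimal TLS 1.2 ClientHello record. Constructed sample only,
    used so the parser can be exercised offline; a real capture is parsed the same way."""
    sni_body = struct.pack("!H", len(sni) + 3) + b"\x00" + struct.pack("!H", len(sni)) + sni.encode()
    exts = b""
    for ext_type, body in ((EXT_SNI, sni_body), (EXT_GROUPS, _u16list(groups)), (EXT_SIGALGS, _u16list(sigalgs))):
        exts += struct.pack("!HH", ext_type, len(body)) + body
    hello = (b"\x03\x03" + bytes(32)          # client_version, random (zeroed in the sample)
             + b"\x00"                        # empty session_id
             + _u16list(suites)
             + b"\x01\x00"                    # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return what the client offered in the first ClientHello of a raw TLS byte stream.
    Assumes the whole ClientHello sits in one record (true for typical captures)."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("first handshake message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                        # skip client_version and random
    pos += 1 + body[pos]                                # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                # skip compression methods
    info = {"suites": suites, "sni": None, "groups": [], "sigalgs": []}
    if pos + 2 > len(body):
        return info                                     # no extensions block (legal in TLS 1.2)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_body_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        ext_body = body[pos:pos + ext_body_len]; pos += ext_body_len
        if ext_type == EXT_SNI:                         # list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", ext_body[3:5])[0]
            info["sni"] = ext_body[5:5 + name_len].decode("ascii", "replace")
        elif ext_type in (EXT_GROUPS, EXT_SIGALGS):     # both are a u16 length + u16 list
            n = struct.unpack("!H", ext_body[:2])[0]
            values = [struct.unpack("!H", ext_body[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            info["groups" if ext_type == EXT_GROUPS else "sigalgs"] = values
    return info


def ecdsa_readiness(info, cert_curve=0x0017):
    """Three things a TLS 1.2 server needs before it can select an ECDHE-ECDSA suite
    for an ECDSA certificate whose key is on `cert_curve` (default P-256, an assumption)."""
    return {
        "offers_ecdhe_ecdsa_suite": any(s in ECDSA_SUITES for s in info["suites"]),
        # low byte 0x03 = SignatureAlgorithm.ecdsa in the TLS 1.2 encoding (0x0403, 0x0503, 0x0603)
        "offers_ecdsa_sigalg": any(a & 0xFF == 0x03 for a in info["sigalgs"]),
        "offers_cert_curve": cert_curve in info["groups"],
    }


if __name__ == "__main__":
    sample = build_client_hello([0xC02C, 0xC02B, 0xC030], [0x001D, 0x0017], [0x0403, 0x0804])
    info = parse_client_hello(sample)
    print("SNI:", info["sni"])
    print("suites:", [ECDSA_SUITES.get(s, hex(s)) for s in info["suites"]])
    print("groups:", [GROUPS.get(g, hex(g)) for g in info["groups"]])
    for check, ok in ecdsa_readiness(info).items():
        print(f"{check}: {'yes' if ok else 'NO'}")
```

<p>If all three lines print "yes" for the real ClientHello and Squid still aborts the handshake, the problem is on the server side (certificate chain, key/curve, or the options passed on http_port), not in what the client offers; if any prints "NO", the client is not actually asking for what the configuration is trying to provide.</p>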