[squid-users] Squid 3.5 Forward Secrecy on https_port

dweimer dweimer at dweimer.net
Fri Aug 14 14:03:14 UTC 2015


On 2015-08-13 10:18 am, Amos Jeffries wrote:
> On 14/08/2015 2:40 a.m., Julianne Bielski wrote:
>> 
>> But does this mean that ECDHE isn't supported by Squid?
>> 
> 
> Correct. ECDHE is not supported by 3.5 and older.
> 
> EECDHE and ECDHE are coming in Squid-4.
> 
> If you really need it you are welcome to download and use Squid-4. Some
> of us already are. Just be aware that it is still under development so
> anything can change without notice, and there are probably a bunch of
> bugs not yet found in those features and other new code.
> 
> Amos
> 

Thanks for all the info on this, guys. I have no actual requirement to 
have ECDHE implemented on the servers I maintain. I was just trying to 
improve security by enabling the Forward Secrecy options where possible, 
as some of the browsers support ECDHE and not DHE, IE8-10 for example. I 
will do some more research on the issue mentioned by a previous poster 
between now and when version 4 comes out, then decide if I do want to 
enable it or not at that time.

After some playing around on the test system, testing results using the 
ssllabs test tools with various options and dhparam key sizes, along 
with the input from this thread, I enabled the DHE ciphers last night on 
the production reverse proxy server that I maintain at work.

-- 
Thanks,
    Dean E. Weimer
    http://www.dweimer.net/

