[squid-users] Squid 3.5 Forward Secrecy on https_port
dweimer
dweimer at dweimer.net
Fri Aug 14 14:03:14 UTC 2015
On 2015-08-13 10:18 am, Amos Jeffries wrote:
> On 14/08/2015 2:40 a.m., Julianne Bielski wrote:
>>
>> But does this mean that ECDHE isn't supported by Squid?
>>
>
> Correct. ECDHE is not supported by 3.5 and older.
>
> EECDHE and ECDHE are coming in Squid-4.
>
> If you really need it you are welcome to download and use Squid-4. Some
> of us already are. Just be aware that it is still under development so
> anything can change without notice, and there are probably a bunch of
> bugs not yet found in those features and other new code.
>
> Amos
>

Thanks for all the info on this, guys. I have no actual requirement to
have ECDHE implemented on the servers I maintain. I was just trying to
improve security by enabling the Forward Secrecy options where possible,
as some of the browsers support ECDHE and not DHE, IE8-10 for example. I
will do some more research on the issue mentioned by a previous poster
between now and when version 4 comes out, then decide if I do want to
enable it or not at that time.

After some playing around on the test system, testing results using the
ssllabs test tools with various options and dhparam key sizes, along
with the input from this thread, I have enabled the DHE ciphers on the
production reverse proxy server that I maintain at work last night.

--
Thanks,
Dean E. Weimer
http://www.dweimer.net/