[squid-users] ECDH not working with Squid 4. ERROR: Unable to set Ephemeral ECDH: error:00000000:lib(0):func(0):reason(0)
tylerd at tuta.io
Mon Dec 21 14:07:14 UTC 2015
Hello,
I'm having a hard time trying to use ECDH support in Squid and I tried a few
different releases since v. 4 is out. Squid version:
Squid Cache: Version 4.0.3-20151216-r14446
Service Name: squid
configure options: '--with-openssl' '--enable-basic-auth-helpers=squid_radius_auth' '--enable-auth' --enable-ltdl-convenience
OpenSSL is 1.0.1q
Relevant https_port settings line in my squid.conf:
https_port 443 cert=/root/ssl/squid.crt key=/root/ssl/squid.key
tls-cafile=/root/ssl/ca.crt
cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem
When I try to run it, I get the following error:
2015/12/21 09:01:05| ERROR: Unable to set Ephemeral ECDH: error:00000000:lib(0):func(0):reason(0)
Full https_port part from the debug when running squid -X:
2015/12/21 09:02:24.000| Initializing https_port [::]:443 TLS context
2015/12/21 09:02:24.001| 24,7| SBuf.cc(180) rawSpace: reserving 1 for SBuf135
2015/12/21 09:02:24.001| 24,7| SBuf.cc(187) rawSpace: SBuf135 not growing
2015/12/21 09:02:24.001| 24,7| SBuf.cc(180) rawSpace: reserving 1 for SBuf134
2015/12/21 09:02:24.001| 24,7| SBuf.cc(187) rawSpace: SBuf134 not growing
2015/12/21 09:02:24.001| Using certificate in /root/ssl/squid.crt
2015/12/21 09:02:24.027| 83,5| support.cc(512) configureSslContext: Using chiper suite ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS.
2015/12/21 09:02:24.027| 24,7| SBuf.cc(180) rawSpace: reserving 1 for SBuf124
2015/12/21 09:02:24.027| 24,7| SBuf.cc(187) rawSpace: SBuf124 not growing
2015/12/21 09:02:24.027| 83,9| support.cc(521) configureSslContext: Setting RSA key generation callback.
2015/12/21 09:02:24.027| 83,9| ServerOptions.cc(164) updateContextEecdh: Setting Ephemeral ECDH curve to secp384r1.
2015/12/21 09:02:24.027| 24,7| SBuf.cc(180) rawSpace: reserving 1 for SBuf130
2015/12/21 09:02:24.027| 24,8| SBuf.cc(1000) cow: SBuf130 new size:10
2015/12/21 09:02:24.027| 24,8| SBuf.cc(970) reAlloc: SBuf130 new size: 10
2015/12/21 09:02:24.027| 24,9| MemBlob.cc(56) MemBlob: constructed, this=0x1f94670 id=blob125 reserveSize=10
2015/12/21 09:02:24.027| 24,8| MemBlob.cc(101) memAlloc: blob125 memAlloc: requested=10, received=40
2015/12/21 09:02:24.027| 24,7| SBuf.cc(979) reAlloc: SBuf130 new store capacity: 40
2015/12/21 09:02:24.027| ERROR: Unable to set Ephemeral ECDH: error:00000000:lib(0):func(0):reason(0)
2015/12/21 09:02:24.034| 83,8| PeerOptions.cc(534) updateContextCa: Setting CA certificate locations.
2015/12/21 09:02:24.034| 24,8| SBuf.cc(89) SBuf: SBuf149 created from id SBuf138
2015/12/21 09:02:24.034| 24,7| SBuf.cc(180) rawSpace: reserving 1 for SBuf122
2015/12/21 09:02:24.034| 24,8| SBuf.cc(1000) cow: SBuf122 new size:1
2015/12/21 09:02:24.034| 24,8| SBuf.cc(970) reAlloc: SBuf122 new size: 1
2015/12/21 09:02:24.034| 24,9| MemBlob.cc(56) MemBlob: constructed, this=0x1f96070 id=blob126 reserveSize=1
2015/12/21 09:02:24.034| 24,8| MemBlob.cc(101) memAlloc: blob126 memAlloc: requested=1, received=40
2015/12/21 09:02:24.034| 24,7| SBuf.cc(979) reAlloc: SBuf122 new store capacity: 40
2015/12/21 09:02:24.034| 24,7| SBuf.cc(180) rawSpace: reserving 1 for SBuf149
2015/12/21 09:02:24.034| 24,7| SBuf.cc(187) rawSpace: SBuf149 not growing
2015/12/21 09:02:24.034| WARNING: Ignoring error setting CA certificate locations: error:0B064071:x509 certificate routines:ADD_CERT_DIR:invalid directory
2015/12/21 09:02:24.035| 24,8| SBuf.cc(135) ~SBuf: SBuf149 destructed
2015/12/21 09:02:24.035| 83,9| support.cc(548) configureSslContext: Not requiring any client certificates
2015/12/21 09:02:24.035| 21,3| tools.cc(499) leave_suid: leave_suid: PID 13102 called
2015/12/21 09:02:24.035| 21,3| tools.cc(521) leave_suid: leave_suid: PID 13102 giving up root, becoming 'nobody'
2015/12/21 09:02:24.035| 0,9| debug.cc(403) parseOptions: command-line -X overrides: ALL,1
Is there anybody running it successfully with ECDH support willing to share
some insights and a config sample? Thanks in advance.
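
Added example, not part of the original post and not Squid project code: a triage helper that pulls the ERROR/WARNING entries out of `squid -X` output like the above and decodes the OpenSSL error strings in them. The function names and the sample text are constructed here; the note for an all-zero code assumes Squid prints the code taken from OpenSSL's error queue.

```python
import re

# Constructed sample: three entries from a `squid -X` run, joined without
# newlines the way an archive can flatten them.
SAMPLE = (
    "2015/12/21 09:02:24.027| 83,9| ServerOptions.cc(164) updateContextEecdh: "
    "Setting Ephemeral ECDH curve to secp384r1."
    "2015/12/21 09:02:24.027| ERROR: Unable to set Ephemeral ECDH: "
    "error:00000000:lib(0):func(0):reason(0)"
    "2015/12/21 09:02:24.034| WARNING: Ignoring error setting CA certificate "
    "locations: error:0B064071:x509 certificate routines:ADD_CERT_DIR:invalid directory"
)

# Each entry starts with "YYYY/MM/DD HH:MM:SS[.mmm]|".
STAMP = re.compile(r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?\|")
# OpenSSL 1.0.x error string: error:<8 hex digits>:<lib>:<func>:<reason>
OSSL = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def split_entries(text):
    """Split log text into entries even when line breaks were lost or moved."""
    text = " ".join(text.split())
    starts = [m.start() for m in STAMP.finditer(text)]
    return [text[a:b].strip() for a, b in zip(starts, starts[1:] + [len(text)])]


def tls_findings(text):
    """Return (level, message, code, note) for each ERROR/WARNING entry."""
    findings = []
    for entry in split_entries(text):
        body = entry.split("|", 1)[1].strip()
        level, _, rest = body.partition(":")
        if level not in ("ERROR", "WARNING"):
            continue  # debug entries start with "section,level|"
        m = OSSL.search(rest)
        if m is None:
            findings.append((level, rest.strip(), None, "no OpenSSL error string"))
            continue
        code = int(m.group(1), 16)
        # Assumption: the code comes from OpenSSL's error queue; 0 means it was empty.
        note = ("OpenSSL queued no error for this failure" if code == 0
                else f"lib={m.group(2)} func={m.group(3)} reason={m.group(4)}")
        findings.append((level, rest[:m.start()].strip(" :"), code, note))
    return findings


if __name__ == "__main__":
    for finding in tls_findings(SAMPLE):
        print(finding)
```

An all-zero code is what OpenSSL formats for error value 0, so that entry carries no library, function or reason to look up, unlike the CA directory warning.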