[squid-users] Default ssl-bump that works with chrome/opera

Xen xen at dds.nl
Sat Sep 5 11:58:08 UTC 2015


Hey,

Might I perhaps ask.

Currently with the default minimum configuration for ssl-bump that is 
advocated everywhere, my Firefox bumping works but Chrome and Opera are 
more strict and will say my certificate is invalid.

The certificate was simply generated (self-signed) with openssl x509 
with no additional options for cipher or message digest or whatever. 
Browsers typically complain that the certificate was signed using an 
insecure hash (sha1). I don't know if this is the result of my own 
certificate or whether it is the result of what Squid does to it using 
the regen it does.

Actually Chromium works fine now, I don't know why that changed. I had so 
many problems with it.

In fact, I don't know what happened. Both Chromium and Opera now work.

I did upgrade to 3.5.7 but I tested after.

All browsers mostly complain about using obsolete cipher suites though.

So that is the question I wanted to ask: Is there a default SSL 
configuration for Squid that will limit or reduce or do away with those 
obsolete cipher questions and remarks?

I have been trying to find configs on the web, but they go into great 
technical detail about those ciphers and also require you to make 
difficult choices you can't make until and unless you are a security expert.

I believe going from RSA to ECDHE_ECDSA (or something similar) will do 
the trick. But I also read here about Squid supporting something only in 
version 4.

Even typing that word makes me sick. ECDHE_ECDSA buh.

Does it have to be anything more difficult :P.

Is there a smallest subset SSL configuration for Squid that will simply 
reduce those messages and allow the level of security of the original 
site not to go down as much? I would think that Squid doesn't 
communicate with that server any differently than it does with me. So the 
whole chain is now using something less than it did before.

So that is my question: give me 3 lines of code (or configuration) that 
will allow this?

I beg of you :p :).

Regards, X.
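An added example (not from this post, and not the Squid project's own documentation) covering the two things the poster is asking about: a bumping CA that is signed with SHA-256 rather than SHA-1, and a short Squid 3.5 configuration fragment that disables SSLv2/SSLv3 and pins one cipher list on both the client-facing port and the outgoing (sslproxy) side. The output directory, port number, ssl_crtd path and the cipher string are assumptions chosen for illustration; the cipher string in particular is one reasonable choice, not a recommendation from the list.

```shell
#!/bin/sh
# Added example, not from the mailing list thread or the Squid project.
# Generates a SHA-256-signed CA for ssl-bump and prints a minimal Squid 3.5
# configuration fragment. All paths, the port and the cipher string are assumptions.
set -eu

CA_DIR="${CA_DIR:-./squid-ca}"            # assumed output directory
CA_KEY="$CA_DIR/squidCA.key"
CA_CRT="$CA_DIR/squidCA.crt"
CIPHERS="HIGH:!aNULL:!MD5:!RC4:!3DES"     # illustrative cipher string (assumption)

# Create the CA key and self-signed certificate. "-sha256" is the part that
# matters for the "insecure hash (sha1)" browser warning: an old openssl default
# may otherwise sign with SHA-1.
make_ca() {
    mkdir -p "$CA_DIR"
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -subj "/CN=Squid Bump CA (example)" \
        -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
    chmod 600 "$CA_KEY"
}

# Report the signature algorithm of the generated CA so the SHA-1 vs SHA-256
# question can be checked directly instead of guessed from browser behaviour.
ca_sig_alg() {
    openssl x509 -in "$CA_CRT" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Emit the Squid 3.5 fragment: one http_port with ssl-bump and dynamic
# certificate generation, protocol/cipher pinned on both sides, and the
# usual peek-at-step1-then-bump rule set.
squid_conf_fragment() {
    cat <<EOF
http_port 3128 ssl-bump cert=$CA_CRT key=$CA_KEY generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv2,NO_SSLv3 cipher=$CIPHERS
sslproxy_options NO_SSLv2,NO_SSLv3
sslproxy_cipher $CIPHERS
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
EOF
}

# Stand-alone use: build the CA, show its signature algorithm, print the fragment.
if [ "${1:-}" = "run" ]; then
    make_ca
    echo "CA signature algorithm: $(ca_sig_alg)"
    squid_conf_fragment
fi
```

Run it as `sh example.sh run`, then import the generated `squidCA.crt` into the browsers' trust stores and initialise the certificate database the `sslcrtd_program` line points at (`ssl_crtd -c -s /var/lib/squid/ssl_db`) before starting Squid. The check that is easy to forget is `ca_sig_alg`: if it prints anything other than a SHA-2 algorithm, the CA is the reason for the hash warning, whatever Squid does afterwards.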
