[squid-users] Squid as reverse proxy with EC private key

Johannes Engel jcnengel at gmail.com
Mon Sep 21 20:18:43 UTC 2015


Thanks a lot for the swift reply, Amos! Much appreciated.

Best regards,
Johannes

2015-09-21 19:36 GMT+02:00 Amos Jeffries <squid3 at treenet.co.nz>:

> On 22/09/2015 2:09 a.m., Johannes Engel wrote:
> > Dear all,
> >
> > I would like to run squid 3.5.8 as a reverse proxy for our webserver. I
> > already have a certificate which is currently in use by the Apache
> > Webserver 2.4 itself. It is based upon an EC (elliptic curve) private key
> > of length 384.
> > Until now I have not managed to fire up squid by specifying https_port
> > with private key and certificate. It will run, but all connection attempts
> > (e.g. using openssl s_client or gnutls-cli) will break down with the
> > following server-side error:
> >
> > Error negotiating SSL connection on FD 14: error:1408A0C1:SSL
> > routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
> >
> > The https_port line looks like this:
> > https_port 443 accel cert=/etc/squid/test.pem key=/etc/squid/test.key
> > cafile=/etc/squid/globalsign.pem dhparams=/etc/squid/dhparams.pem
> > defaultsite=my.web.site
> >
> > Does Squid simply not support elliptic curves for primary keys? OpenSSL
> > 1.0.1k is installed which works fine with the Apache...
>
> Squid-3.x does not support curves. Only the older DH ciphers.
>
> For ECDH support you need to use Squid-4.
>
> Amos
>
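A pre-flight check for the situation in this thread, written as an added example that is not part of the mailing-list discussion and not code from the Squid project: it reads the `key=` file named on an `https_port` line, determines from the PEM/DER structure alone (no OpenSSL needed) whether the private key is EC or RSA and which curve it uses, and warns that a Squid-3.x build will fail the handshake with "no shared cipher" on an EC key, as Amos explains. The PEM samples are constructed for the example (real AlgorithmIdentifier encodings around a dummy key blob, so they are not usable keys); `describe_private_key`, `check_https_port` and the sample names are this example's own.

```python
import base64
import re

OID_NAMES = {
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.3.1.7": "prime256v1 (P-256)",
    "1.3.132.0.34": "secp384r1 (P-384)",
    "1.3.132.0.35": "secp521r1 (P-521)",
}

def _pem(label, der_hex):
    """Wrap constructed DER bytes in a PEM block (sample input only)."""
    body = base64.b64encode(bytes.fromhex(der_hex)).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed PKCS#8 PrivateKeyInfo for an EC key on secp384r1 (P-384).
# The AlgorithmIdentifier is real DER; the OCTET STRING is a 4-byte dummy.
SAMPLE_EC_PKCS8_PEM = _pem("PRIVATE KEY",
    "301b"                # SEQUENCE, 27 bytes
    "020100"              # INTEGER version 0
    "3010"                # SEQUENCE AlgorithmIdentifier, 16 bytes
    "06072a8648ce3d0201"  #   OID 1.2.840.10045.2.1 (id-ecPublicKey)
    "06052b81040022"      #   OID 1.3.132.0.34 (secp384r1)
    "0404deadbeef")       # OCTET STRING: dummy key blob, not a real key

# Constructed legacy SEC1 "EC PRIVATE KEY" with the curve in [0] EXPLICIT.
SAMPLE_EC_SEC1_PEM = _pem("EC PRIVATE KEY",
    "3012" "020101" "0404deadbeef" "a007" "06052b81040022")

# Legacy PKCS#1 RSA label; the header alone identifies the algorithm.
SAMPLE_RSA_PEM = _pem("RSA PRIVATE KEY", "deadbeef")

# The https_port line from the thread.
HTTPS_PORT_LINE = ("https_port 443 accel cert=/etc/squid/test.pem "
                   "key=/etc/squid/test.key cafile=/etc/squid/globalsign.pem "
                   "dhparams=/etc/squid/dhparams.pem defaultsite=my.web.site")

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID content bytes to dotted form (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _pem_body(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM block")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def describe_private_key(pem):
    """Return (algorithm name, curve name or None) for a PEM private key."""
    label, der = _pem_body(pem)
    if label == "RSA PRIVATE KEY":
        return "rsaEncryption", None
    _, body, _ = _read_tlv(der, 0)                 # outer SEQUENCE
    if label == "EC PRIVATE KEY":                   # SEC1 ECPrivateKey
        _, _, pos = _read_tlv(body, 0)              # version
        _, _, pos = _read_tlv(body, pos)            # privateKey OCTET STRING
        tag, params, _ = _read_tlv(body, pos)       # [0] EXPLICIT parameters
        if tag != 0xA0:
            raise ValueError("SEC1 key without curve parameters")
        _, oid, _ = _read_tlv(params, 0)
        curve = _decode_oid(oid)
        return "id-ecPublicKey", OID_NAMES.get(curve, curve)
    if label == "PRIVATE KEY":                      # PKCS#8 PrivateKeyInfo
        _, _, pos = _read_tlv(body, 0)              # version
        _, algid, _ = _read_tlv(body, pos)          # AlgorithmIdentifier
        _, oid, pos = _read_tlv(algid, 0)
        alg, curve = _decode_oid(oid), None
        if alg == "1.2.840.10045.2.1" and pos < len(algid):
            _, curve_oid, _ = _read_tlv(algid, pos)  # namedCurve parameter
            curve = _decode_oid(curve_oid)
            curve = OID_NAMES.get(curve, curve)
        return OID_NAMES.get(alg, alg), curve
    raise ValueError(f"unsupported PEM label {label!r}")

def check_https_port(line, key_pem, squid_major=3):
    """Explain whether the key named on an https_port line works with this Squid."""
    opts = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    alg, curve = describe_private_key(key_pem)
    if alg == "id-ecPublicKey" and squid_major < 4:
        return (f"{opts.get('key')}: EC key on {curve}; Squid-{squid_major}.x "
                "does not support curves (only DH ciphers), so clients get "
                "'no shared cipher'. Use Squid-4 for ECDH support.")
    return f"{opts.get('key')}: {alg} key is usable by Squid-{squid_major}.x"

if __name__ == "__main__":
    print(check_https_port(HTTPS_PORT_LINE, SAMPLE_EC_PKCS8_PEM, squid_major=3))
    print(check_https_port(HTTPS_PORT_LINE, SAMPLE_EC_PKCS8_PEM, squid_major=4))
```

Run against a real key file by passing `open("/etc/squid/test.key").read()` in place of the sample; the parser only walks the outer structure, so the private scalar is never interpreted, which is the right posture for a tool that may be run on production key material.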