[squid-users] SSL errors with Squid 3.5.27
Amos Jeffries
squid3 at treenet.co.nz
Sun Jun 10 06:49:56 UTC 2018
On 10/06/18 03:46, Julian Perconti wrote:
>>> https_port 3130 intercept ssl-bump \
>>> cert=/etc/squid/ssl_cert/squidCA.pem \
>>> key=/etc/squid/ssl_cert/squidCA.pem \
>>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>> tls-dh=/etc/squid/ssl_cert/dhparam.pem
>>
>> These DH parameters are for old DH not for ECDHE (missing curve name).
>> So this may be restricting what your Squid can do to match up the client and server crypto requirements.
>
> Hi Amos,
>
> I have commented the line: "tls-dh=/etc/squid/ssl_cert/dhparam.pem"
>
> And, it seems that many errors (SSL errors) in cache.log have disappeared.
> I will confirm later if WhatsApp works from iOS/Android.
>
> Thank You!
>
> PS: I used this option (tls-dh, dhparam, etc..) following the official documentation of squid-cache.org for the "hardening" ... or "improve security", etc.
Interesting.
The main issue was that you configured only params for the Diffi-Helman
(DH and DHE) ciphers - no curve name. That meant your specified EEC*
ciphers were disabled since they require a curve name as well.
Removing this option completely disables both DH and ECDH cipher types.
Leaving your proxy with only the RSA based ciphers.
Amos
More information about the squid-users
mailing list