[squid-users] SSL errors with Squid 3.5.27
Amos Jeffries
squid3 at treenet.co.nz
Mon Jun 11 06:02:49 UTC 2018
On 10/06/18 20:42, Walter H. wrote:
> On 10.06.2018 08:49, Amos Jeffries wrote:
>>
>> Interesting.
>>
>> The main issue was that you configured only params for the Diffie-Hellman
>> (DH and DHE) ciphers - no curve name. That meant your specified EEC*
>> ciphers were disabled since they require a curve name as well.
>>
>> Removing this option completely disables both DH and ECDH cipher types.
>> Leaving your proxy with only the RSA based ciphers.
>>
> Can you please tell me how to configure this correctly?
>
> I mean how to specify the curve name ...
> and which curves are possible

The documentation covers that.
<http://www.squid-cache.org/Doc/config/http_port/>

"
tls-dh=[curve:]file
    File containing DH parameters for temporary/ephemeral DH key
    exchanges, optionally prefixed by a curve for ephemeral ECDH
    key exchanges.
    See OpenSSL documentation for details on how to create the
    DH parameter file. Supported curves for ECDH can be listed
    using the "openssl ecparam -list_curves" command.

    WARNING: EDH and EECDH ciphers will be silently disabled if
    this option is not set.
"

Curve names depend on library, so you have to check your own library for
them as described above.

Amos
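
The check described in the reply above, as an added example that is not part of the original post or of Squid: it splits a tls-dh value into curve and file and looks the curve up in the local "openssl ecparam -list_curves" output. The paths, the port, the curve name prime256v1 and the split at the first colon are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Paths and the curve name are assumptions.
#
# Creating the DH parameter file and referencing it with a curve prefix:
#   openssl dhparam -outform PEM -out /etc/squid/dhparams.pem 2048
#   http_port 3128 ... tls-dh=prime256v1:/etc/squid/dhparams.pem
# ("..." stands for the rest of your existing http_port options.)

# Print the curve prefix of a tls-dh value, or nothing for a bare file path.
# Assumes the value is split at its first colon, per the [curve:]file form.
tls_dh_curve() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
    esac
}

# Print the DH parameter file part of a tls-dh value.
tls_dh_file() {
    printf '%s\n' "${1#*:}"
}

# Read "openssl ecparam -list_curves" output on stdin, print one name per line.
# Wrapped description lines have no "name:" prefix and are skipped.
curve_names() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_-]\{1,\}\)[[:space:]]*:.*$/\1/p'
}

# check_tls_dh VALUE [CURVE_LIST]
# Returns 0: curve known, ECDH usable. 1: no curve, DH only. 2: unknown curve.
# CURVE_LIST defaults to the local library's own list.
check_tls_dh() {
    value=$1
    list=${2-$(openssl ecparam -list_curves)}
    curve=$(tls_dh_curve "$value")
    if [ -z "$curve" ]; then
        echo "no curve prefix: ECDH ciphers stay disabled, DH only"
        return 1
    fi
    if printf '%s\n' "$list" | curve_names | grep -xF -- "$curve" >/dev/null; then
        echo "curve $curve supported; DH parameters: $(tls_dh_file "$value")"
        return 0
    fi
    echo "curve $curve is not known to this OpenSSL library"
    return 2
}
```

Source the file and run check_tls_dh with the value from your own http_port line before reloading Squid.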