[squid-users] tls_outgoing_options, cipher list not parseable
Amos Jeffries
squid3 at treenet.co.nz
Fri Oct 12 04:05:24 UTC 2018
On 12/10/18 12:34 PM, L A Walsh wrote:
> I seem to have a problem specifying the cipher list in the tls_outgoing
> options.
> The line I have:
> tls_outgoing_options
> options=NOSSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE,cipher=EECDH+ECDSA+AESGCM:\
Comma .....................................^^^^^
> EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:\
> EECDH+aRSA+SHA256:EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
>
> Of note, I split the line here in email with '\', but in the config
> file, it is one long line (w/o the '\').
Squid understands line wrapping in the form of '\' terminators and
whitespace prefix on the next line. So you can make the config easier to
read and fix bugs like above by using the wrapping.
tls_outgoing_options options=... \
cipher=...
>
> The error I get from squid 4.0.25 is: (using check)
>
> # /usr/sbin/squid -k check
> 2018/10/11 16:14:31| FATAL: Unknown TLS option
> '=EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:\
>
> EECDH-aRSA-SHA384:EECDH-aRSA-SHA256:EECDH-aRSA-RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:\
>
> !MD5:!EXP:!PSK:!SRP:!DSS'
>
> (w/o the splits).
>
> I can't tell what it is objecting to.
There is no such "options=" setting as ",cipher=EECDH+..."
>
> To give it a rootcert, can I re-use the same rootcert
> I had in 3.x?
>
Yes.
Amos
More information about the squid-users
mailing list