[squid-users] Error: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Amos Jeffries
squid3 at treenet.co.nz
Mon Jun 22 09:10:06 UTC 2020
On 22/06/20 5:14 pm, Eliezer Croitoru wrote:
> I have tested 4.12 and with default settings I am getting an error on
> some local common web pages.
>
>
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: error:141A318A:SSL
> routines:tls_process_ske_dhe:dh key too small
...
>
> But yet I am still confused about the subject.
>
> Can anyone simplify this specific issue for me?
>
Just like any other key-pair encryption DHE depends on a secret. Over
time short secrets become easy for attackers to discover.
You may be more familiar with the RSA 1024->2048->4096 migrations. The
same thing is going on here but for the DHE key bit-size.
IIRC, minimum these days for DHE is 1024-bit with 2048-bit secrets being
preferred. Anything under 2048 the clients may warn, under 1024 they are
expected to reject with the above error.
For public domains you should be able to use the QualSys SSL Labs tests
to check a problematic site and see some explanation of the details.
Amos
More information about the squid-users
mailing list