[squid-users] Seeking Help with SSL Bump Configuration for ECDSA Ciphers in Squid

nikhil deshpande nikhildeshpande18 at gmail.com
Mon Sep 25 09:31:05 UTC 2023


Hi team,

Any update on this?

Regards,
Nikhil

On Thu, Sep 14, 2023 at 6:05 PM Shyam varun <shyam3898 at gmail.com> wrote:

> Dear Squid Mailing List Community,
>
> I hope this email finds you well. I am currently working on configuring
> SSL bump in Squid proxy server to support ECDSA ciphers, and I am seeking
> assistance with a particular issue I've encountered.
>
> To provide some context:
>
> - *Squid Version:* Squid 5.2
> - *OpenSSL Version*: OpenSSL 1.1.1l
> - *OS:* Alpine Linux v3.16
> - *Squid Configuration:*
>
>   sslproxy_cert_error allow all
>   sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
>   http_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/ssl/intermediate_certificate.pem key=/opt/ssl/intermediate_key.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/opt/dhparam.pem
>   tls_outgoing_options min-version=1.1 options=NO_SSLv3
>   acl step1 at_step SslBump1
>   ssl_bump peek step1
>   ssl_bump bump all
>
> The goal of my configuration is to enable SSL bump for ECDSA ciphers,
> specifically the "ECDHE-ECDSA-AES256-GCM-SHA384" and
> "ECDHE-ECDSA-AES128-GCM-SHA256" cipher suites. However, I've run into
> challenges and issues while trying to achieve this.
>
> *Things I tried:*
>
>    1. I created an ECDSA-based certificate chain using OpenSSL.
>    2. I configured the ECDSA-based certificate certs in Squid as shown in
>    the above snippet but am still not able to make it work.
>
>
> I've thoroughly reviewed the Squid documentation and online resources, but
> I haven't been able to resolve these issues on my own.
>
> I would greatly appreciate any guidance, insights, or assistance from the
> Squid community regarding the proper configuration for SSL bump with ECDSA
> ciphers. If you have successfully configured Squid to support ECDSA ciphers
> or if you have expertise in this area, your input would be invaluable.
>
> Thank you in advance for your time and support. I look forward to your
> responses and insights.
>