[squid-users] Seeking Help with SSL Bump Configuration for ECDSA Ciphers in Squid
Alex Rousskov
rousskov at measurement-factory.com
Mon Sep 25 18:30:01 UTC 2023
On 2023-09-25 05:31, nikhil deshpande wrote:
> Any update on this?
This is not really an "update" because this mailing list has not
received or has not posted the original email quoted below:
https://lists.squid-cache.org/pipermail/squid-users/2023-September/thread.html
> On Thu, Sep 14, 2023 at 6:05 PM Shyam varun <shyam3898 at gmail.com> wrote:
>
> Dear Squid Mailing List Community,
>
> I hope this email finds you well. I am currently working on
> configuring SSL bump in Squid proxy server to support ECDSA ciphers,
> and I am seeking assistance with a particular issue I've encountered.
>
> To provide some context:
>
> - Squid Version: Squid 5.2
Please note that Squid v5 is not officially supported by the Squid
Project. Please consider upgrading to Squid v6.
> - OpenSSL Version: OpenSSL 1.1.1l
> - OS: Alpine Linux v3.16
> - Squid Configuration:
>
> sslproxy_cert_error allow all
>
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
>
> http_port 3129 ssl-bump generate-host-certificates=on \
>     dynamic_cert_mem_cache_size=4MB \
>     cert=/opt/ssl/intermediate_certificate.pem \
>     key=/opt/ssl/intermediate_key.pem \
>     options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/opt/dhparam.pem
>
> tls_outgoing_options min-version=1.1 options=NO_SSLv3
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
>
>
> The goal of my configuration is to enable SSL bump for ECDSA
> ciphers, specifically the "ECDHE-ECDSA-AES256-GCM-SHA384" and
> "ECDHE-ECDSA-AES128-GCM-SHA256" cipher suites. However, I've run
> into challenges and issues while trying to achieve this.
Are you trying to bump TLS client connections when and only when the TLS
client is offering to use one of those ciphers in its ClientHello
message? Or do you want Squid to use one of those ciphers when bumping
all TLS client connections? Or something else? Please clarify.
If Squid logs ERRORs or WARNINGs to cache.log at startup, especially
messages that are seemingly related to TLS and http_port configuration,
please share them.
FWIW, to restrict Squid use of ciphers on accepted TLS client
connections, use the http_port (or https_port) "cipher" option. For
example,
https_port 3129 ssl-bump ... \
cipher=DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
If you tried that, and it did not work, please detail what did not work.
Providing a pointer to raw TLS ClientHello/ServerHello messages (in
libpcap format that Wireshark can grok) exchanged by the TLS client and
Squid may be helpful. These packets should show ciphers offered by TLS
client and ciphers offered by Squid.
Providing a pointer to compressed Squid cache.log with debug_options set
to ALL,9 collected while reproducing the issue using a dedicated
transaction may also help:
https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction
Thank you,
Alex.
> Things I tried:
>
> 1. I created an ECDSA-based certificate chain using OpenSSL.
> 2. I configured the ECDSA-based certificates in Squid as shown in the
> snippet above, but I am still not able to make it work.
>
>
> I've thoroughly reviewed the Squid documentation and online
> resources, but I haven't been able to resolve these issues on my own.
>
> I would greatly appreciate any guidance, insights, or assistance
> from the Squid community regarding the proper configuration for SSL
> bump with ECDSA ciphers. If you have successfully configured Squid
> to support ECDSA ciphers or if you have expertise in this area, your
> input would be invaluable.
>
> Thank you in advance for your time and support. I look forward to
> your responses and insights.
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
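Alex's reply asks two things the original poster never pinned down: which cipher suites the TLS client actually offers in its ClientHello, and which suite the server side (Squid, when bumping) selects in its ServerHello. The added example below, which is not part of this thread and not Squid code, shows how to pull exactly that information out of raw handshake records such as those in the packet capture Alex requests. The ClientHello and ServerHello bytes are constructed inline by the helper functions (a fixed "random" field, no extensions), not taken from a real capture; the cipher suite code points (0xC02B, 0xC02C, and so on) are the standard IANA values for the OpenSSL names used in the thread. One caveat worth checking before blaming the cipher list: an ECDHE-ECDSA suite can only be negotiated when the certificate the server presents carries an EC key, so if the ServerHello keeps choosing an RSA or DHE suite while the client offers ECDSA suites, look at the key type behind cert=/key= on the http_port line first.

```python
import struct

# Standard IANA cipher suite code points for the OpenSSL names discussed in the thread.
CIPHER_NAMES = {
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0x009E: "DHE-RSA-AES128-GCM-SHA256",
    0x009F: "DHE-RSA-AES256-GCM-SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}
ECDSA_SUITES = {0xC02B, 0xC02C}   # the two suites the original poster wants

HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02


def _handshake_body(record, expected_type):
    """Strip the 5-byte TLS record header and 4-byte handshake header, with bounds checks."""
    if len(record) < 9:
        raise ValueError("record too short")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    payload = record[5:5 + rec_len]
    if len(payload) != rec_len:
        raise ValueError("truncated record")
    hs_type = payload[0]
    hs_len = int.from_bytes(payload[1:4], "big")
    if hs_type != expected_type:
        raise ValueError("unexpected handshake type %#x" % hs_type)
    body = payload[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    return body


def client_hello_cipher_suites(record):
    """Return the cipher suites offered in a ClientHello, in the client's preference order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                              # legacy_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                        # skip session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def server_hello_cipher_suite(record):
    """Return the single cipher suite the server selected in its ServerHello."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32
    sid_len = body[pos]
    pos += 1 + sid_len
    (suite,) = struct.unpack("!H", body[pos:pos + 2])
    return suite


def offered_ecdsa_suites(record):
    """The subset of offered suites that authenticate with ECDSA (what the poster is after)."""
    return [s for s in client_hello_cipher_suites(record) if s in ECDSA_SUITES]


def name(suite):
    return CIPHER_NAMES.get(suite, "0x%04X" % suite)


def build_client_hello(suites, session_id=b""):
    """Constructed sample, not a capture: a minimal TLS 1.2 ClientHello with no extensions."""
    random = bytes(range(32))                 # fixed, constructed value
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", 0x0303) + random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                     # one compression method: null
            + b"\x00\x00")                    # empty extensions block
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


def build_server_hello(suite):
    """Constructed sample, not a capture: a minimal TLS 1.2 ServerHello selecting one suite."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs


if __name__ == "__main__":
    hello = build_client_hello([0x1302, 0x1301, 0xC02C, 0xC02B, 0xC030, 0xC02F])
    print("client offers:", [name(s) for s in client_hello_cipher_suites(hello)])
    print("ECDSA suites offered:", [name(s) for s in offered_ecdsa_suites(hello)])
    chosen = server_hello_cipher_suite(build_server_hello(0xC02F))
    # A non-ECDSA choice here, despite ECDSA offers above, points at the server's
    # certificate key type or its cipher= restriction rather than at the client.
    print("server chose:", name(chosen), "(ECDSA)" if chosen in ECDSA_SUITES else "(not ECDSA)")
```

To apply this to a real capture, feed the function the TLS record bytes of the ClientHello and ServerHello packets (Wireshark can export the TLS layer payload); an at_step SslBump1 peek gives Squid the ClientHello, so what the client offers is the same list Squid sees when deciding whether to bump.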