[squid-users] Seeking Help with SSL Bump Configuration for ECDSA Ciphers in Squid

Alex Rousskov rousskov at measurement-factory.com
Mon Sep 25 18:30:01 UTC 2023


On 2023-09-25 05:31, nikhil deshpande wrote:

> Any update on this?

This is not really an "update" because this mailing list has not 
received or has not posted the original email quoted below:
https://lists.squid-cache.org/pipermail/squid-users/2023-September/thread.html


> On Thu, Sep 14, 2023 at 6:05 PM Shyam varun <shyam3898 at gmail.com> wrote:
> 
>     Dear Squid Mailing List Community,
> 
>     I hope this email finds you well. I am currently working on
>     configuring SSL bump in Squid proxy server to support ECDSA ciphers,
>     and I am seeking assistance with a particular issue I've encountered.
> 
>     To provide some context:
> 
>     - *Squid Version:* Squid 5.2

Please note that Squid v5 is not officially supported by the Squid 
Project. Please consider upgrading to Squid v6.


>     - *OpenSSL Version:* OpenSSL 1.1.1l
>     - *OS:* Alpine Linux v3.16
>     - *Squid Configuration:*
> 
>             sslproxy_cert_error allow all
> 
>             sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
> 
>             http_port 3129 ssl-bump generate-host-certificates=on \
>                 dynamic_cert_mem_cache_size=4MB \
>                 cert=/opt/ssl/intermediate_certificate.pem \
>                 key=/opt/ssl/intermediate_key.pem \
>                 options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/opt/dhparam.pem
> 
>             tls_outgoing_options min-version=1.1 options=NO_SSLv3
> 
>             acl step1 at_step SslBump1
>             ssl_bump peek step1
>             ssl_bump bump all
> 
> 
>     The goal of my configuration is to enable SSL bump for ECDSA
>     ciphers, specifically the "ECDHE-ECDSA-AES256-GCM-SHA384" and
>     "ECDHE-ECDSA-AES128-GCM-SHA256" cipher suites. However, I've run
>     into challenges and issues while trying to achieve this.

Are you trying to bump TLS client connections when and only when the TLS 
client is offering to use one of those ciphers in its ClientHello 
message? Or do you want Squid to use one of those ciphers when bumping 
all TLS client connections? Or something else? Please clarify.

If Squid logs ERRORs or WARNINGs to cache.log at startup, especially 
messages that are seemingly related to TLS and http_port configuration, 
please share them.


FWIW, to restrict Squid use of ciphers on accepted TLS client 
connections, use the http_port (or https_port) "cipher" option. For 
example,

     https_port 3129 ssl-bump ... \
         cipher=DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

If you tried that, and it did not work, please detail what did not work. 
Providing a pointer to raw TLS ClientHello/ServerHello messages (in 
libpcap format that Wireshark can grok) exchanged by the TLS client and 
Squid may be helpful. These packets should show ciphers offered by TLS 
client and ciphers offered by Squid.

Providing a pointer to compressed Squid cache.log with debug_options set 
to ALL,9 collected while reproducing the issue using a dedicated 
transaction may also help: 
https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction


Thank you,

Alex.



>     *Things I tried:*
> 
>      1. I created an ECDSA-based certificate chain using OpenSSL.
>      2. I configured the ECDSA-based certificate certs in squid as shown
>         in above snippet but still not able to make it work.
> 
> 
>     I've thoroughly reviewed the Squid documentation and online
>     resources, but I haven't been able to resolve these issues on my own.
> 
>     I would greatly appreciate any guidance, insights, or assistance
>     from the Squid community regarding the proper configuration for SSL
>     bump with ECDSA ciphers. If you have successfully configured Squid
>     to support ECDSA ciphers or if you have expertise in this area, your
>     input would be invaluable.
> 
>     Thank you in advance for your time and support. I look forward to
>     your responses and insights.
> 
> 
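Alex suggests comparing the ciphers offered by the TLS client with those offered by Squid, and restricting Squid's side with the http_port/https_port `cipher=` option. The following Python script is an added example for this thread, not Squid code and not from either poster: it parses a raw TLS ClientHello record (the bytes one would pull out of the libpcap capture Alex asks for) to list the cipher suites the client offers, parses a ServerHello to show what was actually selected, and predicts the selection a server would make given a `cipher=` list and the key type of the certificate it presents. The sample handshake messages are constructed inline; the suite-id table is a small subset of the IANA registry, and `expected_selection` assumes the server honours client preference order (the OpenSSL default without SSL_OP_CIPHER_SERVER_PREFERENCE) and that a TLS 1.2 ECDHE-ECDSA suite is only usable when the presented certificate carries an ECDSA key, which is why an RSA leaf certificate plus an ECDSA-only `cipher=` list yields no shared cipher.

```python
import struct

# Subset of IANA cipher suite ids mapped to OpenSSL names (the ones
# discussed in the thread plus a TLS 1.3 suite for contrast).
SUITES = {
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0x009E: "DHE-RSA-AES128-GCM-SHA256",
    0x009F: "DHE-RSA-AES256-GCM-SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}

def _hello_body(record):
    """Validate one TLS record holding one handshake message; return (type, body).
    Assumes the handshake message is not fragmented across records."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    return hs[0], body

def client_hello_ciphers(record):
    """Cipher suites offered by the client, in the client's preference order."""
    hs_type, body = _hello_body(record)
    if hs_type != 1:
        raise ValueError("not a ClientHello")
    pos = 2 + 32                      # skip client_version and random
    pos += 1 + body[pos]              # skip session_id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ids = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    return [SUITES.get(i, f"0x{i:04X}") for i in ids]

def server_hello_cipher(record):
    """The single cipher suite the server selected."""
    hs_type, body = _hello_body(record)
    if hs_type != 2:
        raise ValueError("not a ServerHello")
    pos = 2 + 32
    pos += 1 + body[pos]
    cid = struct.unpack("!H", body[pos:pos + 2])[0]
    return SUITES.get(cid, f"0x{cid:04X}")

def expected_selection(offered, allowed, cert_key_type):
    """First client-offered suite that the server's cipher= list permits and
    that the presented certificate's key type can authenticate; None means
    the handshake would fail with 'no shared cipher'."""
    for name in offered:
        if name not in allowed:
            continue
        if "-ECDSA-" in name and cert_key_type != "ECDSA":
            continue
        if "-RSA-" in name and cert_key_type != "RSA":
            continue
        return name
    return None

# --- constructed sample messages (not captured traffic) ---------------------
def build_client_hello(suite_ids):
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suite_ids))
    body += b"".join(struct.pack("!H", s) for s in suite_ids)
    body += b"\x01\x00"                           # one compression method: null
    body += b"\x00\x00"                           # no extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_server_hello(suite_id):
    body = b"\x03\x03" + b"\x22" * 32 + b"\x00"
    body += struct.pack("!H", suite_id) + b"\x00" + b"\x00\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    ch = build_client_hello([0xC02C, 0xC02B, 0xC030, 0xC02F, 0x009E])
    offered = client_hello_ciphers(ch)
    print("client offers:", offered)
    print("server chose: ", server_hello_cipher(build_server_hello(0xC030)))
    ecdsa_only = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256"]
    print("ECDSA list, RSA cert:  ", expected_selection(offered, ecdsa_only, "RSA"))
    print("ECDSA list, ECDSA cert:", expected_selection(offered, ecdsa_only, "ECDSA"))
```

Running the script against a real capture means feeding `client_hello_ciphers` the first handshake record from the client and `server_hello_cipher` the first record from Squid; if the two lists do not intersect on an ECDSA suite, the mismatch is either the client's offer, the `cipher=` list, or the key type of the leaf certificate Squid presents.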