[squid-users] ERROR: Unsupported TLS option SINGLE_ECDH_USE

Jonathan Lee jonathanlee571 at gmail.com
Fri Jul 5 16:11:36 UTC 2024 

Wireshark shows Cipher Suite: TLS_AES_128_GCM_SHA256 is being used
How would I append the TLS13-AES-256-CGM-SHA384 cipher suite for use with TLSv1.3 as it states change cipher spec on wireshark

> On Jul 5, 2024, at 08:46, Jonathan Lee <jonathanlee571 at gmail.com> wrote:
> 
> More details for Unsupported TLS option
> 
> When running squid -k parse
> 
> 2024/07/05 08:40:43| Processing: http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> 2024/07/05 08:40:43| UPGRADE WARNING: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.
> 2024/07/05 08:40:47| ERROR: Unsupported TLS option SINGLE_DH_USE
> 2024/07/05 08:40:47| ERROR: Unsupported TLS option SINGLE_ECDH_USE
> 2024/07/05 08:40:47| Processing: http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> 2024/07/05 08:40:47| Starting Authentication on port 127.0.0.1:3128
> 2024/07/05 08:40:47| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
> 2024/07/05 08:40:47| UPGRADE WARNING: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.
> 2024/07/05 08:40:51| ERROR: Unsupported TLS option SINGLE_DH_USE
> 2024/07/05 08:40:51| ERROR: Unsupported TLS option SINGLE_ECDH_USE
> 2024/07/05 08:40:51| Processing: https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> 2024/07/05 08:40:51| Starting Authentication on port 127.0.0.1:3129
> 2024/07/05 08:40:51| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
> 2024/07/05 08:40:51| UPGRADE WARNING: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in https_port. Use 'tls-cafile=' instead.
> 2024/07/05 08:40:55| ERROR: Unsupported TLS option SINGLE_DH_USE
> 2024/07/05 08:40:55| ERROR: Unsupported TLS option SINGLE_ECDH_USE
> elliptic curve options are set below and I have inspected the file it is present. 
> 
>  tls-dh=prime256v1:/etc/dh-parameters.2048 
> 
>> On Jul 5, 2024, at 08:35, Jonathan Lee <jonathanlee571 at gmail.com> wrote:
>> 
>> tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>> tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>> Different thread for ciphers issues
>> 
>> ERROR: Unsupported TLS option SINGLE_ECDH_USE
>> 
>> I found researching in lists-squid-cache.org <http://lists-squid-cache.org/> that someone solved this error with appending TLS13-AES-256-CGM-SHA384 to the ciphers. 
>> 
>> I am thinking this is my issue also.
>> 
>> I see that error over and over when I run "squid -k parse”
>> 
>> Do I append this to the options cipher list?
>> 
>> Does anyone know how to fix the 2 diffie-hellman key exchange algorithm errors?
>> 
>> 
>> 
>> Jonathan Lee
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20240705/32360cfb/attachment.htm>

More information about the squid-users mailing list