But does this mean that ECDHE isn't supported by Squid?
I had a related question as the original poster. Some U.S. federal security standards (e.g. NSA Suite B) require ECDH and ECDHE adds perfect forward secrecy.
Can Squid bump TLS 1.2 traffic that uses ECDHE and that uses certificates signed using ECDSA?
From: Marcus Kool <marcus.kool@xxxxxxxxxxxxxxx>
To: dweimer@xxxxxxxxxxx, Squid Users <squid-users@xxxxxxxxxxxxxxx>
Date: 08/12/2015 05:10 PM
Subject: Re: Squid 3.5 Forward Secrecy on https_port
Sent by: "squid-users" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>
>> Does anyone see something missing in my https_port configuration that
>> is causing it to not use the ECDHE keys?
>
> I made some updates above, the dh.params file wasn't being found, changed that line to use the full path, and it's now using DHE ciphers, but not ECDHE ciphers.
FWIW:
ECDHE is not considered safe by a group of cryptologists since the EC implementation is based on secret parameters that only the author of the algorithm has.
See also http://safecurves.cr.yp.to/rigid.html
Marcus
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
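The check both posters are after is whether the proxy's https_port actually ends up negotiating an ECDHE suite (forward secrecy) rather than DHE or plain RSA key transport, and whether the proxy's certificate key type even permits the ECDHE suites being asked for (ECDHE-ECDSA suites need an EC key in the proxy's own certificate; ECDHE-RSA suites need an RSA key; what algorithm the issuing CA signed with does not matter). The following Python is an added example, not code from the thread or from the Squid project: it classifies OpenSSL cipher names by key exchange, parses the session block that `openssl s_client -connect proxy:443` prints (the sample output is constructed, not from anyone's proxy), and asks the local OpenSSL which TLS 1.2 suites a candidate `cipher=` string expands to. The `cipher=` string and port are assumptions for illustration.

```python
import re
import ssl

# Constructed sample: the tail of an `openssl s_client -connect proxy:443` run.
# Not real output from the poster's proxy; it shows the DHE-only outcome described above.
SAMPLE_S_CLIENT_OUTPUT = """\
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 7A3B0C
"""


def classify_cipher(name):
    """Return (key_exchange, authentication, forward_secrecy) for an OpenSSL cipher name."""
    if name.startswith("TLS_"):
        # TLS 1.3 suite names carry no key-exchange prefix; every TLS 1.3 handshake
        # uses ephemeral (EC)DHE, so forward secrecy is always present.
        return ("ECDHE/DHE", "any", True)
    parts = name.split("-")
    kx = parts[0]
    auth = parts[1] if len(parts) > 1 else ""
    if kx == "ECDHE":
        return ("ECDHE", auth, True)
    if kx in ("DHE", "EDH"):
        return ("DHE", auth, True)
    if kx == "ECDH":
        return ("static ECDH", auth, False)   # long-term ECDH key: no forward secrecy
    # No key-exchange prefix (e.g. AES256-GCM-SHA384): RSA key transport, no forward secrecy.
    return ("RSA", "RSA", False)


def parse_s_client(output):
    """Pull protocol and negotiated cipher out of the SSL-Session block of s_client output."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    ciph = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if not ciph or ciph.group(1) == "0000":   # 0000 means no session was established
        return None
    return {"protocol": proto.group(1) if proto else None, "cipher": ciph.group(1)}


def suite_usable_with_key(name, cert_key_type):
    """cert_key_type is the key in the proxy's own certificate ('RSA' or 'EC'), not the CA's."""
    _, auth, _ = classify_cipher(name)
    if auth == "any":
        return True
    if auth == "ECDSA":
        return cert_key_type == "EC"
    if auth == "RSA":
        return cert_key_type == "RSA"
    return False   # DSS, PSK, anonymous suites: not usable with an RSA or EC certificate


def expand_cipher_string(cipher_string):
    """Ask the local OpenSSL which TLS 1.2 suites a Squid `cipher=` value would select.

    An empty result means nothing matched, which is what you see when the OpenSSL
    build behind the proxy has no EC support at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def audit(output, cert_key_type="RSA"):
    """Summarise what the proxy negotiated and whether it delivers forward secrecy."""
    sess = parse_s_client(output)
    if sess is None:
        return "no TLS session established"
    kx, auth, fs = classify_cipher(sess["cipher"])
    return "%s %s: key exchange %s, auth %s, forward secrecy %s" % (
        sess["protocol"], sess["cipher"], kx, auth, "yes" if fs else "NO")


if __name__ == "__main__":
    print(audit(SAMPLE_S_CLIENT_OUTPUT))
    # Assumed candidate for the https_port cipher= option; check what it selects locally.
    for suite in expand_cipher_string("ECDHE+AESGCM:DHE+AESGCM"):
        print(suite, "usable with RSA cert:", suite_usable_with_key(suite, "RSA"))
```

Run it against the real `openssl s_client` output from the proxy after each configuration change; if `expand_cipher_string` returns no ECDHE suites on the proxy host itself, the problem is the OpenSSL build rather than the squid.conf line.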