Search squid archive

Re: Squid as reverse proxy with EC private key

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 22/09/2015 2:09 a.m., Johannes Engel wrote:
> Dear all,
> 
> I would like to run squid 3.5.8 as a reverse proxy for our webserver. I
> already have a certificate which is currently in use by the Apache
> Webserver 2.4 itself. It is based upon an EC (elliptic curve) private key
> of length 384.
> Until now I have not managed to fire up squid with by specifying https_port
> with private key and certificate. It will run, but all connection attempts
> (e.g. using openssl s_client or gnutls-cli) will break down with the
> following server-side error:
> 
> Error negotiating SSL connection on FD 14: error:1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
> 
> The https_port line looks like this:
> https_port 443 accel cert=/etc/squid/test.pem key=/etc/squid/test.key
> cafile=/etc/squid/globalsign.pem dhparams=/etc/squid/dhparams.pem
> defaultsite=my.web.site
> 
> Does Squid simply not support elliptic curvers for primary keys? OpenSSL
> 1.0.1k is installed which works fine with the Apache...

Squid-3.x do not support Curves. Only the older DH ciphers.

For ECDH support you need to use Squid-4.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux