I'm having a hard time trying to use ECDH support in Squid, and I have tried a few different releases since v. 4 came out.
Squid version:
Squid Cache: Version 4.0.3-20151216-r14446
Service Name: squid
configure options: '--with-openssl' '--enable-basic-auth-helpers=squid_radius_auth' '--enable-auth' --enable-ltdl-convenience
OpenSSL is 1.0.1q
Relevant https_port settings line in my squid.conf:
https_port 443 cert=/root/ssl/squid.crt key=/root/ssl/squid.key tls-cafile=/root/ssl/ca.crt cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem
When I try to run it, I get the following error:
2015/12/21 09:01:05| ERROR: Unable to set Ephemeral ECDH: error:00000000:lib(0):func(0):reason(0)
Full https_port part from the debug when running squid -X:
2015/12/21 09:02:24.000| Initializing https_port [::]:443 TLS context
2015/12/21 09:02:24.001| 24,7| SBuf.cc(180) rawSpace: reserving 1 for SBuf135
2015/12/21 09:02:24.001| 24,7| SBuf.cc(187) rawSpace: SBuf135 not growing
2015/12/21 09:02:24.001| 24,7| SBuf.cc(180) rawSpace: reserving 1 for SBuf134
2015/12/21 09:02:24.001| 24,7| SBuf.cc(187) rawSpace: SBuf134 not growing
2015/12/21 09:02:24.001| Using certificate in /root/ssl/squid.crt
2015/12/21 09:02:24.027| 83,5| support.cc(512) configureSslContext: Using chiper suite ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS.
2015/12/21 09:02:24.027| 24,7| SBuf.cc(180) rawSpace: reserving 1 for SBuf124
2015/12/21 09:02:24.027| 24,7| SBuf.cc(187) rawSpace: SBuf124 not growing
2015/12/21 09:02:24.027| 83,9| support.cc(521) configureSslContext: Setting RSA key generation callback.
2015/12/21 09:02:24.027| 83,9| ServerOptions.cc(164) updateContextEecdh: Setting Ephemeral ECDH curve to secp384r1.
2015/12/21 09:02:24.027| 24,7| SBuf.cc(180) rawSpace: reserving 1 for SBuf130
2015/12/21 09:02:24.027| 24,8| SBuf.cc(1000) cow: SBuf130 new size:10
2015/12/21 09:02:24.027| 24,8| SBuf.cc(970) reAlloc: SBuf130 new size: 10
2015/12/21 09:02:24.027| 24,9| MemBlob.cc(56) MemBlob: constructed, this=0x1f94670 id=blob125 reserveSize=10
2015/12/21 09:02:24.027| 24,8| MemBlob.cc(101) memAlloc: blob125 memAlloc: requested=10, received=40
2015/12/21 09:02:24.027| 24,7| SBuf.cc(979) reAlloc: SBuf130 new store capacity: 40
2015/12/21 09:02:24.027| ERROR: Unable to set Ephemeral ECDH: error:00000000:lib(0):func(0):reason(0)
2015/12/21 09:02:24.034| 83,8| PeerOptions.cc(534) updateContextCa: Setting CA certificate locations.
2015/12/21 09:02:24.034| 24,8| SBuf.cc(89) SBuf: SBuf149 created from id SBuf138
2015/12/21 09:02:24.034| 24,7| SBuf.cc(180) rawSpace: reserving 1 for SBuf122
2015/12/21 09:02:24.034| 24,8| SBuf.cc(1000) cow: SBuf122 new size:1
2015/12/21 09:02:24.034| 24,8| SBuf.cc(970) reAlloc: SBuf122 new size: 1
2015/12/21 09:02:24.034| 24,9| MemBlob.cc(56) MemBlob: constructed, this=0x1f96070 id=blob126 reserveSize=1
2015/12/21 09:02:24.034| 24,8| MemBlob.cc(101) memAlloc: blob126 memAlloc: requested=1, received=40
2015/12/21 09:02:24.034| 24,7| SBuf.cc(979) reAlloc: SBuf122 new store capacity: 40
2015/12/21 09:02:24.034| 24,7| SBuf.cc(180) rawSpace: reserving 1 for SBuf149
2015/12/21 09:02:24.034| 24,7| SBuf.cc(187) rawSpace: SBuf149 not growing
2015/12/21 09:02:24.034| WARNING: Ignoring error setting CA certificate locations: error:0B064071:x509 certificate routines:ADD_CERT_DIR:invalid directory
2015/12/21 09:02:24.035| 24,8| SBuf.cc(135) ~SBuf: SBuf149 destructed
2015/12/21 09:02:24.035| 83,9| support.cc(548) configureSslContext: Not requiring any client certificates
2015/12/21 09:02:24.035| 21,3| tools.cc(499) leave_suid: leave_suid: PID 13102 called
2015/12/21 09:02:24.035| 21,3| tools.cc(521) leave_suid: leave_suid: PID 13102 giving up root, becoming 'nobody'
2015/12/21 09:02:24.035| 0,9| debug.cc(403) parseOptions: command-line -X overrides: ALL,1
Is there anybody running it successfully with ECDH support willing to share some insights and a config sample?
Thanks in advance.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users