On 05/09/17 20:55, chiasa.men wrote> Thanks, that was easy... but:
That does not work:
https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/
example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
openssl s_client -connect localhost:3128
140048907216536:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:769:
Allowing RC4 and MD5 works:
https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/
example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:RC4:MD5
openssl s_client -connect localhost:3128
Cipher : ECDH-ECDSA-RC4-SHA
But openssl works without allowing RC4 and MD5:
openssl s_server -cert /example/cert.pem -key /example/key.pem -cipher 'ECDHE-
ECDSA-AES256-GCM-SHA384:!RC4:!MD5'
openssl s_client -connect localhost:4433
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
So I guess the certificate and the openssl part should work.
Maybe you could give another advice?
"
cipher=
Colon separated list of supported ciphers.
NOTE: some ciphers such as EDH ciphers depend on
additional settings. If those settings are
omitted the ciphers may be silently ignored
by the OpenSSL library."
"
For the ECDHE-* ciphers to work the server end needs to be configured
with curve parameters. That is done the tls-dh= option with a curve name
and
"
tls-dh=[curve:]file
File containing DH parameters for temporary/ephemeral DH key
exchanges, optionally prefixed by a curve for ephemeral ECDH
key exchanges.
See OpenSSL documentation for details on how to create the
DH parameter file. Supported curves for ECDH can be listed
using the "openssl ecparam -list_curves" command.
WARNING: EDH and EECDH ciphers will be silently disabled if
this option is not set.
"
btw, the used squid version:
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux
Please upgrade. Somewhat urgently.
* TLS/SSL has had a *lot* of progress in the past few years. There are
many security related issues resolved in the latest releases which exist
in the older ones.
* ECDHE is a good example of the change. It is not supported *at all* by
that old version of Squid.
When using TLS/SSL support Squid-3.5.24 is currently the oldest
acceptable Squid release as it contains extra mitigation for TLS DoS
vulnerabilities. The current 3.5.27 would be best from the 3.5 series.
If you are not already aware there is no official security
support/tracking from Debian and Ubuntu for TLS/SSL vulnerabilities as
their packages do not ship with OpenSSL support. So following their
stable/security package version is of no benefit for TLS/SSL issues, you
need to track upstream releases yourself when custom building software
(that goes for anything, not just Squid).
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
