Re: Transition from squid3.5 to squid4; ciphers don't work anymore, ERROR: Unknown TLS option SINGLE_DH_USE

On Saturday, 17 February 2018, 14:28:04 CET, chiasa.men wrote:
> On Monday, 12 February 2018, 14:29:09 CET, chiasa.men wrote:
> > Hi, I tried squid4.
> >
> > Squid Cache: Version 4.0.23
> > This binary uses OpenSSL 1.1.1-dev xx XXX xxxx
> >
> > Before, I used:
> > Squid Cache: Version 3.5.27
> > This binary uses OpenSSL 1.0.2g 1 Mar 2016
> >
> > Some of the config directives changed:
> > E.g.
> > sslproxy_options SINGLE_DH_USE,SINGLE_ECDH_USE
> > ->
> > tls_tls_outgoing_options options=SINGLE_DH_USE,SINGLE_ECDH_USE
> >
> > But that results in version 4 in the following errors (cache.log):
> > ERROR: Unknown TLS option SINGLE_DH_USE
> > ERROR: Unknown TLS option SINGLE_ECDH_USE
> >
> > (same error with the same options in https_proxy)
> >
> > Is that a problem related to the openssl version change?
> >
> > In cache_peer I also now have to configure
> > tls-cafile=/etc/ssl/certs/ca-certificates.crt explicitly (I used some
> > self-signed certificates for testing - but in Squid3 I didn't need to
> > configure that). Otherwise I get:
> > (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
> >
> > In the reference it's stated that:
> > tls-default-ca[=off]
> >
> > Whether to use the system Trusted CAs. Default is ON.
> >
> > Shouldn't the tls-cafile option be unnecessary since it's trusted by
> > default?
> >
> > Furthermore I set Apache (the peer) to
> > "SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384"
> > as well as cache_peer sslcipher=ECDHE-ECDSA-AES256-GCM-SHA384
> >
> > ERROR: negotiating TLS on FD 20: error:141A90B5:SSL
> > routines:ssl_cipher_list_to_bytes:no ciphers available (1/-1/0)
> >
> > How can that be?
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > http://lists.squid-cache.org/listinfo/squid-users
>
> Any idea?

I could solve the "no ciphers available" by appending "TLS13-AES-256-GCM-SHA384" to the ciphers.
But the log shows the use of "ECDHE-ECDSA-AES256-GCM-SHA384".
Why is that cipher relevant if it's not used?


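As an added example (not part of the thread, and not Squid's or OpenSSL's own code), the script below asks the OpenSSL that Python is linked against the two questions raised above: whether SINGLE_DH_USE and SINGLE_ECDH_USE still mean anything (OpenSSL 1.1.0 turned both into no-ops, which is why a TLS stack built on 1.1.x can reject the names), and what a single-cipher sslcipher= string such as the one in the thread expands to, separating the TLS 1.2 cipher list from the TLS 1.3 suites that OpenSSL 1.1.1 configures independently of it. It assumes a Python built against OpenSSL 1.1.0 or newer.

```python
import ssl

# OpenSSL 1.1.0 turned SSL_OP_SINGLE_DH_USE and SSL_OP_SINGLE_ECDH_USE into
# permanent no-ops (their bit value became 0): ephemeral (EC)DH keys are now
# always generated per handshake, so a TLS stack built on 1.1.x can drop the
# option names. Python exposes the raw OpenSSL values, so we can check them.
LEGACY_OPTIONS = {
    "SINGLE_DH_USE": getattr(ssl, "OP_SINGLE_DH_USE", None),
    "SINGLE_ECDH_USE": getattr(ssl, "OP_SINGLE_ECDH_USE", None),
}


def stack_info():
    """Facts about the TLS library this interpreter is linked against."""
    return {
        "name": ssl.OPENSSL_VERSION,
        "version": ssl.OPENSSL_VERSION_INFO,
        "tls13": ssl.HAS_TLSv1_3,
    }


def obsolete_options(options=LEGACY_OPTIONS):
    """Names of the options that are no-ops (value 0) in the linked OpenSSL."""
    return sorted(name for name, value in options.items() if value == 0)


def expand_cipher_string(cipher_string):
    """Expand a Squid-style sslcipher= string the way OpenSSL does and split
    the result into TLS 1.2-and-below ciphers and TLS 1.3 ciphersuites.

    Since OpenSSL 1.1.1 the TLS 1.3 suites are not selected by the cipher
    string at all; they are configured separately and stay enabled however
    narrow the TLS 1.2 list is, so a peer can still negotiate TLS 1.3 while
    the TLS 1.2 list names only one cipher."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    legacy, tls13 = [], []
    for cipher in ctx.get_ciphers():
        target = tls13 if cipher["protocol"] == "TLSv1.3" else legacy
        target.append(cipher["name"])
    return {"tls12": legacy, "tls13": tls13}


if __name__ == "__main__":
    print("TLS library:", stack_info()["name"])
    print("options this OpenSSL ignores:", obsolete_options())
    # The single cipher from the thread (Apache SSLCipherSuite and the
    # cache_peer sslcipher= value).
    result = expand_cipher_string("ECDHE-ECDSA-AES256-GCM-SHA384")
    print("TLS 1.2 ciphers:", result["tls12"])
    print("TLS 1.3 suites :", result["tls13"])
```

Run it on the proxy host with the cipher string from squid.conf; an empty TLS 1.3 list together with a TLS 1.2 list that does not intersect the peer's configuration is what produces "no ciphers available".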
