On 29/06/19 3:03 am, Walter H. wrote:
>
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
> sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2
>

I do not see the tls-dh setting necessary for the elliptic curves to work in your displayed config. So that would make the above cipher directive essentially disable everything except SSLv3 with MEDIUM/HIGH level non-RSA ciphers.

The value of the sslproxy_options directive is colon (:) or comma (,) delimited. When multiple values like the above are configured, only the first in the list is used, which forces only TLS/1.2.

It is not clear what OpenSSL will do when those conflicting options are handed to it. But it looks like it is down-grading to SSLv3 as L.P.H. said, then breaking when something else arrives back.

I would start by removing the sslproxy_cipher directive entirely and fixing sslproxy_options to be:

  sslproxy_options NO_SSLv2:NO_SSLv3

then re-adding the cipher *restrictions* (the ones with '!' prefix) gradually to see what you actually need and where the problem starts. You should not need the additions, as secure ciphers are always enabled by default.

If you can watch the TLS negotiations with wireshark as you experiment, it can help you understand which options actually do anything. There are overlaps, e.g. "!LOW" should be including the removals that "!RC4" does, and such overlaps.

Amos

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
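A small lint script for the two directives discussed in this thread, added here as an illustration and not code from Squid or from either poster. It takes the configuration values quoted above as constructed input, applies the parsing rule Amos describes (colon/comma delimited, only the first whitespace-separated word honoured), flags the +SSLv3 versus NO_SSLv3 conflict, and builds the staged cipher strings for re-adding the '!' restrictions one at a time; the openssl_ciphers helper is an optional extra that shells out to a local openssl binary if one is installed.

```python
"""Lint a Squid sslproxy_options / sslproxy_cipher pair (constructed example)."""
import shutil
import subprocess

# Values quoted from the original post (constructed input for this example).
OPTIONS = "NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2"
CIPHERS = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:"
           "ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:"
           "!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP")


def effective_options(value):
    """Parsing rule as stated in the reply: colon/comma delimited, and with
    whitespace separation only the first word is used (assumption from the post)."""
    words = value.split()
    first = words[0] if words else ""
    return [tok for tok in first.replace(",", ":").split(":") if tok]


def fixed_options(value):
    """Keep only the NO_* restrictions and join them the way Squid expects."""
    words = value.replace(",", " ").replace(":", " ").split()
    return ":".join(w for w in words if w.startswith("NO_"))


def split_cipher_spec(spec):
    """Separate '!' restrictions, '+' reorderings and plain additions."""
    groups = {"restrict": [], "reorder": [], "add": []}
    for tok in spec.split(":"):
        key = "restrict" if tok.startswith("!") else "reorder" if tok.startswith("+") else "add"
        groups[key].append(tok)
    return groups


def staged_cipher_specs(spec):
    """Cipher strings to try one by one: OpenSSL's DEFAULT list first, then
    each '!' restriction re-added cumulatively, as the reply suggests."""
    stages = ["DEFAULT"]
    for r in split_cipher_spec(spec)["restrict"]:
        stages.append(stages[-1] + ":" + r)
    return stages


def conflicts(options_value, spec):
    """Cipher tokens that re-enable a protocol the (fixed) options disable."""
    disabled = {o[3:] for o in fixed_options(options_value).split(":") if o}
    return [t for t in split_cipher_spec(spec)["reorder"] if t[1:] in disabled]


def openssl_ciphers(spec):
    """Expand a cipher string with the local openssl binary; None if absent."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "ciphers", spec], capture_output=True, text=True)
    return out.stdout.strip().split(":") if out.returncode == 0 else []
```

Compare openssl_ciphers of consecutive stages to see exactly which suites each restriction removes, which is the same information a wireshark capture of the ClientHello would show.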