Re: Error: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

On 22/06/20 5:14 pm, Eliezer Croitoru wrote:
> I have tested 4.12 and with default settings I am getting an error on
> some local common web pages.
> 
> 
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: error:141A318A:SSL
> routines:tls_process_ske_dhe:dh key too small
...
> 
> But yet I am still confused about the subject.
> 
> Can anyone simplify this specific issue for me?
> 

Just like any other key-pair encryption DHE depends on a secret. Over
time short secrets become easy for attackers to discover.

You may be more familiar with the RSA 1024->2048->4096 migrations. The
same thing is going on here but for the DHE key bit-size.


IIRC, minimum these days for DHE is 1024-bit with 2048-bit secrets being
preferred. Anything under 2048 the clients may warn, under 1024 they are
expected to reject with the above error.

For public domains you should be able to use the Qualys SSL Labs tests
to check a problematic site and see some explanation of the details.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



