Re: Seeking Help with SSL Bump Configuration for ECDSA Ciphers in Squid

On 2023-09-25 05:31, nikhil deshpande wrote:

Any update on this?

This is not really an "update" because this mailing list has not received or has not posted the original email quoted below:
https://lists.squid-cache.org/pipermail/squid-users/2023-September/thread.html


On Thu, Sep 14, 2023 at 6:05 PM Shyam varun <shyam3898@xxxxxxxxx> wrote:

    Dear Squid Mailing List Community,

    I hope this email finds you well. I am currently working on
    configuring SSL bump in Squid proxy server to support ECDSA ciphers,
    and I am seeking assistance with a particular issue I've encountered.

    To provide some context:

    - Squid Version: Squid 5.2

Please note that Squid v5 is not officially supported by the Squid Project. Please consider upgrading to Squid v6.


    - OpenSSL Version: OpenSSL 1.1.1l
    - OS: Alpine Linux v3.16
    - Squid Configuration:

            sslproxy_cert_error allow all

            sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

            http_port 3129 ssl-bump generate-host-certificates=on \
                dynamic_cert_mem_cache_size=4MB \
                cert=/opt/ssl/intermediate_certificate.pem \
                key=/opt/ssl/intermediate_key.pem \
                options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/opt/dhparam.pem

            tls_outgoing_options min-version=1.1 options=NO_SSLv3

            acl step1 at_step SslBump1
            ssl_bump peek step1
            ssl_bump bump all


    The goal of my configuration is to enable SSL bump for ECDSA
    ciphers, specifically the "ECDHE-ECDSA-AES256-GCM-SHA384" and
    "ECDHE-ECDSA-AES128-GCM-SHA256" cipher suites. However, I've run
    into challenges and issues while trying to achieve this.

Are you trying to bump TLS client connections when and only when the TLS client is offering to use one of those ciphers in its ClientHello message? Or do you want Squid to use one of those ciphers when bumping all TLS client connections? Or something else? Please clarify.

If Squid logs ERRORs or WARNINGs to cache.log at startup, especially messages that are seemingly related to TLS and http_port configuration, please share them.


FWIW, to restrict Squid use of ciphers on accepted TLS client connections, use the http_port (or https_port) "cipher" option. For example,

    https_port 3129 ssl-bump ... \
        cipher=DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

If you tried that, and it did not work, please detail what did not work. Providing a pointer to raw TLS ClientHello/ServerHello messages (in libpcap format that Wireshark can grok) exchanged by the TLS client and Squid may be helpful. These packets should show ciphers offered by TLS client and ciphers offered by Squid.

Providing a pointer to compressed Squid cache.log with debug_options set to ALL,9 collected while reproducing the issue using a dedicated transaction may also help: https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction


Thank you,

Alex.



    Things I tried:

     1. I created an ECDSA-based certificate chain using OpenSSL.
     2. I configured the ECDSA-based certificates in Squid as shown in
        the snippet above, but I am still not able to make it work.


    I've thoroughly reviewed the Squid documentation and online
    resources, but I haven't been able to resolve these issues on my own.

    I would greatly appreciate any guidance, insights, or assistance
    from the Squid community regarding the proper configuration for SSL
    bump with ECDSA ciphers. If you have successfully configured Squid
    to support ECDSA ciphers or if you have expertise in this area, your
    input would be invaluable.

    Thank you in advance for your time and support. I look forward to
    your responses and insights.
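Alex suggests looking at the raw ClientHello/ServerHello messages to see which cipher suites the TLS client offers and which one Squid selects. The following script is an added example, not code from the thread or from the Squid project: it parses the cipher-suite fields of those two handshake messages from raw TLS record bytes and reports them by their OpenSSL names, so a defender can confirm whether a client actually offers the ECDHE-ECDSA suites before blaming the proxy configuration. The sample records are constructed inline by the `build_client_hello`/`build_server_hello` helpers; on real traffic you would feed it the TCP payload extracted from the capture (the extraction step is assumed, not shown). The cipher-suite IDs in the table are the registered IANA values.

```python
"""Report cipher suites from TLS ClientHello and ServerHello records (added example)."""
import struct

# Subset of registered IANA cipher suite IDs mapped to their OpenSSL names.
CIPHER_NAMES = {
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0x009E: "DHE-RSA-AES128-GCM-SHA256",
    0x009F: "DHE-RSA-AES256-GCM-SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}

HANDSHAKE = 22      # TLS record content type for handshake messages
CLIENT_HELLO = 1    # handshake message types
SERVER_HELLO = 2


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte record header and 4-byte handshake header, checking types."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    msg = record[5:5 + length]
    if msg[0] != expected_type:
        raise ValueError("unexpected handshake message type %d" % msg[0])
    hlen = int.from_bytes(msg[1:4], "big")
    return msg[4:4 + hlen]


def offered_ciphers(client_hello_record: bytes) -> list:
    """Cipher suites the client offers, in its preference order, as names or hex IDs."""
    body = _handshake_body(client_hello_record, CLIENT_HELLO)
    pos = 2 + 32                       # skip client_version and random
    pos += 1 + body[pos]               # skip session_id (length-prefixed)
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    ids = struct.unpack("!%dH" % (cs_len // 2), body[pos:pos + cs_len])
    return [CIPHER_NAMES.get(i, "0x%04X" % i) for i in ids]


def selected_cipher(server_hello_record: bytes) -> str:
    """The single cipher suite the server chose."""
    body = _handshake_body(server_hello_record, SERVER_HELLO)
    pos = 2 + 32                       # skip server_version and random
    pos += 1 + body[pos]               # skip session_id
    (cid,) = struct.unpack("!H", body[pos:pos + 2])
    return CIPHER_NAMES.get(cid, "0x%04X" % cid)


def offers_ecdsa(client_hello_record: bytes) -> bool:
    """True if the client offers at least one ECDSA-authenticated suite."""
    return any("ECDSA" in name for name in offered_ciphers(client_hello_record))


def _record(handshake_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in handshake and record headers."""
    msg = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(msg)) + msg


def build_client_hello(suite_ids) -> bytes:
    """Constructed sample ClientHello: TLS 1.2, zeroed random, no session id, no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                  # one compression method: null
            + b"\x00\x00")                 # empty extensions block
    return _record(CLIENT_HELLO, body)


def build_server_hello(suite_id: int) -> bytes:
    """Constructed sample ServerHello selecting one suite, null compression."""
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack("!H", suite_id) + b"\x00")
    return _record(SERVER_HELLO, body)


# Constructed samples: a client offering ECDSA and DHE-RSA suites, a server picking DHE-RSA.
SAMPLE_CLIENT_HELLO = build_client_hello([0xC02C, 0xC02B, 0x009F, 0x009E])
SAMPLE_SERVER_HELLO = build_server_hello(0x009E)

if __name__ == "__main__":
    print("client offers :", offered_ciphers(SAMPLE_CLIENT_HELLO))
    print("client ECDSA? :", offers_ecdsa(SAMPLE_CLIENT_HELLO))
    print("server chose  :", selected_cipher(SAMPLE_SERVER_HELLO))
```

If the client's list contains no ECDHE-ECDSA suite, no `cipher=` setting on the Squid port can make one be negotiated; if it does and the server still picks an RSA or DHE suite, the next thing to compare is the server-side cipher list and the key type of the certificate Squid presents, which is where the cache.log debugging Alex describes comes in.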


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users