
Re: squid-users Digest, Vol 109, Issue 19

Hi Team,

[Question]: Are you trying to bump TLS client connections when and only when the TLS client is offering to use one of those ciphers in its ClientHello message? Or do you want Squid to use one of those ciphers when bumping all TLS client connections? Or something else? Please clarify.
[Answer]: In our case the client is offering these two ciphers (ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256) in its ClientHello, but Squid is failing to complete the handshake with the client while performing SSL-Bump.
We have attached logs and a network capture.
[Question]: FWIW, to restrict Squid use of ciphers on accepted TLS client connections, use the http_port (or https_port) "cipher" option. For example,

     https_port 3129 ssl-bump ... \
         cipher=DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
[Answer]: We don't want to restrict Squid to using these specific ciphers only; we want Squid to use strong ciphers.
One more point I wanted to add here is that this issue is also reproduced with the latest Squid.
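When a bumped handshake fails right after the ClientHello, the first thing worth checking in the capture is which cipher suites the client actually offered and whether any of them can be negotiated with the key type in the certificate Squid presents: an ECDHE-ECDSA suite needs an EC key in the server certificate, and a client that offers only ECDSA suites to a server with an RSA certificate has no common suite at all. The script below is an added example for this thread, not Squid's code and not derived from the attached capture; it parses the cipher_suites vector out of a TLS ClientHello record and filters it against an assumed server key type. The ClientHello it feeds itself is constructed inline, and the suite table covers only the suites mentioned in this thread plus the TLS 1.3 defaults.

```python
"""List the cipher suites a TLS ClientHello offers and filter them by the
server key type they require.  Added example for this thread; not Squid's
code.  The sample ClientHello below is constructed from scratch."""
import struct

# IANA cipher-suite id -> (OpenSSL name, server authentication key type needed).
# TLS 1.3 suites do not depend on the certificate key type.
SUITES = {
    0xC02B: ("ECDHE-ECDSA-AES128-GCM-SHA256", "ECDSA"),
    0xC02C: ("ECDHE-ECDSA-AES256-GCM-SHA384", "ECDSA"),
    0xC02F: ("ECDHE-RSA-AES128-GCM-SHA256", "RSA"),
    0xC030: ("ECDHE-RSA-AES256-GCM-SHA384", "RSA"),
    0x009E: ("DHE-RSA-AES128-GCM-SHA256", "RSA"),
    0x009F: ("DHE-RSA-AES256-GCM-SHA384", "RSA"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "ANY"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "ANY"),
    0x1303: ("TLS_CHACHA20_POLY1305_SHA256", "ANY"),
}


def parse_client_hello_ciphers(record: bytes) -> list:
    """Return the cipher-suite ids offered in a TLS record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # 0x01 = ClientHello
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                      # legacy_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                                # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    cs_bytes = hello[pos:pos + cs_len]
    if len(cs_bytes) != cs_len or cs_len % 2:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len, 2)]


def usable_suites(offered, server_key_type):
    """Keep only the offered suites negotiable with a certificate of server_key_type.

    An empty result means the handshake cannot succeed regardless of any
    cipher= restriction on the listening port."""
    out = []
    for cid in offered:
        name, needs = SUITES.get(cid, (f"UNKNOWN-0x{cid:04X}", None))
        if needs == "ANY" or needs == server_key_type:
            out.append(name)
    return out


def build_client_hello(suite_ids):
    """Assemble a minimal TLS 1.2 ClientHello record (constructed test input)."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    hello = (b"\x03\x03" + bytes(32)                  # version + zero random
             + b"\x00"                                # empty session id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"                            # compression: null only
             + b"\x00\x00")                           # no extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed sample: a client that offers only the two ECDSA suites.
    offered = parse_client_hello_ciphers(build_client_hello([0xC02C, 0xC02B]))
    for key_type in ("ECDSA", "RSA"):
        print(key_type, "certificate ->", usable_suites(offered, key_type) or "no common suite")
```

Run against a real capture, the record bytes come from the first TLS record the client sends; the same filter applied with the key type of the certificate Squid serves on the bumped port tells you immediately whether the failure is a cipher/key mismatch or something later in the handshake.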

On Mon, Sep 25, 2023 at 5:30 PM <squid-users-request@xxxxxxxxxxxxxxxxxxxxx> wrote:
Send squid-users mailing list submissions to
        squid-users@xxxxxxxxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
        squid-users-request@xxxxxxxxxxxxxxxxxxxxx

You can reach the person managing the list at
        squid-users-owner@xxxxxxxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."


Today's Topics:

   1. Re: A few things about Squid-cache (Jason Long)
   2. Re: A few things about Squid-cache (Amos Jeffries)
   3. Re: Seeking Help with SSL Bump Configuration for ECDSA
      Ciphers in Squid (nikhil deshpande)


----------------------------------------------------------------------

Message: 1
Date: Sun, 24 Sep 2023 18:49:06 +0000 (UTC)
From: Jason Long <hack3rcon@xxxxxxxxx>
To: gkinkie@xxxxxxxxx
Cc: Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: A few things about Squid-cache
Message-ID: <575071616.3138479.1695581346718@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Hello,
Thank you so much for your reply.
1- Regarding security, what parameters should be changed or added in the configuration file?

2- How to configure Squid-cache service for 1000 clients?



On Sat, Sep 23, 2023 at 12:26 AM, Francesco Chemolli <gkinkie@xxxxxxxxx> wrote:
Hi Jason!
Squid is a complex piece of software, which is deployed in a vast number of scenarios; some are simpler and some are intensely adversarial and trickier. Securing Squid is similar to securing any other public-facing complex service; it's unfortunately not something that can be explained with a few tips.
Regarding how many users Squid can support at the same time, it really depends, mostly on the hardware, service configuration, and user behaviour. On modern hardware, Squid can generally support many users, in the order of several thousands.
Squid is not a firewall; on most modern Unix-like operating systems, including Linux, FreeBSD, and OpenBSD, that role can be fulfilled by the underlying operating system.
On Thu, Sep 21, 2023 at 7:59 PM Jason Long <hack3rcon@xxxxxxxxx> wrote:

Hello,
I have some questions:
1- What tips should be considered to keep Squid-cache safe?

2- How strong is Squid-cache? How many users can use it at the same time?
3- Can Squid-cache also play the role of a firewall? Something like the Microsoft ForeFront TMG Replacement or the Kemp LoadMaster.

Thank you.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users



--
    Francesco

------------------------------

Message: 2
Date: Mon, 25 Sep 2023 17:51:45 +1300
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: A few things about Squid-cache
Message-ID: <8ffe5581-d731-4f43-be7f-72c00e5a7a9e@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 25/09/23 07:49, Jason Long wrote:
> Hello,
> Thank you so much for your reply.
> 1- Regarding security, what parameters should be changed or added in the
> configuration file?
>

First steps with a new Squid install are to check in squid.conf for the
"acl localnet" lines and adjust so it lists your LAN ranges. The common
ones are listed there by default.

Then look for the "http_access" directive. That is the primary means of
telling Squid what the network policy needs are.


> 2- How to configure Squid-cache service for 1000 clients?
>

Apart from the above (1) answer, Squid does not care about the number of
clients; it will serve as many as your machine can handle, until the
hardware overloads the CPU, RAM or disk capacity limits.


For good advice we will need details...

  Forward or Reverse proxy installation?
  LAN or WAN clients?

  What policies do you need to comply with regarding client use of the
proxy, or access to any special websites?


Cheers
Amos


------------------------------

Message: 3
Date: Mon, 25 Sep 2023 15:01:05 +0530
From: nikhil deshpande <nikhildeshpande18@xxxxxxxxx>
To: Shyam varun <shyam3898@xxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx, jrose@xxxxxxxxxx
Subject: Re: Seeking Help with SSL Bump Configuration
        for ECDSA Ciphers in Squid
Message-ID:
        <CALO-o=xTe18tuGww-gsr-vAVKMJqRai1ZvNR-hRqaToWXp1NGQ@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Hi team,

Any update on this?

Regards,
Nikhil

On Thu, Sep 14, 2023 at 6:05 PM Shyam varun <shyam3898@xxxxxxxxx> wrote:

> Dear Squid Mailing List Community,
>
> I hope this email finds you well. I am currently working on configuring
> SSL bump in Squid proxy server to support ECDSA ciphers, and I am seeking
> assistance with a particular issue I've encountered.
>
> To provide some context:
>
> - *Squid Version:* Squid 5.2
> - *OpenSSL Version*: OpenSSL 1.1.1l
> - *OS:* Alpine Linux v3.16
> -
> *Squid Configuration: *
>
> * sslproxy_cert_error allow all*
>
> * sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db
> -M 4MB*
>
>
> * http_port 3129 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/opt/ssl/intermediate_certificate.pem
> key=/opt/ssl/intermediate_key.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE
> tls-dh=/opt/dhparam.pem*
>
>
> * tls_outgoing_options min-version=1.1  options=NO_SSLv3*
>
>
> * acl step1 at_step SslBump1*
>
> * ssl_bump peek step1*
>
> * ssl_bump bump all*
>
>
> The goal of my configuration is to enable SSL bump for ECDSA ciphers,
> specifically the "ECDHE-ECDSA-AES256-GCM-SHA384" and
> "ECDHE-ECDSA-AES128-GCM-SHA256" cipher suites. However, I've run into
> challenges and issues while trying to achieve this.
>
> *Things I tried:*
>
>    1. I created an ECDSA-based certificate chain using OpenSSL.
>    2. I configured the ECDSA-based certificate certs in squid as shown in
>    above snippet but still not able to make it work.
>
>
> I've thoroughly reviewed the Squid documentation and online resources, but
> I haven't been able to resolve these issues on my own.
>
> I would greatly appreciate any guidance, insights, or assistance from the
> Squid community regarding the proper configuration for SSL bump with ECDSA
> ciphers. If you have successfully configured Squid to support ECDSA ciphers
> or if you have expertise in this area, your input would be invaluable.
>
> Thank you in advance for your time and support. I look forward to your
> responses and insights.
>

------------------------------

------------------------------

End of squid-users Digest, Vol 109, Issue 19
********************************************

<<attachment: squid-pcap-and-cache-log.zip>>
