Bug #6592

closed

squid does NOT use EDH and EECDH cipher suites because "tls-dh" is not configured and so these ciphers are silently dropped - see squid documentation

Added by Alexander Wilke almost 8 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Normal
Category: -
Target version:
Start date: 07/09/2016
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version: All
Affected Plus Version:
Affected Architecture: All

Description

The Squid documentation for the "http_port" directive is here:
http://www.squid-cache.org/Doc/config/http_port/

EDH and EECDH ciphers are silently disabled because no tls-dh parameter file is configured and enabled. The documentation describes this:

#####
tls-dh=[curve:]file
File containing DH parameters for temporary/ephemeral DH key
exchanges, optionally prefixed by a curve for ephemeral ECDH
key exchanges.
See OpenSSL documentation for details on how to create the
DH parameter file. Supported curves for ECDH can be listed
using the "openssl ecparam -list_curves" command.
WARNING: EDH and EECDH ciphers will be silently disabled if
this option is not set.
#####

Further, "SINGLE_DH_USE" is configured, which is good, but "SINGLE_ECDH_USE" is not:

#####
SINGLE_ECDH_USE
Enable ephemeral ECDH key exchange.
The adopted curve should be specified
using the tls-dh option.
#####

So the first part of this ticket looks like a bug: EECDH ciphers are configured, but they will never be used because the "tls-dh=[curve:]file" option is missing.
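The following is an added configuration check, not part of this ticket or of pfSense/Squid: it scans http_port/https_port lines in a squid.conf fragment and reports TLS listeners that lack tls-dh (so any EDH/EECDH suites in cipher= are silently dropped, as the quoted documentation warns) and listeners that set SINGLE_ECDH_USE without a curve prefix on tls-dh. The sample configuration and file paths are constructed placeholders, and the splitting of options= on commas or colons is an assumption about Squid's parser.

```python
import re

# Tokens in an OpenSSL cipher string that select ephemeral (EC)DH suites.
# A broad set such as HIGH may contain them too, so every TLS listener without
# tls-dh is reported; the message just differs when the suites are explicit.
EPHEMERAL_TOKENS = re.compile(r"\b(k?EECDH|k?EDH|ECDHE|DHE)\b")

# Constructed squid.conf fragment for the demo; paths are placeholders.
SAMPLE_CONF = """\
http_port 8080
http_port 3128 ssl-bump cert=/etc/squid/cert.pem cipher=EECDH+AESGCM:EDH+AESGCM:HIGH options=SINGLE_DH_USE
https_port 3129 cert=/etc/squid/cert.pem tls-dh=prime256v1:/etc/squid/dhparams.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE
https_port 3130 cert=/etc/squid/cert.pem tls-dh=/etc/squid/dhparams.pem options=SINGLE_ECDH_USE
"""

def port_directives(conf_text):
    """Yield (lineno, directive, options) for every http_port/https_port line."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()        # drop trailing comments
        if len(parts) < 2 or parts[0] not in ("http_port", "https_port"):
            continue
        opts = {}
        for tok in parts[2:]:                       # parts[1] is the listen port
            key, _, val = tok.partition("=")
            opts[key] = val                         # flag-style tokens map to ""
        yield lineno, parts[0], opts

def check_tls_dh(conf_text):
    """Return (lineno, directive, problem) tuples for misconfigured listeners."""
    findings = []
    for lineno, directive, opts in port_directives(conf_text):
        tls = directive == "https_port" or "ssl-bump" in opts \
            or "cert" in opts or "tls-cert" in opts
        if not tls:
            continue
        # Assumption: options= flags are separated by ',' or ':'.
        flags = re.split(r"[,:]", opts.get("options", ""))
        dh = opts.get("tls-dh")
        if dh is None:
            if EPHEMERAL_TOKENS.search(opts.get("cipher", "")):
                why = "tls-dh missing: EDH/EECDH suites in cipher= are silently disabled"
            else:
                why = "tls-dh missing: no ephemeral (EC)DH key exchange is possible"
            findings.append((lineno, directive, why))
            continue
        if "SINGLE_ECDH_USE" in flags and ":" not in dh:
            findings.append((lineno, directive,
                             "SINGLE_ECDH_USE set but tls-dh has no curve: prefix"))
    return findings

if __name__ == "__main__":
    for lineno, directive, why in check_tls_dh(SAMPLE_CONF):
        print(f"line {lineno} ({directive}): {why}")
```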
