Bug #6592
closed
squid does NOT use EDH and EECDH cipher suites because "tls-dh" is not configured and so these ciphers are silently dropped - see squid documentation
100%
Description
Here it is documented how "http_port" can be configured:
http://www.squid-cache.org/Doc/config/http_port/
EDH and EECDH ciphers are silently disabled because there is no tls-dh parameter file configured and enabled. This chapter describes this:
#####
tls-dh=[curve:]file
File containing DH parameters for temporary/ephemeral DH key
exchanges, optionally prefixed by a curve for ephemeral ECDH
key exchanges.
See OpenSSL documentation for details on how to create the
DH parameter file. Supported curves for ECDH can be listed
using the "openssl ecparam -list_curves" command.
WARNING: EDH and EECDH ciphers will be silently disabled if
this option is not set.
#####
Further there is "SINGLE_DH_USE" configured which is good but it is not configured for "SINGLE_ECDH_USE"
#####
SINGLE_ECDH_USE
Enable ephemeral ECDH key exchange.
The adopted curve should be specified
using the tls-dh option.
#####
So the first part of this ticket looks like a bug because EECDH ciphers are configured but they will never be used because of the missing "tls-dh=[curve:]file".
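A small audit for the two conditions described in the report, as an added example that is not part of the ticket or of the pfSense package: it flags `http_port`/`https_port` lines whose `cipher=` requests ephemeral DH or ECDH suites without `tls-dh=`, and lines that set `SINGLE_DH_USE` without `SINGLE_ECDH_USE`. The sample configuration, its paths and the function names are constructed for illustration, and the keyword sets are an assumption about which cipher-string tokens select ephemeral key exchange.

```python
import re

# Cipher-string keywords that select ephemeral ECDH / DH key exchange (assumed set).
EC_KEYS = {"EECDH", "ECDHE", "kEECDH", "kECDHE"}
DH_KEYS = {"EDH", "DHE", "kEDH", "kDHE"}

# Constructed sample, not taken from the ticket; paths are placeholders.
SAMPLE = """\
# line 2 reproduces the reported state, line 3 is the corrected form
http_port 3128 ssl-bump cert=/path/ca.pem cipher=EECDH+AESGCM:EDH+AESGCM:!aNULL options=NO_SSLv3,SINGLE_DH_USE
http_port 3129 ssl-bump cert=/path/ca.pem cipher=EECDH+AESGCM:!EDH tls-dh=prime256v1:/path/dhparams.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE
"""

def ephemeral_kinds(cipher_string):
    """Return which of {'ECDH', 'DH'} an OpenSSL cipher string asks for."""
    kinds = set()
    for token in re.split(r"[:, ]+", cipher_string):
        if not token or token[0] in "!-":   # exclusions and removals request nothing
            continue
        parts = set(token.split("+"))
        if parts & EC_KEYS or token.startswith("ECDHE-"):
            kinds.add("ECDH")
        if parts & DH_KEYS or token.startswith("DHE-"):
            kinds.add("DH")
    return kinds

def audit_ports(conf_text):
    """Return (line_no, message) pairs for port lines matching the report."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] not in ("http_port", "https_port"):
            continue
        opts = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        kinds = ephemeral_kinds(opts.get("cipher", ""))
        flags = set(re.split(r"[,:]", opts.get("options", "")))
        if kinds and "tls-dh" not in opts:
            wanted = "/".join(sorted(kinds))
            findings.append((no, "cipher= requests %s but tls-dh= is missing" % wanted))
        if "SINGLE_DH_USE" in flags and "SINGLE_ECDH_USE" not in flags:
            findings.append((no, "options= has SINGLE_DH_USE without SINGLE_ECDH_USE"))
    return findings

if __name__ == "__main__":
    for no, msg in audit_ports(SAMPLE):
        print("line %d: %s" % (no, msg))
```

The check reads only the option names quoted in the report, so a port line that supplies DH parameters through any other option would still be flagged.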
Updated by Kill Bill over 8 years ago
Already covered by https://github.com/pfsense/FreeBSD-ports/pull/110 when someone gets to it.
Updated by Alexander Wilke over 8 years ago
Seems to focus on reverse proxy only.
Updated by Kill Bill almost 8 years ago
Updated by Renato Botelho almost 8 years ago
- Status changed from New to Feedback
- Assignee set to Renato Botelho
- Target version set to 2.4.0
- % Done changed from 0 to 100
PR has been merged, thanks!
Updated by Jim Pingle almost 8 years ago
- Status changed from Feedback to Resolved