Bug #6592

closed

squid does NOT use EDH and EECDH cipher suites because "tls-dh" is not configured and so these ciphers are silently dropped - see squid documentation

Added by Alexander Wilke over 8 years ago. Updated almost 8 years ago.

Status: Resolved
Priority: Normal
Category: -
Target version:
Start date: 07/09/2016
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version: All
Affected Plus Version:
Affected Architecture: All

Description

Here it is documented how "http_port" can be configured:
http://www.squid-cache.org/Doc/config/http_port/

EDH and EECDH ciphers are silently disabled because there is no tls-dh parameter file configured and enabled. This chapter describes this:

#####
tls-dh=[curve:]file
File containing DH parameters for temporary/ephemeral DH key
exchanges, optionally prefixed by a curve for ephemeral ECDH
key exchanges.
See OpenSSL documentation for details on how to create the
DH parameter file. Supported curves for ECDH can be listed
using the "openssl ecparam -list_curves" command.
WARNING: EDH and EECDH ciphers will be silently disabled if
this option is not set.
#####

Further there is "SINGLE_DH_USE" configured which is good but it is not configured for "SINGLE_ECDH_USE"

#####
SINGLE_ECDH_USE
Enable ephemeral ECDH key exchange.
The adopted curve should be specified
using the tls-dh option.
#####

So the first part of this ticket looks like a bug because EECDH ciphers are configured but they will never be used because of the missing "tls-dh=[curve:]file".
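A check for the condition this ticket describes, added here as an example (it is not code from the pfSense squid package or from Squid): it scans http_port/https_port lines for EDH/EECDH cipher requests that lack tls-dh, a curve prefix, or SINGLE_ECDH_USE, following the documentation quoted above. The function name and the sample ports, paths and cipher strings are assumptions made for the illustration.

```python
import re

ECDH = re.compile(r"EECDH|ECDHE")
DH = re.compile(r"(?<!C)(?:EDH|DHE)")  # skip the "DHE" inside "ECDHE"

def audit_ports(conf_text):
    """Return (line_no, message) findings for http_port/https_port lines."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0] not in ("http_port", "https_port"):
            continue
        opts = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        # Cipher tokens prefixed with "!" or "-" are exclusions, not requests.
        wanted = [t.upper() for t in opts.get("cipher", "").split(":")
                  if t and t[0] not in "!-"]
        want_ecdh = any(ECDH.search(t) for t in wanted)
        want_dh = any(DH.search(t) for t in wanted)
        if not (want_ecdh or want_dh):
            continue
        tls_dh = opts.get("tls-dh")
        if tls_dh is None:
            # Per the quoted WARNING: EDH and EECDH are silently disabled.
            findings.append((no, "ephemeral ciphers listed but tls-dh is not set"))
            continue
        if want_ecdh:
            if ":" not in tls_dh:  # value format is [curve:]file
                findings.append((no, "EECDH listed but tls-dh has no curve prefix"))
            flags = re.split(r"[,:]", opts.get("options", ""))
            if "SINGLE_ECDH_USE" not in flags:
                findings.append((no, "EECDH listed but SINGLE_ECDH_USE not in options"))
    return findings

# Constructed sample configuration; ports, paths and cipher strings are made up.
SAMPLE = """\
# constructed squid.conf excerpt
https_port 3129 cert=/etc/squid/srv.pem cipher=EECDH+AESGCM:EDH+AESGCM:!aNULL options=SINGLE_DH_USE
https_port 3130 cert=/etc/squid/srv.pem cipher=EECDH+AESGCM:EDH+AESGCM tls-dh=/etc/squid/dh.pem options=SINGLE_DH_USE
https_port 3131 cert=/etc/squid/srv.pem cipher=EECDH+AESGCM:EDH+AESGCM tls-dh=prime256v1:/etc/squid/dh.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE
https_port 3132 cert=/etc/squid/srv.pem cipher=AES128-SHA:!EDH
"""

if __name__ == "__main__":
    for no, msg in audit_ports(SAMPLE):
        print(f"line {no}: {msg}")
```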

Actions #1

Updated by Kill Bill over 8 years ago

Already covered by https://github.com/pfsense/FreeBSD-ports/pull/110 when someone gets to it.

Actions #2

Updated by Alexander Wilke over 8 years ago

Seems to focus on reverse proxy only.

Actions #4

Updated by Renato Botelho almost 8 years ago

  • Status changed from New to Feedback
  • Assignee set to Renato Botelho
  • Target version set to 2.4.0
  • % Done changed from 0 to 100

PR has been merged, thanks!

Actions #5

Updated by Jim Pingle almost 8 years ago

  • Status changed from Feedback to Resolved