On 10/06/18 03:46, Julian Perconti wrote: >>> https_port 3130 intercept ssl-bump \ >>> cert=/etc/squid/ssl_cert/squidCA.pem \ >>> key=/etc/squid/ssl_cert/squidCA.pem \ >>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB >>> tls-dh=/etc/squid/ssl_cert/dhparam.pem >> >> These DH parameters are for old DH not for ECDHE (missing curve name). >> So this may be restricting what your Squid can do to match up the client and >> server crypto requirements. > > Hi Amos, > > I have commented the line: "tls-dh=/etc/squid/ssl_cert/dhparam.pem" > > And, it seems that many errors (SSL errors) in cache.log have disappeared. > I will confirm later if WhatsApp works from iOS/Android. > > Thank You! > > PS: I used this option (tls-dh, dhparam, etc..) following the official > documentation of squid-cache.org for the "hardening" ... or "improve > security", etc.
Interesting. The main issue was that you configured only params for the Diffi-Helman (DH and DHE) ciphers - no curve name. That meant your specified EEC* ciphers were disabled since they require a curve name as well. Removing this option completely disables both DH and ECDH cipher types. Leaving your proxy with only the RSA based ciphers. Amos _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
