Error: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)


Error: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Eliezer Croitoru-3

I have tested 4.12 and with default settings I am getting an error on some local common web pages.

(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

In my search for users who had a similar issue I found this post:

https://qiita.com/bashaway/items/12924c8c62b5b48eaef1

I have tried to understand the solution but I am unable to understand it right now.

My next step was to read:

https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

But yet I am still confused about the subject.

Can anyone simplify this specific issue for me?

Thanks,

Eliezer


----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Error: (71) Protocol error (TLS code:SQUID_ERR_SSL_HANDSHAKE)

Loučanský Lukáš
Sorry - but how is your solution different from:
1) openssl dhparam -outform PEM -out dhparam.pem 2048
2) https_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/usr/local/squid/etc/dhparam.pem

Or tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem

?

LL

> I have tested 4.12 and with default settings I am getting an error on some local common web pages.
>
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small


Re: Error: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Amos Jeffries
Administrator
In reply to this post by Eliezer Croitoru-3
On 22/06/20 5:14 pm, Eliezer Croitoru wrote:
> I have tested 4.12 and with default settings I am getting an error on
> some local common web pages.
>
>
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: error:141A318A:SSL
> routines:tls_process_ske_dhe:dh key too small
...
>
> But yet I am still confused about the subject.
>
> Can anyone simplify this specific issue for me?
>

Just like any other key-pair encryption DHE depends on a secret. Over
time short secrets become easy for attackers to discover.

You may be more familiar with the RSA 1024->2048->4096 migrations. The
same thing is going on here but for the DHE key bit-size.


IIRC, minimum these days for DHE is 1024-bit with 2048-bit secrets being
preferred. Anything under 2048 the clients may warn, under 1024 they are
expected to reject with the above error.

For public domains you should be able to use the Qualys SSL Labs tests
to check a problematic site and see some explanation of the details.

Amos
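As an added example (not from this thread or from the Squid project): a small Python checker for the dhparam.pem file that Lukáš's tls-dh= option points at, reporting the group's bit size and a verdict using the thresholds Amos gives above. It assumes the PKCS#3 "DH PARAMETERS" PEM form that openssl dhparam writes; the sample moduli are constructed odd numbers, not real safe primes, and serve only to exercise the parser.

```python
import base64
import re

# Thresholds as Amos states them (policy constants here, not read from OpenSSL):
# under 1024 bits clients reject the DHE handshake, under 2048 they may warn.
REJECT_BELOW_BITS = 1024
WARN_BELOW_BITS = 2048

def _der_len_encode(n):  # short form below 128, else 2-byte long form (ample for 2048-bit groups)
    return bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])

def _der_len_decode(buf, i):  # returns (length, offset of the first content byte)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_int(n):  # ceil(bits/8) bytes, plus a leading 0x00 when the top bit would be set
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len_encode(len(body)) + body

def dh_params_pem(p, g=2):
    """Encode PKCS#3 DH parameters, SEQUENCE { INTEGER p, INTEGER g }, as PEM."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len_encode(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

def parse_dh_params(pem):
    """Return (p, g) from the first DH PARAMETERS block in a PEM string."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if m is None:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    _, i = _der_len_decode(der, 1)
    ints = []
    for _ in range(2):
        if der[i] != 0x02:
            raise ValueError("expected a DER INTEGER")
        length, start = _der_len_decode(der, i + 1)
        ints.append(int.from_bytes(der[start:start + length], "big", signed=True))
        i = start + length
    return ints[0], ints[1]

def dh_strength(pem):  # (bit length of p, verdict against the thresholds above)
    bits = parse_dh_params(pem)[0].bit_length()
    verdict = "reject" if bits < REJECT_BELOW_BITS else "warn" if bits < WARN_BELOW_BITS else "ok"
    return bits, verdict
```

Run dh_strength on the contents of a real dhparam.pem before pointing tls-dh= at it; a "reject" or "warn" verdict means the file should be regenerated with 2048 bits as in Lukáš's first step.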