tls_outgoing_options, cipher list not parseable

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

tls_outgoing_options, cipher list not parseable

L A Walsh
I seem to have a problem specifying the cipher list in the tls_outgoing
options.
The line I have:
tls_outgoing_options
options=NOSSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE,cipher=EECDH+ECDSA+AESGCM:\
EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:\
EECDH+aRSA+SHA256:EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

Of note, I split the line here in email with '\', but in the config
file, it is one long line (w/o the '\').

The error I get from squid 4.0.25 is: (using check)

# /usr/sbin/squid -k check
2018/10/11 16:14:31| FATAL: Unknown TLS option
'=EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:\
EECDH-aRSA-SHA384:EECDH-aRSA-SHA256:EECDH-aRSA-RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:\
!MD5:!EXP:!PSK:!SRP:!DSS'

(w/o the splits).

I can't tell what it is objecting to.

To give it a rootcert, can I re-use the same rootcert
I had in 3.x?


Below is my config w/o comment lines.  This is a private proxy.


acl msdata dstdomain \.data\.microsoft\.com
acl localnet  src 127.0.0.0/8
acl localnet  src 192.168.3.0/24
acl sc_subnet src 192.168.3.0/24
acl robot_txt url_regex -i ^http.*/robots.txt$
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 81        # http
acl Safe_ports port 82        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1024-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl Allowed_Connect port 1024-65535    #allowed non-SSL Connects to
non-reserved ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny msdata
http_access allow CONNECT Safe_Ports
http_access allow localhost manager
http_access allow localnet manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port ishtar.sc.tlinx.org:8118 ignore-cc ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=64MB
http_port ishtar.sc.tlinx.org:8080 ignore-cc
http_port 127.0.0.1:8118 ignore-cc
http_port 127.0.0.1:8080 ignore-cc
http_port wpad.sc.tlinx.org:80
acl WPAD urlpath_regex ^/wpad.dat$
deny_info 200:wpad.dat WPAD
http_access deny WPAD
reply_header_access Content-Type deny WPAD
reply_header_replace Content-Type application/x-ns-proxy-autoconfig
acl internal_net src 192.168.3.0/24
clientside_tos 0x54
tls_outgoing_options
options=NOSSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE,cipher=EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:EECDH-aRSA-SHA384:EECDH-aRSA-SHA256:EECDH-aRSA-RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_session_ttl 900
sslproxy_session_cache_size 16 MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s
/var/cache/squid/lib/ssl_db -M 128MB
maximum_object_size 2 GB
cache_dir aufs /var/cache/squid 98304 64 64
workers 1
log_mime_hdrs on
strip_query_terms off
buffered_logs on
cache_log /var/log/squid/cache.log squid
debug_options ALL,1,11,2 rotate=10
coredump_dir /var/cache/squid rotate=10
url_rewrite_host_header off
url_rewrite_access deny all
max_stale 60 days
refresh_pattern -i /robots.txt$  600 90% 3600 ignore-reload
ignore-no-store ignore-must-revalidate ignore-private ignore-auth
override-lastmod store-stale
refresh_pattern -i download 10 50% 100800 override-expire ignore-private
ignore-must-revalidate
refresh_pattern -i \.flv 10080 90% 10080 override-expire ignore-private
refresh_pattern -i \.pdf 3600 90% 10080 ignore-no-store ignore-private
override-expire
refresh_pattern -i \.(ico|gif|jpg|png)   600 20%   4320    
ignore-private override-expire
refresh_pattern ^http(s)?://bakabt.me   1200 30%   14320    
ignore-private override-expire ignore-no-store ignore-no-cache
ignore-must-revalidate
refresh_pattern ^http(s)?://*.bakashots.me   1200 30%   14320    
ignore-private override-expire ignore-no-store ignore-no-cache
ignore-must-revalidate
refresh_pattern -i \.html   0 20%   4320    ignore-private  ignore-no-store
refresh_pattern -i (/cgi-bin/|\?) 0    10%    1    ignore-private
refresh_pattern ^(http|https):   0 20%   4320    ignore-private
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern .        0    20%    4320
quick_abort_min 16 MB
quick_abort_max 24 MB
quick_abort_pct 75
read_ahead_gap 768 MB
negative_ttl 2 seconds
range_offset_limit 1 MB
store_avg_object_size 256 KB
store_objects_per_bucket 32
request_header_max_size 1 MB
client_request_buffer_max_size 2 MB
vary_ignore_expire on
request_header_access Strict-Transport-Security deny all
request_header_replace Strict-Transport-Security max-age=0;
includeSubDomains
reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
collapsed_forwarding on
forward_timeout 10 seconds
request_timeout 45 seconds
request_timeout 45 seconds
ident_timeout 1 seconds
shutdown_lifetime 8 seconds
visible_hostname    web-proxy
hostname_aliases ishtar ishtar.sc.tlinx.org web-proxy ns1.sc.tlinx.org  
webproxy
umask 002
always_direct allow all
dns_packet_max 1400 bytes
dns_defnames on
dns_v4_first on
memory_pools_limit 2 GB
forwarded_for transparent
reload_into_ims on
connect_retries 2
retry_on_error on
pipeline_prefetch 8
high_response_time_warning 15000
high_page_fault_warning 512



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: tls_outgoing_options, cipher list not parseable

Amos Jeffries
Administrator
On 12/10/18 12:34 PM, L A Walsh wrote:
> I seem to have a problem specifying the cipher list in the tls_outgoing
> options.
> The line I have:
> tls_outgoing_options
> options=NOSSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE,cipher=EECDH+ECDSA+AESGCM:\

 Comma  .....................................^^^^^

> EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:\
> EECDH+aRSA+SHA256:EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
>
> Of note, I split the line here in email with '\', but in the config
> file, it is one long line (w/o the '\').

Squid understands line wrapping in the form of  '\' terminators and
whitespace prefix on the next line. So you can make the config easier to
read and fix bugs like above by using the wrapping.

tls_outgoing_options options=... \
  cipher=...


>
> The error I get from squid 4.0.25 is: (using check)
>
> # /usr/sbin/squid -k check
> 2018/10/11 16:14:31| FATAL: Unknown TLS option
> '=EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:\
>
> EECDH-aRSA-SHA384:EECDH-aRSA-SHA256:EECDH-aRSA-RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:\
>
> !MD5:!EXP:!PSK:!SRP:!DSS'
>
> (w/o the splits).
>
> I can't tell what it is objecting to.

There is no such "options=" setting as ",cipher=EECDH+..."


>
> To give it a rootcert, can I re-use the same rootcert
> I had in 3.x?
>

Yes.



Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users