Thanks a lot for the swift reply, Amos! Much appreciated.

Best regards,
Johannes

2015-09-21 19:36 GMT+02:00 Amos Jeffries <squ...@treenet.co.nz>:

> On 22/09/2015 2:09 a.m., Johannes Engel wrote:
> > Dear all,
> >
> > I would like to run squid 3.5.8 as a reverse proxy for our webserver. I
> > already have a certificate which is currently in use by the Apache
> > Webserver 2.4 itself. It is based upon an EC (elliptic curve) private key
> > of length 384.
> > Until now I have not managed to fire up squid by specifying https_port
> > with private key and certificate. It will run, but all connection attempts
> > (e.g. using openssl s_client or gnutls-cli) will break down with the
> > following server-side error:
> >
> > Error negotiating SSL connection on FD 14: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
> >
> > The https_port line looks like this:
> > https_port 443 accel cert=/etc/squid/test.pem key=/etc/squid/test.key cafile=/etc/squid/globalsign.pem dhparams=/etc/squid/dhparams.pem defaultsite=my.web.site
> >
> > Does Squid simply not support elliptic curves for primary keys? OpenSSL
> > 1.0.1k is installed which works fine with the Apache...
>
> Squid-3.x do not support Curves. Only the older DH ciphers.
>
> For ECDH support you need to use Squid-4.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users