Does anyone know how to activate the TLS1.3 ciphers? Per lists.squid-cache.org <http://lists.squid-cache.org/>
Ref: https://lists.squid-cache.org/pipermail/squid-users/2018-February/017640.html https://openssl.org/blog/blog/2017/05/04/tlsv1.3/ And CVE-2016-0701 "Yes. Due to CVE-2016-0701 the SSL_OP_SINGLE_DH_USE option was deprecated” It is depreciated and the new pfSense package still shows it as a default option, however how does one append ppending > "TLS13-AES-256-GCM-SHA384" to the ciphers. > > But the log shows the use of "ECDHE-ECDSA-AES256-GCM-SHA384” > On Jul 5, 2024, at 09:11, Jonathan Lee <jonathanlee...@gmail.com> wrote: > > Wireshark shows Cipher Suite: TLS_AES_128_GCM_SHA256 is being used > How would I append the TLS13-AES-256-CGM-SHA384 cipher suite for use with > TLSv1.3 as it states change cipher spec on wireshark > >> On Jul 5, 2024, at 08:46, Jonathan Lee <jonathanlee...@gmail.com> wrote: >> >> More details for Unsupported TLS option >> >> When running squid -k parse >> >> 2024/07/05 08:40:43| Processing: http_port 192.168.1.1:3128 ssl-bump >> generate-host-certificates=on dynamic_cert_mem_cache_size=20MB >> cert=/usr/local/etc/squid/serverkey.pem >> cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ >> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS >> tls-dh=prime256v1:/etc/dh-parameters.2048 >> options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE >> 2024/07/05 08:40:43| UPGRADE WARNING: >> 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. >> Use 'tls-cafile=' instead. >> 2024/07/05 08:40:47| ERROR: Unsupported TLS option SINGLE_DH_USE >> 2024/07/05 08:40:47| ERROR: Unsupported TLS option SINGLE_ECDH_USE >> 2024/07/05 08:40:47| Processing: http_port 127.0.0.1:3128 intercept ssl-bump >> generate-host-certificates=on dynamic_cert_mem_cache_size=20MB >> cert=/usr/local/etc/squid/serverkey.pem >> cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ >> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS >> tls-dh=prime256v1:/etc/dh-parameters.2048 >> options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE >> 2024/07/05 08:40:47| Starting Authentication on port 127.0.0.1:3128 >> 2024/07/05 08:40:47| Disabling Authentication on port 127.0.0.1:3128 >> (interception enabled) >> 2024/07/05 08:40:47| UPGRADE WARNING: >> 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. >> Use 'tls-cafile=' instead. >> 2024/07/05 08:40:51| ERROR: Unsupported TLS option SINGLE_DH_USE >> 2024/07/05 08:40:51| ERROR: Unsupported TLS option SINGLE_ECDH_USE >> 2024/07/05 08:40:51| Processing: https_port 127.0.0.1:3129 intercept >> ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB >> cert=/usr/local/etc/squid/serverkey.pem >> cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ >> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS >> tls-dh=prime256v1:/etc/dh-parameters.2048 >> options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE >> 2024/07/05 08:40:51| Starting Authentication on port 127.0.0.1:3129 >> 2024/07/05 08:40:51| Disabling Authentication on port 127.0.0.1:3129 >> (interception enabled) >> 2024/07/05 08:40:51| UPGRADE WARNING: >> 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in https_port. >> Use 'tls-cafile=' instead. >> 2024/07/05 08:40:55| ERROR: Unsupported TLS option SINGLE_DH_USE >> 2024/07/05 08:40:55| ERROR: Unsupported TLS option SINGLE_ECDH_USE >> elliptic curve options are set below and I have inspected the file it is >> present. >> >> tls-dh=prime256v1:/etc/dh-parameters.2048 >> >>> On Jul 5, 2024, at 08:35, Jonathan Lee <jonathanlee...@gmail.com> wrote: >>> >>> tls_outgoing_options >>> cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS >>> tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE >>> Different thread for ciphers issues >>> >>> ERROR: Unsupported TLS option SINGLE_ECDH_USE >>> >>> I found researching in lists-squid-cache.org >>> <http://lists-squid-cache.org/> that someone solved this error with >>> appending TLS13-AES-256-CGM-SHA384 to the ciphers. >>> >>> I am thinking this is my issue also. >>> >>> I see that error over and over when I run "squid -k parse” >>> >>> Do I append this to the options cipher list? >>> >>> Does anyone know how to fix the 2 diffie-hellman key exchange algorithm >>> errors? >>> >>> >>> >>> Jonathan Lee >> >
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
