[LINUX] [https proxy with squid] Resolution of error caused by dh key too small
Introduction
I am operating an https proxy that intercepts ssl, and I have solved the problem, so I will record it. The environment to use is the following that was built last time. ** Easily create Proxy with Active Directory linkage and SSL interception with squid with docker **
What happened
An error occurs when trying to connect to the following site. https://blog.goo.ne.jp/
The content of the error is (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE) Handshake with SSL server failed: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small It was that.
Research of cause
The error tls_process_ske_dhe: dh key too small.
It seems to be repelled because the server certificate is shorter than the DH key length required by squid.
CentOS8 has a mechanism called crypto-policies, which seems to manage the encryption policy centrally throughout the system.
The policy is managed by presets, and becomes stricter in the order of LEGACY / DEFAULT / FIPS / FUTURE.
You can check the current settings with the command ʻupdate-crypto-policies --show`.
# update-crypto-policies --show
DEFAULT
Referenced ** RHEL8 site * In *, the DH key length of DEFAULT is at least 2048 bits. If this is set to LEGACY, a short DH key length will be acceptable.
However, lowering the level of the entire system is a bit tricky.
Solution
The tls_outgoing_options directive in squid.conf specified the encryption set, so let's try it.
squid.conf
tls_outgoing_options cipher=DEFAULT:@SECLEVEL=1
This is OK
Source
I was allowed to reference. http://www.squid-cache.org/Doc/config/tls_outgoing_options/ https://yoku0825.blogspot.com/2019/12/centos-80url-error141a318assl.html https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening https://stackoverflow.com/questions/53058362/openssl-v1-1-1-ssl-choose-client-version-unsupported-protocol