[LINUX] [https proxy with squid] Resolution of error caused by dh key too small

Introduction

I run an HTTPS proxy that intercepts SSL, and I have solved this problem, so I am recording it here. The environment is the one built in the previous post, "Easily create Proxy with Active Directory linkage and SSL interception with squid with docker".

What happened

An error occurred when trying to connect to the following site: https://blog.goo.ne.jp/


The error shown was:

(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE) Handshake with SSL server failed: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

Research of cause

The error is tls_process_ske_dhe: dh key too small. The connection appears to be rejected because the DH key the server sends during the handshake is shorter than the DH key length that squid requires.

CentOS 8 has a mechanism called crypto-policies that manages the cryptographic policy centrally for the whole system. The policy is selected from presets, which become stricter in the order LEGACY / DEFAULT / FIPS / FUTURE.

You can check the current setting with the command `update-crypto-policies --show`.

# update-crypto-policies --show
DEFAULT

According to the referenced RHEL 8 documentation, the minimum DH key length under DEFAULT is 2048 bits. Setting the policy to LEGACY would make a shorter DH key length acceptable.

However, lowering the level for the entire system is a bit much.

Solution

The tls_outgoing_options directive in squid.conf can specify the cipher set, so let's try that.

squid.conf

tls_outgoing_options cipher=DEFAULT:@SECLEVEL=1


With this, the site loads without the error.
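Because tls_outgoing_options applies to every upstream connection squid makes, it is worth confirming the diagnosis for the specific site before relaxing it. The following script is an added example, not code from the original post: it reuses the same cipher string with openssl s_client and maps the reported DH size to the OpenSSL security levels, assuming the "Server Temp Key: DH, N bits" output format of openssl 1.1.x and the thresholds documented in SSL_CTX_set_security_level(3).

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the "dh key too small"
# diagnosis outside squid. openssl s_client takes the same cipher string as
# tls_outgoing_options, so you can confirm which SECLEVEL a target needs
# before relaxing the proxy-wide setting.

# Highest OpenSSL security level that still accepts an ephemeral DH parameter
# of $1 bits. Thresholds from SSL_CTX_set_security_level(3): level 1 >= 1024,
# level 2 >= 2048, level 3 >= 3072, level 4 >= 7680, level 5 >= 15360.
# Prints 0 when no level accepts it.
max_seclevel_for_dh_bits() {
  if   [ "$1" -ge 15360 ]; then echo 5
  elif [ "$1" -ge 7680 ];  then echo 4
  elif [ "$1" -ge 3072 ];  then echo 3
  elif [ "$1" -ge 2048 ];  then echo 2
  elif [ "$1" -ge 1024 ];  then echo 1
  else echo 0
  fi
}

# Read s_client output on stdin and print the size from the
# "Server Temp Key: DH, N bits" line; prints nothing for non-DH key exchange
# (e.g. "Server Temp Key: X25519, 253 bits"), which this check does not cover.
dh_bits_from_s_client() {
  sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p'
}

# Live probe (needs network). SECLEVEL 2 matches the CentOS 8 DEFAULT
# crypto-policy, SECLEVEL 1 matches the squid fix above.
probe_dh() {
  host=$1; level=${2:-2}
  out=$(openssl s_client -connect "$host:443" -servername "$host" \
        -cipher "DEFAULT:@SECLEVEL=$level" </dev/null 2>&1) || true
  bits=$(printf '%s\n' "$out" | dh_bits_from_s_client)
  if [ -n "$bits" ]; then
    echo "$host: DH $bits bits, accepted up to SECLEVEL $(max_seclevel_for_dh_bits "$bits")"
  elif printf '%s\n' "$out" | grep -q 'dh key too small'; then
    echo "$host: rejected at SECLEVEL $level (dh key too small); retry with level 1"
  else
    echo "$host: no DH key exchange seen (ECDHE, or handshake failed for another reason)"
  fi
}

# Constructed sample of s_client output for a server offering 1024-bit DH:
# the case that fails under SECLEVEL=2 but passes under SECLEVEL=1.
SAMPLE_1024='New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server Temp Key: DH, 1024 bits'

# Usage (live): probe_dh blog.goo.ne.jp 1
```

Run the probe at level 2 first to see the rejection, then at level 1 to read the actual DH size; if the reported size is 1024, SECLEVEL=1 is the lowest setting that makes that site work.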

Sources

References consulted:

http://www.squid-cache.org/Doc/config/tls_outgoing_options/
https://yoku0825.blogspot.com/2019/12/centos-80url-error141a318assl.html
https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
https://stackoverflow.com/questions/53058362/openssl-v1-1-1-ssl-choose-client-version-unsupported-protocol
