KB 2804: Enabling DH or ECDH cipher suites between client and proxy

Published December 20, 2023

BACKGROUND

 

When using SSL decryption through Olfeo, two encryption mechanisms need to be distinguished: exchanges between the client and the proxy, and between the proxy and the remote server.

By default, Squid uses the RSA algorithm for communication between client and proxy. This mode can be modified to increase the security of the communication chain or to satisfy certain applications that refuse to exchange with an intermediary that does not offer more sophisticated cryptographic means.

 

CIPHER SUITE

To check the cipher suite used between the client and the proxy, simply visit a website through the olfeo proxy (decryption must be enabled and the site decrypted). Then click on the padlock (here on the firefox browser) and on 'More information'. The 'verified by' section should indicate the name of your certificate used for decryption.

In this case, the cipher suite used is TLS_RSA_WITH_AES_128_GCM_SHA256.

This is the default Squid proxy configuration used by Olfeo (found in /etc/squid/squid.conf):

http_port 0.0.0.0:3129 ssl-bump options=ALL:SINGLE_DH_USE:NO_SSLv3
tls-cert=/opt/olfeo/data/proxy/ssl/squid3_ca_crt.pem
tls-key=/opt/olfeo/data/proxy/ssl/squid3_ca_key.pem tls-default-ca=on

We're going to modify this setting to use the asymmetric Diffie-Hellmann (DH) algorithm and its variant ECDH (Elliptic Curve Diffie-Hellman). The latter are public-key algorithms like RSA, but are more modern and secure.

STEPS

1- Generate a parameter file

 

The first step in using modern DH/ECDH encryption is to create a DH params file. This is necessary because generating good parameters for DH is relatively simple but time-consuming. The OpenSSL library we use therefore requires its creation in advance. In addition, this avoids the use of predefined parameters, which can lead to the Logjam vulnerability.

Run the following command and place the result in the /opt/olfeo/data/proxy/ssl/ directory:

openssl dhparam -outform PEM -out dhparam.pem 2048

 

2- Modify the proxy configuration

 

To modify the default cipher suite between client and proxy, we'll need to modify a template file. This is used as a template to generate Squid's configuration.

Create the following directory and place the template contents inside:

mkdir -p /opt/olfeo/etc/sysconfig_templates/squid/
cp /opt/olfeo/lib/sysconfig_templates/squid/http_ports.j2 /opt/olfeo/etc/sysconfig_templates/squid/

Then edit the file with a text editor (e.g. vim.tiny):

vim.tiny /opt/olfeo/etc/sysconfig_templates/squid/http_ports.j2

Go to line 4 and change " :SINGLE_DH_USE,NO_SSLv3 " to " :SINGLE_DH_USE:SINGLE_ECDH_USE:NO_SSLv3 ".

  1 {% macro bump_options() -%}
  2   {% if has_licence_ssl -%}
  3         ssl-bump
  4         options={{ confsquid.sslproxy_options }}:SINGLE_DH_USE:SINGLE_ECDH_USE:NO_SSLv3
  5         tls-cert=/opt/olfeo/data/proxy/ssl/squid3_ca_crt.pem
  6         tls-key=/opt/olfeo/data/proxy/ssl/squid3_ca_key.pem

Then save your changes with the command " :wq".

Then go to lines 17 and 19 and add the option tls-dh=prime256v1:/opt/olfeo/data/proxy/ssl/dhparam.pem

 16         {%- if intercept -%}
 17                 https_port {{ port }} intercept {{ bump_options() | oneline }} tls-dh=prime256v1:/opt/olfeo/data/proxy/ssl/dhparam.pem
 18         {%- else -%}
 19                 http_port {{ port }} {{ bump_options() | oneline }} tls-dh=prime256v1:/opt/olfeo/data/proxy/ssl/dhparam.pem
 20         {%- endif %}

We're using the prime256v1 elliptic curve here, but you can use any other. To list all the curves supported by olfeo's version of OpenSSL, type:

openssl ecparam -list_curves

Enter " :wq " to confirm, then use the command to generate a new Squid configuration:

/etc/init.d/sysconfig_v2 restart

You can then open the Squid configuration file and check that it has been modified:

less /etc/squid/squid.conf

http_port 0.0.0.0:3129 ssl-bump options=ALL:SINGLE_DH_USE,SINGLE_ECDH_USE,NO_SSLv3
tls-cert=/opt/olfeo/data/proxy/ssl/squid3_ca_crt.pem tls-key=/opt/olfeo/data/proxy/ssl/squid3_ca_key.pem
tls-default-ca=on tls-dh=/opt/olfeo/data/proxy/ssl/dhparam.pem

Then restart Squid to take account of the change:

/etc/init.d/squid restart

 

VALIDATION

To validate the use of DH/ECDH algorithms, navigate through the proxy, then display the connection details, as before.

The result should take this form:

These parameters concern communication between the client and the olfeo proxy. Communication between olfeo and the remote server can be adjusted in the Advanced Proxy -> HTTP -> olfeo SSL Options section. In particular, you can adjust the cryptographic suite used in the Advanced Options section.