KB NO. 2804: ENABLE DH OR ECDH CIPHER SUITES BETWEEN CLIENT AND PROXY
BACKGROUND
When using SSL decryption through Olfeo, two encryption mechanisms need to be distinguished: exchanges between the client and the proxy, and between the proxy and the remote server.
By default, Squid uses the RSA algorithm for communication between client and proxy. This mode can be modified to increase the security of the communication chain or to satisfy certain applications that refuse to exchange with an intermediary that does not offer more sophisticated cryptographic means.
CIPHER SUITE
To check the cipher suite used between the client and the proxy, visit a website through the Olfeo proxy (decryption must be enabled and the site decrypted). Then click on the padlock (shown here in the Firefox browser) and on 'More information'. The 'verified by' section should indicate the name of your certificate used for decryption.
In this case, the cipher suite used is TLS_RSA_WITH_AES_128_GCM_SHA256.
This is the default Squid proxy configuration used by Olfeo (found in /etc/squid/squid.conf):
http_port 0.0.0.0:3129 ssl-bump options=ALL:SINGLE_DH_USE:NO_SSLv3 tls-cert=/opt/olfeo/data/proxy/ssl/squid3_ca_crt.pem tls-key=/opt/olfeo/data/proxy/ssl/squid3_ca_key.pem tls-default-ca=on
We're going to modify this setting to use the asymmetric Diffie-Hellman (DH) algorithm and its variant ECDH (Elliptic Curve Diffie-Hellman). Like RSA, these are public-key algorithms, but they are more modern and secure.
STEPS
1- Generate a parameter file
The first step in using modern DH/ECDH encryption is to create a DH params file. This is necessary because generating good parameters for DH is relatively simple but time-consuming. The OpenSSL library we use therefore requires its creation in advance. In addition, this avoids the use of predefined parameters, thus avoiding exposure to the Logjam vulnerability.
Run the following command and place the result in the /opt/olfeo/data/proxy/ssl/ directory:
openssl dhparam -outform PEM -out dhparam.pem 2048
2- Modify the proxy configuration
To modify the default cipher suite between client and proxy, we'll need to modify a template file. This is used as a template to generate Squid's configuration.
Create the following directory and place the template contents inside:
mkdir -p /opt/olfeo/etc/sysconfig_templates/squid/
cp /opt/olfeo/lib/sysconfig_templates/squid/http_ports.j2 /opt/olfeo/etc/sysconfig_templates/squid/
Then edit the file with a text editor (e.g. vim.tiny):
vim.tiny /opt/olfeo/etc/sysconfig_templates/squid/http_ports.j2
Go to line 4 and change ":SINGLE_DH_USE,NO_SSLv3" to ":SINGLE_DH_USE:SINGLE_ECDH_USE:NO_SSLv3".
1 {% macro bump_options() -%}
2 {% if has_licence_ssl -%}
3 ssl-bump
4 options={{ confsquid.sslproxy_options }}:SINGLE_DH_USE:SINGLE_ECDH_USE:NO_SSLv3
5 tls-cert=/opt/olfeo/data/proxy/ssl/squid3_ca_crt.pem
6 tls-key=/opt/olfeo/data/proxy/ssl/squid3_ca_key.pem
Then save your changes with the command ":wq".
Then go to lines 17 and 19 and add the option tls-dh=prime256v1:/opt/olfeo/data/proxy/ssl/dhparam.pem:
16 {%- if intercept -%}
17 https_port {{ port }} intercept {{ bump_options() | oneline }} tls-dh=prime256v1:/opt/olfeo/data/proxy/ssl/dhparam.pem
18 {%- else -%}
19 http_port {{ port }} {{ bump_options() | oneline }} tls-dh=prime256v1:/opt/olfeo/data/proxy/ssl/dhparam.pem
20 {%- endif %}
We're using the prime256v1 elliptic curve here, but you can use any other. To list all the curves supported by Olfeo's version of OpenSSL, type:
openssl ecparam -list_curves
Enter ":wq" to confirm, then use the following command to generate a new Squid configuration:
/etc/init.d/sysconfig_v2 restart
You can then open the Squid configuration file and check that it has been modified:
less /etc/squid/squid.conf
http_port 0.0.0.0:3129 ssl-bump options=ALL:SINGLE_DH_USE:SINGLE_ECDH_USE:NO_SSLv3 tls-cert=/opt/olfeo/data/proxy/ssl/squid3_ca_crt.pem tls-key=/opt/olfeo/data/proxy/ssl/squid3_ca_key.pem tls-default-ca=on tls-dh=prime256v1:/opt/olfeo/data/proxy/ssl/dhparam.pem
Then restart Squid to take account of the change:
/etc/init.d/squid restart
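The manual check of squid.conf described above can be scripted. The following is an added example, not part of the original KB or of Olfeo's tooling: the function names check_bump_line and audit_conf and the two sample lines are assumptions made for illustration, modelled on the configurations shown on this page.

```shell
#!/bin/sh
# Added example (not Olfeo's tooling): audit ssl-bump listeners in squid.conf.

# check_bump_line LINE: print findings; return 0 only if the listener carries
# the options and the tls-dh=curve:/path value that this KB configures.
check_bump_line() {
    line=$1 rc=0 opts='' dh=''
    for tok in $line; do
        case $tok in
            options=*) opts=${tok#options=} ;;
            tls-dh=*)  dh=${tok#tls-dh=} ;;
        esac
    done
    # The page shows both ':' and ',' between option names; normalise to ':'.
    opts=":$(printf '%s' "$opts" | tr ',' ':'):"
    for want in SINGLE_DH_USE SINGLE_ECDH_USE NO_SSLv3; do
        case $opts in
            *":$want:"*) ;;
            *) echo "missing option: $want"; rc=1 ;;
        esac
    done
    case $dh in
        '')   echo "tls-dh not set: no DH parameter file or curve"; rc=1 ;;
        /*)   echo "tls-dh has no curve prefix: ECDH not configured"; rc=1 ;;
        *:/*) ;;   # curve:/path form, e.g. prime256v1:/.../dhparam.pem
        *)    echo "tls-dh not in curve:/path form: $dh"; rc=1 ;;
    esac
    return $rc
}

# audit_conf FILE: check every http_port/https_port line that uses ssl-bump.
# Returns 0 if all such lines pass, 1 otherwise.
audit_conf() {
    bad=0
    while IFS= read -r l; do
        case $l in
            http_port*ssl-bump*|https_port*ssl-bump*)
                check_bump_line "$l" || { echo "  in: ${l%% ssl-bump*}"; bad=1; } ;;
        esac
    done < "$1"
    return $bad
}

# Constructed sample lines: the default listener and a modified one
# (mixed separators on purpose, to exercise the normalisation).
DEFAULT_LINE='http_port 0.0.0.0:3129 ssl-bump options=ALL:SINGLE_DH_USE:NO_SSLv3 tls-cert=/opt/olfeo/data/proxy/ssl/squid3_ca_crt.pem'
HARDENED_LINE='http_port 0.0.0.0:3129 ssl-bump options=ALL:SINGLE_DH_USE,SINGLE_ECDH_USE:NO_SSLv3 tls-dh=prime256v1:/opt/olfeo/data/proxy/ssl/dhparam.pem'

# On the appliance: audit_conf /etc/squid/squid.conf
```

A non-zero return from audit_conf means at least one ssl-bump listener was generated without the template change, so check the template copy before restarting Squid.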
VALIDATION
To validate the use of DH/ECDH algorithms, navigate through the proxy, then display the connection details, as before.
The result should take this form:
WARNING!
These parameters concern communication between the client and the Olfeo proxy. Communication between Olfeo and the remote server can be adjusted in the Advanced Proxy -> HTTP -> olfeo SSL Options section. In particular, you can adjust the cryptographic suite used in the Advanced Options section.