[squid-users] Squid 6.6 kick abandoning connections

2024-07-05 Thread Jonathan Lee
Hello fellow Squid Users, I am using Bump with certificates installed on devices. Does anyone know what this error is... kick abandoning conn43723 local=192.168.1.1:3128 remote=192.168.1.5:52129 FD 178 flags=1. Does anyone know how to fix my last weird error I have with Squid 6.6? This is my la

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread Jonathan Lee
FIXED. I think it wanted a new certificate generated; mine became too weak. I needed one that is ECDSA with prime256v sha256 and not RSA anymore; that solved my errors. The error is gone when this cert is used :) > On Jul 5, 2024, at 14:33, Jonathan Lee wrote: > > However even with it marked as no

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread Jonathan Lee
However even with it marked as no, 05.07.2024 14:30:46 ERROR: failure while accepting a TLS connection on conn4633 local=192.168.1.1:3128 remote=192.168.1.5:49721 FD 30 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1 continues. I am going to take a break; please, if anyone kn

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread Jonathan Lee
tls_outgoing_options options=NO_SSLv3,NO_TLSv1_3. NO_TLSv1_3 is the directive if you need to disable this, I have found, for all other users with this problem. > On Jul 5, 2024, at 14:21, Jonathan Lee wrote: > > output of versions > > Shell Output - openssl ciphers -s -v ECDHE > TLS_AES_256_GCM_

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread Jonathan Lee
output of versions
Shell Output - openssl ciphers -s -v ECDHE
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread Jonathan Lee
I have also tested in 5.8 and 6.6; both show the same condition, 6.6 shows errors for it however. I have also imported my certificates into Wireshark. Just to confirm, this is the firewall 192.168.1.1 port 3128; it is squid going to the iMac that is attempting TLS1.3. I have nosslv3 set also. The firewall

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread Jonathan Lee
If it’s encrypted at TLS1.3, it should still work with the approved certificate authority, as it is imported to my devices I own. I just enable TLS1.3, right? > On Jul 5, 2024, at 11:28, > wrote: > > The only one I got a certificate from was the non iMac > > The iMac keeps sending change cipher

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread jonathanlee571
The only one I got a certificate from was the non iMac. The iMac keeps sending change cipher requests and wants TLS1.3 over and over; as soon as a TLS1.2 pops up it works. That one has the certificate; however that system, the Toshiba, does not have any issues with this error. I highly suspect that

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread Alex Rousskov
On 2024-07-05 12:02, Jonathan Lee wrote: > Alex: I recommend determining what that CA is in these cases (e.g., by capturing raw TLS packets and matching them with connection information from A000417 error messages in cache.log or %err_detail in access.log). I have Wireshark running do I ju

Re: [squid-users] ERROR: Unsupported TLS option SINGLE_ECDH_USE

2024-07-05 Thread Alex Rousskov
On 2024-07-05 11:35, Jonathan Lee wrote: tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE ERROR: Unsupported TLS option SINGLE_ECDH_USE Your OpenSSL version defines the SSL_OP_SINGLE_ECDH_USE name but otherwise ignores SSL_OP_SINGLE_ECDH_USE. OpenSSL behavior that was triggere

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread Jonathan Lee
Side note: I have just found while analyzing Wireshark packets that this A000417 error only occurs with use of the iMac and the Safari browser; this does not occur on Windows 10 with the Edge browser. > On Jul 5, 2024, at 09:02, Jonathan Lee wrote: > > per > > As the next step in triage, I

Re: [squid-users] ERROR: Unsupported TLS option SINGLE_ECDH_USE

2024-07-05 Thread Jonathan Lee
Does anyone know how to activate the TLS1.3 ciphers? Per lists.squid-cache.org Ref: https://lists.squid-cache.org/pipermail/squid-users/2018-February/017640.html https://openssl.org/blog/blog/2017/05/04/tlsv1.3/ And CVE-2016-0701 "Yes. Due to CVE-2016-0701 the SS

Re: [squid-users] ERROR: Unsupported TLS option SINGLE_ECDH_USE

2024-07-05 Thread Jonathan Lee
Wireshark shows Cipher Suite: TLS_AES_128_GCM_SHA256 is being used. How would I append the TLS13-AES-256-GCM-SHA384 cipher suite for use with TLSv1.3, as it states change cipher spec on Wireshark? > On Jul 5, 2024, at 08:46, Jonathan Lee wrote: > > More details for Unsupported TLS option > > When

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread Jonathan Lee
Per: "As the next step in triage, I recommend determining what that CA is in these cases (e.g., by capturing raw TLS packets and matching them with connection information from A000417 error messages in cache.log or %err_detail in access.log)." I have Wireshark running; do I just look for informa

Re: [squid-users] ERROR: Unsupported TLS option SINGLE_ECDH_USE

2024-07-05 Thread Jonathan Lee
More details for Unsupported TLS option. When running squid -k parse: 2024/07/05 08:40:43| Processing: http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/

[squid-users] ERROR: Unsupported TLS option SINGLE_ECDH_USE

2024-07-05 Thread Jonathan Lee
tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
Different thread for ciphers issues
ERROR: Unsupported TLS option SINGLE_ECDH_USE
I found researching in lists-squid-cache.org that someone

Re: [squid-users] Squid as http to https forward proxy

2024-07-05 Thread Alex Rousskov
On 2024-07-05 10:15, Wagner, Juergen03 wrote: FWIW, I do not know why URL scheme rewriting does not work in your use case. In principle, bugs notwithstanding, I would expect URL scheme rewriting to work. In my original response, I was focusing on avoiding rewrites for a case where they should

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread Jonathan Lee
Thanks for the email and support with this. I will get Wireshark running on the client and get the info required. Yes, the information prior is from the firewall side, outside of the proxy, testing from the demilitarized zone area. I wanted to test this first to rule that out as it’s coming in from

Re: [squid-users] Squid as http to https forward proxy

2024-07-05 Thread Wagner, Juergen03
>FWIW, I do not know why URL scheme rewriting does not work in your use case. >In principle, bugs notwithstanding, I would expect URL scheme rewriting to >work. In my original response, I was focusing on avoiding rewrites for a case >where they should not be >needed because they should not be

Re: [squid-users] Squid as http to https forward proxy

2024-07-05 Thread Alex Rousskov
On 2024-07-05 09:16, Wagner, Juergen03 wrote: Actually we want to be able to connect to any remote server. So we are not looking for a solution with a "single true origin server". Thank you for clarifying that. My current understanding from your response is, that a simple url-rewrite only,

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread Alex Rousskov
On 2024-07-04 19:12, Jonathan Lee wrote: You also stated .. " my current working theory suggests that we are looking at a (default) signUntrusted use case.” I noticed for Squid documents that default is now set to off .. The http_port option you are looking at now is not the directive I was

[squid-users] Squid as http to https forward proxy

2024-07-05 Thread Wagner, Juergen03
Hello, thanks a lot for the fast responses. Actually we want to be able to connect to any remote server. So we are not looking for a solution with a "single true origin server". My current understanding from your response is, that a simple url-rewrite only, as we tried, is not working to forward h

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread Alex Rousskov
On 2024-07-04 19:02, Jonathan Lee wrote: I do not recommend changing your configuration at this time. I recommend rereading my earlier recommendation and following that instead: "As the next step in triage, I recommend determining what that CA is in these cases (e.g., by capturing raw TLS packe

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-05 Thread Alex Rousskov
On 2024-07-04 18:12, Jonathan Lee wrote: I know before I could use tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS