Re: [squid-users] sslbump working with 3.4.9 but not in intercept mode?

Efe Mon, 10 Nov 2014 03:36:19 -0800

Here are the outputs:

$ egrep '^(https?_port|ssl)' /etc/squid3/squid.conf


http_port 3128

---------------------------------------------------------------------------------------------------
$ /usr/sbin/squid3 -N

WARNING: Cannot write log file: /var/log/squid3/cache.log
/var/log/squid3/cache.log: Permission denied
         messages will be sent to 'stderr'.
WARNING: Cannot write log file: /var/log/squid3/cache.log
/var/log/squid3/cache.log: Permission denied
         messages will be sent to 'stderr'.
2014/11/10 13:30:29| WARNING: Closing open FD    2
2014/11/10 13:30:29| Starting Squid Cache version 3.3.8 for
i686-pc-linux-gnu...
2014/11/10 13:30:29| Process ID 24524
2014/11/10 13:30:29| Process Roles: master worker
2014/11/10 13:30:29| With 65536 file descriptors available
2014/11/10 13:30:29| Initializing IP Cache...
2014/11/10 13:30:29| DNS Socket created at [::], FD 4
2014/11/10 13:30:29| DNS Socket created at 0.0.0.0, FD 5
2014/11/10 13:30:29| Adding nameserver 127.0.1.1 from /etc/resolv.conf
2014/11/10 13:30:29| Adding domain mynet from /etc/resolv.conf
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_ACCESS_DENIED': (2) No such file or
directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_ACCESS_DENIED
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_CACHE_ACCESS_DENIED': (2) No such
file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_CACHE_ACCESS_DENIED
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_CACHE_MGR_ACCESS_DENIED': (2) No
such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_CACHE_MGR_ACCESS_DENIED
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_FORWARDING_DENIED': (2) No such
file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_FORWARDING_DENIED
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_NO_RELAY': (2)
No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_NO_RELAY
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_CANNOT_FORWARD': (2) No such file
or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_CANNOT_FORWARD
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_READ_TIMEOUT':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_READ_TIMEOUT
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_LIFETIME_EXP':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_LIFETIME_EXP
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_READ_ERROR':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_READ_ERROR
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_WRITE_ERROR':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_WRITE_ERROR
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_CONNECT_FAIL':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_CONNECT_FAIL
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_SECURE_CONNECT_FAIL': (2) No such
file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_SECURE_CONNECT_FAIL
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_SOCKET_FAILURE': (2) No such file
or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_SOCKET_FAILURE
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_DNS_FAIL': (2)
No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_DNS_FAIL
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_URN_RESOLVE':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_URN_RESOLVE
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_ONLY_IF_CACHED_MISS': (2) No such
file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_ONLY_IF_CACHED_MISS
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_TOO_BIG': (2)
No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_TOO_BIG
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_INVALID_RESP':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_INVALID_RESP
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_UNSUP_HTTPVERSION': (2) No such
file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_UNSUP_HTTPVERSION
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_INVALID_REQ':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_INVALID_REQ
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_UNSUP_REQ':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_UNSUP_REQ
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_INVALID_URL':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_INVALID_URL
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_ZERO_SIZE_OBJECT': (2) No such file
or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_ZERO_SIZE_OBJECT
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_PRECONDITION_FAILED': (2) No such
file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_PRECONDITION_FAILED
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_CONFLICT_HOST': (2) No such file or
directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_CONFLICT_HOST
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_FTP_DISABLED':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_FTP_DISABLED
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_FTP_UNAVAILABLE': (2) No such file
or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_FTP_UNAVAILABLE
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_FTP_FAILURE':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_FTP_FAILURE
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_FTP_PUT_ERROR': (2) No such file or
directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_FTP_PUT_ERROR
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_FTP_NOT_FOUND': (2) No such file or
directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_FTP_NOT_FOUND
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_FTP_FORBIDDEN': (2) No such file or
directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_FTP_FORBIDDEN
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_FTP_PUT_CREATED': (2) No such file
or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_FTP_PUT_CREATED
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_FTP_PUT_MODIFIED': (2) No such file
or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_FTP_PUT_MODIFIED
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_ESI': (2) No
such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file ERR_ESI
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_ICAP_FAILURE':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_ICAP_FAILURE
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_GATEWAY_FAILURE': (2) No such file
or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_GATEWAY_FAILURE
2014/11/10 13:30:29| '/usr/share/squid3/errors/templates/ERR_DIR_LISTING':
(2) No such file or directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_DIR_LISTING
2014/11/10 13:30:29|
'/usr/share/squid3/errors/templates/ERR_SHUTTING_DOWN': (2) No such file or
directory
2014/11/10 13:30:29| WARNING: failed to find or read error text file
ERR_SHUTTING_DOWN
2014/11/10 13:30:29| Logfile: opening log daemon:/var/log/squid3/access.log
2014/11/10 13:30:29| Logfile Daemon: opening log /var/log/squid3/access.log
2014/11/10 13:30:29| WARNING: no_suid: setuid(0): (1) Operation not
permitted
2014/11/10 13:30:29| Local cache digest enabled; rebuild/rewrite every
3600/3600 sec
2014/11/10 13:30:29| Store logging disabled
2014/11/10 13:30:29| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2014/11/10 13:30:29| Target number of buckets: 1008
2014/11/10 13:30:29| Using 8192 Store buckets
2014/11/10 13:30:29| Max Mem  size: 262144 KB
2014/11/10 13:30:29| Max Swap size: 0 KB
2014/11/10 13:30:29| Using Least Load store dir selection
2014/11/10 13:30:29| chdir: /var/spool/squid3: (2) No such file or directory
2014/11/10 13:30:29| Current Directory is /home/myhome
fopen: Permission denied
2014/11/10 13:30:29| Loaded Icons.
2014/11/10 13:30:29| commBind: Cannot bind socket FD 8 to [::]:3128: (98)
Address already in use
2014/11/10 13:30:29| HTCP Disabled.
2014/11/10 13:30:29| WARNING: no_suid: setuid(0): (1) Operation not
permitted
2014/11/10 13:30:29| Pinger socket opened on FD 10
2014/11/10 13:30:29| /var/run/squid3.pid: (13) Permission denied
2014/11/10 13:30:29| WARNING: Could not write pid file
2014/11/10 13:30:29| Squid plugin modules loaded: 0
2014/11/10 13:30:29| Adaptation support is off.
2014/11/10 13:30:29| Closing HTTP port [::]:3128
2014/11/10 13:30:29| storeDirWriteCleanLogs: Starting...
2014/11/10 13:30:29|   Finished.  Wrote 0 entries.
2014/11/10 13:30:29|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: Unable to open HTTP Socket
Squid Cache (Version 3.3.8): Terminated abnormally.
CPU Usage: 0.052 seconds = 0.048 user + 0.004 sys
Maximum Resident Size: 105920 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
    total space in arena:   15512 KB
    Ordinary blocks:        15407 KB      4 blks
    Small blocks:               0 KB      1 blks
    Holding blocks:         27420 KB      8 blks
    Free Small blocks:          0 KB
    Free Ordinary blocks:     104 KB
    Total in use:           42827 KB 276%
    Total free:               104 KB 1%
2014/11/10 13:30:29| Closing Pinger socket on FD 10
myhome@firstcom:~$ 2014/11/10 13:30:29| pinger: Initialising ICMP pinger ...
2014/11/10 13:30:29| pinger: ICMP socket opened.
2014/11/10 13:30:29| pinger: ICMPv6 socket opened
2014/11/10 13:30:29| Pinger exiting.

---------------------------------------------------------------------------------------------------


On Mon, Nov 10, 2014 at 1:26 PM, Jason Haar <jason_h...@trimble.com> wrote:

> On 10/11/14 23:43, Eliezer Croitoru wrote:
> > Can you send all ssl_bump related settings?
> > There are some missing parts in the settings.
>
> How's this?
>
> # egrep '^(https?_port|ssl)' /etc/squid/squid.conf
> http_port 3128
> http_port 3126 ssl-bump cert=/etc/squid/squid-CA.cert
> capath=/etc/ssl/certs/ generate-host-certificates=on
> dynamic_cert_mem_cache_size=256MB options=ALL
> http_port 3129 intercept
> https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert
> capath=/etc/ssl/certs/ generate-host-certificates=on
> dynamic_cert_mem_cache_size=256MB options=ALL
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 32 startup=5 idle=1
> ssl_bump server-first all
>
>
> This is a CentOS-6 64bit server with 8G RAM and two Ethernet cards - one
> internal and one external. iptables is used to redirect outbound tcp
> port 80/443 (on internal network) onto squid port 3129/3127
> respectively. I've removed the two ACLs I had and they haven't caused
> any change, so they are not related to the problem
>
> access.log does not show any entries (the crash occurs before they can
> write I guess) and the cache.log  shows the following whenever I "telnet
> 1.2.3.4 443" (I've appended the cache.log from the start, through the
> crash to the next start)
>
> 2014/11/11 00:14:02 kid1| Starting Squid Cache version 3.4.9 for
> x86_64-redhat-linux-gnu...
> 2014/11/11 00:14:02 kid1| Process ID 25288
> 2014/11/11 00:14:02 kid1| Process Roles: worker
> 2014/11/11 00:14:02 kid1| With 16384 file descriptors available
> 2014/11/11 00:14:02 kid1| Initializing IP Cache...
> 2014/11/11 00:14:02 kid1| DNS Socket created at 0.0.0.0, FD 7
> 2014/11/11 00:14:02 kid1| Adding domain xx.org from /etc/resolv.conf
> 2014/11/11 00:14:02 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
> 2014/11/11 00:14:02 kid1| helperOpenServers: Starting 5/32 'ssl_crtd'
> processes
> 2014/11/11 00:14:02 kid1| helperOpenServers: Starting 5/20 'squidguard'
> processes
> 2014/11/11 00:14:02 kid1| Logfile: opening log
> daemon:/var/log/squid/access.log
> 2014/11/11 00:14:02 kid1| Logfile Daemon: opening log
> /var/log/squid/access.log
> 2014/11/11 00:14:02 kid1| Unlinkd pipe opened on FD 33
> 2014/11/11 00:14:02 kid1| Local cache digest enabled; rebuild/rewrite
> every 3600/3600 sec
> 2014/11/11 00:14:02 kid1| Store logging disabled
> 2014/11/11 00:14:02 kid1| Swap maxSize 1024000 + 524288 KB, estimated
> 119099 objects
> 2014/11/11 00:14:02 kid1| Target number of buckets: 5954
> 2014/11/11 00:14:02 kid1| Using 8192 Store buckets
> 2014/11/11 00:14:02 kid1| Max Mem  size: 524288 KB
> 2014/11/11 00:14:02 kid1| Max Swap size: 1024000 KB
> 2014/11/11 00:14:02 kid1| Rebuilding storage in /var/spool/squid (clean
> log)
> 2014/11/11 00:14:02 kid1| Using Least Load store dir selection
> 2014/11/11 00:14:02 kid1| Set Current Directory to /var/spool/squid
> 2014/11/11 00:14:02 kid1| Finished loading MIME types and icons.
> 2014/11/11 00:14:02 kid1| HTCP Disabled.
> 2014/11/11 00:14:02 kid1| Squid plugin modules loaded: 0
> 2014/11/11 00:14:02 kid1| Adaptation support is off.
> 2014/11/11 00:14:02 kid1| Accepting HTTP Socket connections at
> local=0.0.0.0:3128 remote=[::] FD 36 flags=9
> 2014/11/11 00:14:02 kid1| Accepting SSL bumped HTTP Socket connections
> at local=0.0.0.0:3126 remote=[::] FD 37 flags=9
> 2014/11/11 00:14:02 kid1| Accepting NAT intercepted HTTP Socket
> connections at local=0.0.0.0:3129 remote=[::] FD 38 flags=41
> 2014/11/11 00:14:02 kid1| Accepting NAT intercepted SSL bumped HTTPS
> Socket connections at local=0.0.0.0:3127 remote=[::] FD 39 flags=41
> 2014/11/11 00:14:02 kid1| Store rebuilding is 42.19% complete
> 2014/11/11 00:14:02 kid1| Done reading /var/spool/squid swaplog (9479
> entries)
> 2014/11/11 00:14:02 kid1| Finished rebuilding storage from disk.
> 2014/11/11 00:14:02 kid1|      9479 Entries scanned
> 2014/11/11 00:14:02 kid1|         0 Invalid entries.
> 2014/11/11 00:14:02 kid1|         0 With invalid flags.
> 2014/11/11 00:14:02 kid1|      9479 Objects loaded.
> 2014/11/11 00:14:02 kid1|         0 Objects expired.
> 2014/11/11 00:14:02 kid1|         0 Objects cancelled.
> 2014/11/11 00:14:02 kid1|         0 Duplicate URLs purged.
> 2014/11/11 00:14:02 kid1|         0 Swapfile clashes avoided.
> 2014/11/11 00:14:02 kid1|   Took 0.06 seconds (147560.63 objects/sec).
> 2014/11/11 00:14:02 kid1| Beginning Validation Procedure
> 2014/11/11 00:14:02 kid1|   Completed Validation Procedure
> 2014/11/11 00:14:02 kid1|   Validated 9479 Entries
> 2014/11/11 00:14:02 kid1|   store_swap_size = 920980.00 KB
> 2014/11/11 00:14:03 kid1| storeLateRelease: released 0 objects
> 2014/11/11 00:14:09 kid1| Closing HTTP port 0.0.0.0:3128
> 2014/11/11 00:14:09 kid1| Closing HTTP port 0.0.0.0:3126
> 2014/11/11 00:14:09 kid1| Closing HTTP port 0.0.0.0:3129
> 2014/11/11 00:14:09 kid1| Closing HTTPS port 0.0.0.0:3127
> FATAL: xstrdup: tried to dup a NULL pointer!
>
> Squid Cache (Version 3.4.9): Terminated abnormally.
> CPU Usage: 0.077 seconds = 0.054 user + 0.023 sys
> Maximum Resident Size: 70912 KB
> Page faults with physical i/o: 0
> Memory usage for squid via mallinfo():
>     total space in arena:    9328 KB
>     Ordinary blocks:         9228 KB      5 blks
>     Small blocks:               0 KB      1 blks
>     Holding blocks:         10068 KB      6 blks
>     Free Small blocks:          0 KB
>     Free Ordinary blocks:      99 KB
>     Total in use:           19296 KB 207%
>     Total free:                99 KB 1%
> 2014/11/11 00:14:09 kid1| storeDirWriteCleanLogs: Starting...
> 2014/11/11 00:14:09 kid1|   Finished.  Wrote 9479 entries.
> 2014/11/11 00:14:09 kid1|   Took 0.04 seconds (240455.59 entries/sec).
> 2014/11/11 00:14:12 kid1| Set Current Directory to /var/spool/squid
> 2014/11/11 00:14:12 kid1| Starting Squid Cache version 3.4.9 for
> x86_64-redhat-linux-gnu...
>
> --
> Cheers
>
> Jason Haar
> Corporate Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] sslbump working with 3.4.9 but not in intercept mode?

Reply via email to