On Fri, 2015-07-24 at 17:25 -0500, Stanford Prescott wrote:
> I have a working implementation of Squid 3.5.5 with ssl-bump. When
> 3.5.5 is started with ssl-bump enabled all the squid and ssl_crtd
> processes start and Squid functions as intended when bumping ssl
> sites. However, when I bump Squid to 3.5.6 squid seems to start but
> ssl_crtd does not and Squid 3.5.6 cannot successfully bump ssl.
>
> These are the config options I use for both 3.5.5 and 3.5.6.
>
> --enable-storeio="diskd,ufs,aufs" --enable-linux-netfilter \
> --enable-removal-policies="heap,lru" --enable-delay-pools --libdir=/usr/lib/ \
> --localstatedir=/var --with-dl --with-openssl --enable-http-violations \
> --with-large-files --with-libcap --disable-ipv6 --with-swapdir=/var/spool/squid \
> --enable-ssl-crtd --enable-follow-x-forwarded-for
>
> This is the squid.conf file used for both versions.
>
> visible_hostname smoothwallu3
>
> # Uncomment the following to send debug info to /var/log/squid/cache.log
> debug_options ALL,1 33,2 28,9
>
> # ACCESS CONTROLS
> # ----------------------------------------------------------------
> acl localhostgreen src 10.20.20.1
> acl localnetgreen src 10.20.20.0/24
>
> acl SSL_ports port 445 443 441 563
> acl Safe_ports port 80                # http
> acl Safe_ports port 81                # smoothwall http
> acl Safe_ports port 21                # ftp
> acl Safe_ports port 445 443 441 563   # https, snews
> acl Safe_ports port 70                # gopher
> acl Safe_ports port 210               # wais
> acl Safe_ports port 1025-65535        # unregistered ports
> acl Safe_ports port 280               # http-mgmt
> acl Safe_ports port 488               # gss-http
> acl Safe_ports port 591               # filemaker
> acl Safe_ports port 777               # multiling http
>
> acl CONNECT method CONNECT
>
> # TAG: http_access
> # ----------------------------------------------------------------
>
> http_access allow localhost
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow localnetgreen
> http_access allow CONNECT localnetgreen
>
> http_access allow localhostgreen
> http_access allow CONNECT localhostgreen
>
> # http_port and https_port
> #----------------------------------------------------------------------------
>
> # For forward-proxy port. Squid uses this port to serve error pages,
> # ftp icons and communication with other proxies.
> #----------------------------------------------------------------------------
> http_port 3127
>
> http_port 10.20.20.1:800 intercept
> https_port 10.20.20.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
>
> http_port 127.0.0.1:800 intercept
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_session_cache_size 4 MB
>
> ssl_bump none localhostgreen
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> ssl_bump peek step1
> ssl_bump bump all
>
> sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> http_access deny all
>
> cache_replacement_policy heap GDSF
> memory_replacement_policy heap GDSF
>
> # CACHE OPTIONS
> # ----------------------------------------------------------------------------
> cache_effective_user squid
> cache_effective_group squid
>
> cache_swap_high 100
> cache_swap_low 80
>
> cache_access_log stdio:/var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_mem 64 MB
>
> cache_dir diskd /var/spool/squid/cache 1024 16 256
>
> maximum_object_size 33 MB
>
> minimum_object_size 0 KB
>
> request_body_max_size 0 KB
>
> # OTHER OPTIONS
> # ----------------------------------------------------------------------------
> #via off
> forwarded_for off
>
> pid_filename /var/run/squid.pid
>
> shutdown_lifetime 30 seconds
> icp_port 3130
>
> half_closed_clients off
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
> adaptation_access service_avi_req allow all
> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
> adaptation_access service_avi_resp allow all
>
> umask 022
>
> logfile_rotate 0
>
> strip_query_terms off
>
> redirect_program /usr/sbin/squidGuard
> url_rewrite_children 5
>
> And the cache.log file when starting 3.5.6 with debug options on in squid.conf
>
> 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
> 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
> 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06 kid1| Current Directory is /
> 2015/07/24 17:15:06 kid1| Starting Squid Cache version 3.5.6 for i586-pc-linux-gnu...
> 2015/07/24 17:15:06 kid1| Service Name: squid
> 2015/07/24 17:15:06 kid1| Process ID 2907
> 2015/07/24 17:15:06 kid1| Process Roles: worker
> 2015/07/24 17:15:06 kid1| With 1024 file descriptors available
> 2015/07/24 17:15:06 kid1| Initializing IP Cache...
> 2015/07/24 17:15:06 kid1| DNS Socket created at 0.0.0.0, FD 8
> 2015/07/24 17:15:06 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
> 2015/07/24 17:15:06 kid1| helperOpenServers: Starting 0/5 'squidGuard' processes
> 2015/07/24 17:15:06 kid1| helperOpenServers: No 'squidGuard' processes needed.
> 2015/07/24 17:15:06 kid1| Logfile: opening log stdio:/var/log/squid/access.log
> 2015/07/24 17:15:06 kid1| Unlinkd pipe opened on FD 15
> 2015/07/24 17:15:06 kid1| Store logging disabled
> 2015/07/24 17:15:06 kid1| Swap maxSize 1048576 + 65536 KB, estimated 85700 objects
> 2015/07/24 17:15:06 kid1| Target number of buckets: 4285
> 2015/07/24 17:15:06 kid1| Using 8192 Store buckets
> 2015/07/24 17:15:06 kid1| Max Mem size: 65536 KB
> 2015/07/24 17:15:06 kid1| Max Swap size: 1048576 KB
> 2015/07/24 17:15:06 kid1| Rebuilding storage in /var/spool/squid/cache (dirty log)
> 2015/07/24 17:15:06 kid1| Using Least Load store dir selection
> 2015/07/24 17:15:06 kid1| Current Directory is /
> 2015/07/24 17:15:06 kid1| Finished loading MIME types and icons.
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d218 [call5]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c) [call5]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d3a8 [call7]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc) [call7]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d510 [call9]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544) [call9]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d6b0 [call11]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4) [call11]
> 2015/07/24 17:15:06.578 kid1| HTCP Disabled.
> 2015/07/24 17:15:06.578 kid1| Squid plugin modules loaded: 0
> 2015/07/24 17:15:06.578 kid1| Adaptation support is on
> 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call5]
> 2015/07/24 17:15:06.578 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3127 remote=[::] FD 20 flags=9
> 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
> 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call7]
> 2015/07/24 17:15:06.578 kid1| Accepting NAT intercepted HTTP Socket connections at local=10.20.20.1:800 remote=[::] FD 21 flags=41
> 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
> 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
> 2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call9]
> 2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted HTTP Socket connections at local=127.0.0.1:800 remote=[::] FD 22 flags=41
> 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
> 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
> 2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call11]
> 2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=10.20.20.1:808 remote=[::] FD 23 flags=41
> 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
> 2015/07/24 17:15:06.579 kid1| Accepting ICP messages on 0.0.0.0:3130
> 2015/07/24 17:15:06.579 kid1| Sending ICP messages from 0.0.0.0:3130
> 2015/07/24 17:15:06.579 kid1| Done reading /var/spool/squid/cache swaplog (12 entries)
> 2015/07/24 17:15:06.579 kid1| Finished rebuilding storage from disk.
> 2015/07/24 17:15:06.579 kid1|        12 Entries scanned
> 2015/07/24 17:15:06.579 kid1|         0 Invalid entries.
> 2015/07/24 17:15:06.579 kid1|         0 With invalid flags.
> 2015/07/24 17:15:06.579 kid1|        12 Objects loaded.
> 2015/07/24 17:15:06.579 kid1|         0 Objects expired.
> 2015/07/24 17:15:06.579 kid1|         0 Objects cancelled.
> 2015/07/24 17:15:06.579 kid1|         0 Duplicate URLs purged.
> 2015/07/24 17:15:06.579 kid1|         0 Swapfile clashes avoided.
> 2015/07/24 17:15:06.579 kid1|   Took 0.06 seconds (210.47 objects/sec).
> 2015/07/24 17:15:06.579 kid1| Beginning Validation Procedure
> 2015/07/24 17:15:06.579 kid1| Completed Validation Procedure
> 2015/07/24 17:15:06.579 kid1|   Validated 12 Entries
> 2015/07/24 17:15:06.579 kid1|   store_swap_size = 1444.00 KB
> 2015/07/24 17:15:07 kid1| storeLateRelease: released 0 objects
>
> Any help or suggestions greatly appreciated.
>
> Regards
>
> Stan
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
I do not experience this issue:

[18:04:56 jlay:~/nobackup/build$] ps aux | egrep "ssl|squid"
root      3173  0.0  0.0  18840   372 ?        Ss   Jul23   0:00 /opt/sbin/squid
nobody    3175  0.0  1.2  52856 39744 ?        S    Jul23   0:47 (squid-1)
nobody    3177  0.0  0.0   5916  2040 ?        S    Jul23   0:05 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
nobody    3178  0.0  0.0   5828  1840 ?        S    Jul23   0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
nobody    3179  0.0  0.0   5828  1708 ?        S    Jul23   0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
nobody    3180  0.0  0.0   5648   912 ?        S    Jul23   0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
nobody    3181  0.0  0.0   5648   912 ?        S    Jul23   0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096

my config line:

./configure --prefix=/opt --with-openssl --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-forwarded-for --with-large-files --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none

Squid Cache: Version 3.5.6

James
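A check worth running on the squid.conf quoted in this thread, added here as an example and not code from either poster or from the Squid project: the two directives `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER` make the bumping proxy accept any upstream certificate, so every client that trusts the squidCA.pem certificate is also trusting whatever answers on port 443 between the proxy and the origin. The script below parses a squid.conf (comments, backslash continuations), flags those two settings, flags an `ssl_bump bump` rule that can fire at step 1 before any `peek`/`stare` (the fake certificate would then be minted without the client SNI or the real server certificate), and pulls out the `sslcrtd_program` command line so it can be compared with `ps` output as James did. The directive semantics are Squid 3.5 documented behaviour; the two sample configs are constructed from the quoted lines, with the hardened one assumed rather than taken from the thread.

```python
"""Lint a Squid 3.5 squid.conf for SSL-bump settings that weaken upstream
certificate validation.  Added example, not Squid's own code.  Directive
names and "first matching ssl_bump rule wins" are from squid.conf
documentation; both sample configs below are constructed."""
from typing import List, Tuple

Entry = Tuple[str, List[str]]  # (directive, arguments)

# Constructed sample: the SSL-bump related lines of the config quoted above.
WEAK_CONF = """\
https_port 10.20.20.1:808 intercept ssl-bump generate-host-certificates=on \\
    dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump none localhostgreen
acl step1 at_step SslBump1   # step 1 = TCP connect, step 2 = ClientHello seen
acl step2 at_step SslBump2
ssl_bump peek step1
ssl_bump bump all
sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5
"""

# Constructed hardened variant (an assumption, not from the thread): same bump
# decision, but the upstream chain is verified and errors are rejected.
HARDENED_CONF = """\
https_port 10.20.20.1:808 intercept ssl-bump generate-host-certificates=on \\
    dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
sslproxy_cert_error deny all
ssl_bump none localhostgreen
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5
"""


def parse_conf(text: str) -> List[Entry]:
    """Split squid.conf into (directive, args): '#' starts a comment, blank
    lines are skipped, a trailing backslash continues the directive."""
    entries: List[Entry] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        words = (pending + line).split()
        pending = ""
        entries.append((words[0], words[1:]))
    return entries


def lint_ssl_bump(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    entries = parse_conf(text)
    findings: List[str] = []
    # Map step ACL name -> step number, e.g. "step1" -> 1 from "at_step SslBump1".
    step_acls = {a[0]: int(a[2][-1]) for d, a in entries
                 if d == "acl" and len(a) >= 3 and a[1] == "at_step"}
    seen_peek = False  # an earlier peek/stare rule guarantees bump happens at step 2+
    for directive, args in entries:
        if directive == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append("sslproxy_cert_error allow all: expired, misnamed or "
                            "untrusted upstream certificates are accepted and the "
                            "client is never told")
        elif directive == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append("sslproxy_flags DONT_VERIFY_PEER: the upstream "
                            "certificate chain is not verified at all")
        elif directive == "ssl_bump":
            action, acls = args[0], args[1:]
            if action in ("peek", "stare"):
                seen_peek = True
            elif action == "bump" and not seen_peek:
                # Heuristic: a bump rule that names no step>=2 ACL can match at step 1.
                later = [n for n in acls if step_acls.get(n.lstrip("!"), 1) >= 2]
                if not later:
                    findings.append("ssl_bump bump can match at step 1: the mimicked "
                                    "certificate is generated before the client SNI "
                                    "or the real server certificate has been seen")
    return findings


def sslcrtd_command(text: str) -> str:
    """The helper command Squid is told to spawn, for comparison with ps output."""
    for directive, args in parse_conf(text):
        if directive == "sslcrtd_program":
            return " ".join(args)
    return ""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: helper = {sslcrtd_command(conf)}")
        for finding in lint_ssl_bump(conf) or ["no findings"]:
            print("  -", finding)
```

Point it at a real file with `lint_ssl_bump(open("/etc/squid/squid.conf").read())`. On Squid 3.5 dropping `DONT_VERIFY_PEER` and setting `sslproxy_cert_error deny all` (the default) means a bad upstream certificate produces a Squid error page instead of a silently re-signed connection, which is the behaviour a client would have had without the proxy in the path.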