Thanks for that. Any ideas why I am experiencing that?

Stan
On Fri, Jul 24, 2015 at 7:07 PM, James Lay <j...@slave-tothe-box.net> wrote:

> On Fri, 2015-07-24 at 17:25 -0500, Stanford Prescott wrote:
>
> I have a working implementation of Squid 3.5.5 with ssl-bump. When 3.5.5
> is started with ssl-bump enabled all the squid and ssl_crtd processes start
> and Squid functions as intended when bumping ssl sites. However, when I
> bump Squid to 3.5.6 squid seems to start but ssl_crtd does not and Squid
> 3.5.6 cannot successfully bump ssl.
>
> These are the config options I use for both 3.5.5 and 3.5.6.
>
> --enable-storeio="diskd,ufs,aufs" --enable-linux-netfilter \
> --enable-removal-policies="heap,lru" --enable-delay-pools --libdir=/usr/lib/ \
> --localstatedir=/var --with-dl --with-openssl --enable-http-violations \
> --with-large-files --with-libcap --disable-ipv6 --with-swapdir=/var/spool/squid \
> --enable-ssl-crtd --enable-follow-x-forwarded-for
>
> This is the squid.conf file used for both versions.
>
> visible_hostname smoothwallu3
>
> # Uncomment the following to send debug info to /var/log/squid/cache.log
> debug_options ALL,1 33,2 28,9
>
> # ACCESS CONTROLS
> # ----------------------------------------------------------------
> acl localhostgreen src 10.20.20.1
> acl localnetgreen src 10.20.20.0/24
>
> acl SSL_ports port 445 443 441 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 81 # smoothwall http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 445 443 441 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
>
> # TAG: http_access
> # ----------------------------------------------------------------
>
> http_access allow localhost
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow localnetgreen
> http_access allow CONNECT localnetgreen
>
> http_access allow localhostgreen
> http_access allow CONNECT localhostgreen
>
> # http_port and https_port
>
> #----------------------------------------------------------------------------
>
> # For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.
>
> #----------------------------------------------------------------------------
> http_port 3127
>
> http_port 10.20.20.1:800 intercept
> https_port 10.20.20.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
>
> http_port 127.0.0.1:800 intercept
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_session_cache_size 4 MB
>
> ssl_bump none localhostgreen
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> ssl_bump peek step1
> ssl_bump bump all
>
> sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> http_access deny all
>
> cache_replacement_policy heap GDSF
> memory_replacement_policy heap GDSF
>
> # CACHE OPTIONS
> # ----------------------------------------------------------------------------
> cache_effective_user squid
> cache_effective_group squid
>
> cache_swap_high 100
> cache_swap_low 80
>
> cache_access_log stdio:/var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_mem 64 MB
>
> cache_dir diskd /var/spool/squid/cache 1024 16 256
>
> maximum_object_size 33 MB
>
> minimum_object_size 0 KB
>
> request_body_max_size 0 KB
>
> # OTHER OPTIONS
> # ----------------------------------------------------------------------------
> #via off
> forwarded_for off
>
> pid_filename /var/run/squid.pid
>
> shutdown_lifetime 30 seconds
> icp_port 3130
>
> half_closed_clients off
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
> adaptation_access service_avi_req allow all
> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
> adaptation_access service_avi_resp allow all
>
> umask 022
>
> logfile_rotate 0
>
> strip_query_terms off
>
> redirect_program /usr/sbin/squidGuard
> url_rewrite_children 5
>
> And the cache.log file when starting 3.5.6 with debug options on in
> squid.conf
>
> 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
> 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
> 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
> 2015/07/24 17:15:06 kid1| Current Directory is /
> 2015/07/24 17:15:06 kid1| Starting Squid Cache version 3.5.6 for i586-pc-linux-gnu...
> 2015/07/24 17:15:06 kid1| Service Name: squid
> 2015/07/24 17:15:06 kid1| Process ID 2907
> 2015/07/24 17:15:06 kid1| Process Roles: worker
> 2015/07/24 17:15:06 kid1| With 1024 file descriptors available
> 2015/07/24 17:15:06 kid1| Initializing IP Cache...
> 2015/07/24 17:15:06 kid1| DNS Socket created at 0.0.0.0, FD 8
> 2015/07/24 17:15:06 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
> 2015/07/24 17:15:06 kid1| helperOpenServers: Starting 0/5 'squidGuard' processes
> 2015/07/24 17:15:06 kid1| helperOpenServers: No 'squidGuard' processes needed.
> 2015/07/24 17:15:06 kid1| Logfile: opening log stdio:/var/log/squid/access.log
> 2015/07/24 17:15:06 kid1| Unlinkd pipe opened on FD 15
> 2015/07/24 17:15:06 kid1| Store logging disabled
> 2015/07/24 17:15:06 kid1| Swap maxSize 1048576 + 65536 KB, estimated 85700 objects
> 2015/07/24 17:15:06 kid1| Target number of buckets: 4285
> 2015/07/24 17:15:06 kid1| Using 8192 Store buckets
> 2015/07/24 17:15:06 kid1| Max Mem size: 65536 KB
> 2015/07/24 17:15:06 kid1| Max Swap size: 1048576 KB
> 2015/07/24 17:15:06 kid1| Rebuilding storage in /var/spool/squid/cache (dirty log)
> 2015/07/24 17:15:06 kid1| Using Least Load store dir selection
> 2015/07/24 17:15:06 kid1| Current Directory is /
> 2015/07/24 17:15:06 kid1| Finished loading MIME types and icons.
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d218 [call5]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c) [call5]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d3a8 [call7]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc) [call7]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d510 [call9]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544) [call9]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d6b0 [call11]
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4) [call11]
> 2015/07/24 17:15:06.578 kid1| HTCP Disabled.
> 2015/07/24 17:15:06.578 kid1| Squid plugin modules loaded: 0
> 2015/07/24 17:15:06.578 kid1| Adaptation support is on
> 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call5]
> 2015/07/24 17:15:06.578 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3127 remote=[::] FD 20 flags=9
> 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
> 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
> 2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call7]
> 2015/07/24 17:15:06.578 kid1| Accepting NAT intercepted HTTP Socket connections at local=10.20.20.1:800 remote=[::] FD 21 flags=41
> 2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
> 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
> 2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call9]
> 2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted HTTP Socket connections at local=127.0.0.1:800 remote=[::] FD 22 flags=41
> 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
> 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
> 2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call11]
> 2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=10.20.20.1:808 remote=[::] FD 23 flags=41
> 2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
> 2015/07/24 17:15:06.579 kid1| Accepting ICP messages on 0.0.0.0:3130
> 2015/07/24 17:15:06.579 kid1| Sending ICP messages from 0.0.0.0:3130
> 2015/07/24 17:15:06.579 kid1| Done reading /var/spool/squid/cache swaplog (12 entries)
> 2015/07/24 17:15:06.579 kid1| Finished rebuilding storage from disk.
> 2015/07/24 17:15:06.579 kid1| 12 Entries scanned
> 2015/07/24 17:15:06.579 kid1| 0 Invalid entries.
> 2015/07/24 17:15:06.579 kid1| 0 With invalid flags.
> 2015/07/24 17:15:06.579 kid1| 12 Objects loaded.
> 2015/07/24 17:15:06.579 kid1| 0 Objects expired.
> 2015/07/24 17:15:06.579 kid1| 0 Objects cancelled.
> 2015/07/24 17:15:06.579 kid1| 0 Duplicate URLs purged.
> 2015/07/24 17:15:06.579 kid1| 0 Swapfile clashes avoided.
> 2015/07/24 17:15:06.579 kid1| Took 0.06 seconds (210.47 objects/sec).
> 2015/07/24 17:15:06.579 kid1| Beginning Validation Procedure
> 2015/07/24 17:15:06.579 kid1| Completed Validation Procedure
> 2015/07/24 17:15:06.579 kid1| Validated 12 Entries
> 2015/07/24 17:15:06.579 kid1| store_swap_size = 1444.00 KB
> 2015/07/24 17:15:07 kid1| storeLateRelease: released 0 objects
>
> Any help or suggestions greatly appreciated.
>
> Regards
>
> Stan
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
> I do not experience this issue:
>
> [18:04:56 jlay <jlay@gateway>:~/nobackup/build$] ps aux | egrep "ssl|squid"
> root 3173 0.0 0.0 18840 372 ? Ss Jul23 0:00 /opt/sbin/squid
> nobody 3175 0.0 1.2 52856 39744 ? S Jul23 0:47 (squid-1)
> nobody 3177 0.0 0.0 5916 2040 ? S Jul23 0:05 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> nobody 3178 0.0 0.0 5828 1840 ? S Jul23 0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> nobody 3179 0.0 0.0 5828 1708 ? S Jul23 0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> nobody 3180 0.0 0.0 5648 912 ? S Jul23 0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
> nobody 3181 0.0 0.0 5648 912 ? S Jul23 0:00 (ssl_crtd) -s /opt/var/ssl_db -M 4MB -b 4096
>
> my config line:
> ./configure --prefix=/opt --with-openssl --enable-ssl --enable-ssl-crtd
> --enable-linux-netfilter --enable-follow-x-forwarded-for --with-large-files
> --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none
>
> Squid Cache: Version 3.5.6
>
> James
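As an added example (not code from the thread or from the Squid project), a small sh script that checks the prerequisites ssl-bump needs before ssl_crtd children can start (an executable sslcrtd_program and an initialised ssl_db) and reports the two directives in Stan's config that disable upstream certificate validation. The ssl_db layout it expects (index.txt, serial, certs/) and every path in the constructed sample are assumptions.

```shell
# Added example, not from the thread: check the ssl-bump helper prerequisites
# a squid.conf like Stan's relies on, and flag the directives that disable
# upstream certificate validation. Assumption: an initialised ssl_db
# (ssl_crtd -c -s DIR) contains index.txt, serial and a certs/ directory.

# conf_value FILE DIRECTIVE -> first argument of the directive, or empty
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# sslcrtd_db_dir FILE -> the -s argument of the sslcrtd_program line
sslcrtd_db_dir() {
    awk '$1 == "sslcrtd_program" {
        for (i = 2; i <= NF; i++) if ($i == "-s") { print $(i + 1); exit } }' "$1"
}

# check_ssl_db DIR -> 0 if the certificate db looks initialised
check_ssl_db() {
    [ -f "$1/index.txt" ] && [ -f "$1/serial" ] && [ -d "$1/certs" ]
}

# weak_tls_settings FILE -> one line per directive that hides bad upstream certs
weak_tls_settings() {
    grep -Eq '^[[:space:]]*sslproxy_flags[[:space:]]+DONT_VERIFY_PEER' "$1" &&
        echo "sslproxy_flags DONT_VERIFY_PEER: upstream certs are not verified"
    grep -Eq '^[[:space:]]*sslproxy_cert_error[[:space:]]+allow[[:space:]]+all' "$1" &&
        echo "sslproxy_cert_error allow all: every cert error is accepted"
    return 0
}

# check_conf FILE -> prints findings; returns the number of failed checks
check_conf() {
    fails=0
    helper=$(conf_value "$1" sslcrtd_program)
    [ -n "$helper" ] && [ -x "$helper" ] ||
        { echo "sslcrtd_program missing or not executable: '$helper'"; fails=$((fails + 1)); }
    db=$(sslcrtd_db_dir "$1")
    check_ssl_db "$db" ||
        { echo "ssl_db not initialised at '$db' (run: $helper -c -s $db)"; fails=$((fails + 1)); }
    weak_tls_settings "$1"
    return $fails
}

# build_sample DIR: constructed squid.conf, stub helper and initialised db
build_sample() {
    mkdir -p "$1/libexec" "$1/ssl_db/certs"
    : > "$1/ssl_db/index.txt"; echo 01 > "$1/ssl_db/serial"
    printf '#!/bin/sh\nexit 0\n' > "$1/libexec/ssl_crtd"; chmod +x "$1/libexec/ssl_crtd"
    printf '%s\n' "sslproxy_cert_error allow all" "sslproxy_flags DONT_VERIFY_PEER" \
        "sslcrtd_program $1/libexec/ssl_crtd -s $1/ssl_db -M 4MB" > "$1/squid.conf"
}
```

Point check_conf at a real squid.conf, or run `build_sample /tmp/demo && check_conf /tmp/demo/squid.conf` to see the report on the constructed sample.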