Sorry

tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

Would I add this here?

> On Jul 4, 2024, at 15:12, Jonathan Lee <jonathanlee...@gmail.com> wrote:
>
> I know before I could use
>
> tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> However with the update I am seeing
>
> ERROR: Unsupported TLS option SINGLE_ECDH_USE
>
> I found researching in lists-squid-cache.org <http://lists-squid-cache.org/> that someone solved this with appending TLS13-AES-256-CGM-SHA384 to the ciphers.
>
> I am thinking this is my issue also.
>
> I see that error over and over when I run "squid -k parse"
>
> Do I append this to the options cipher list?
>
> Jonathan Lee
>
>> On Jul 4, 2024, at 14:45, Alex Rousskov <rouss...@measurement-factory.com> wrote:
>>
>> On 2024-07-04 15:37, Jonathan Lee wrote:
>>
>>> in Squid.conf I have nothing with that directive.
>>
>> Sounds good; sslproxy_cert_sign default should work OK in most cases. I mentioned signUntrusted algorithm so that you can discover (from the corresponding sslproxy_cert_sign documentation) which CA/certificate Squid uses in which SslBump use case. Triage is often easier if folks share the same working theory, and my current working theory suggests that we are looking at a (default) signUntrusted use case.
>>
>> The solution here probably does _not_ involve changing sslproxy_cert_sign configuration, but, to make progress, I need more info to confirm this working theory and describe next steps.
>>
>>
>>> Yes I am using SSL bump with this configuration..
>>
>> Noted, thank you.
>>
>>
>>> So would I use this directive
>>
>> I do not recommend changing your configuration at this time. I recommend rereading my earlier recommendation and following that instead: "As the next step in triage, I recommend determining what that CA is in these cases (e.g., by capturing raw TLS packets and matching them with connection information from A000417 error messages in cache.log or %err_detail in access.log)."
>>
>>
>> HTH,
>>
>> Alex.
>>
>>
>>>> On Jul 4, 2024, at 09:56, Alex Rousskov wrote:
>>>>
>>>> On 2024-07-04 12:11, Jonathan Lee wrote:
>>>>> failure while accepting a TLS connection on conn5887 local=192.168.1.1:3128 SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417
>>>>
>>>> A000417 is an "unknown CA" alert sent by client to Squid while the client is trying to establish a TLS connection to/through Squid. The client does not trust the Certificate Authority that signed the certificate that was used for that TLS connection.
>>>>
>>>> As the next step in triage, I recommend determining what that CA is in these cases (e.g., by capturing raw TLS packets and matching them with connection information from A000417 error messages in cache.log or %err_detail in access.log).
>>>>
>>>> If you use SslBump for port 3128 traffic, then one of the possibilities here is that Squid is using an unknown-to-client CA to report an origin server that Squid itself does not trust (see signUntrusted in squid.conf.documented). In those cases, logging a level-1 ERROR is a Squid bug because that expected/desirable outcome should be treated as success (and a successful TLS accept treated as an error!).
>>>>
>>>>
>>>> HTH,
>>>>
>>>> Alex.
>>
>>
>>>>> Is my main concern however I use the squid guard URL blocker
>>>>> Sent from my iPhone
>>>>>> On Jul 4, 2024, at 07:41, Alex Rousskov <rouss...@measurement-factory.com> wrote:
>>>>>>
>>>>>> On 2024-07-03 13:56, Jonathan Lee wrote:
>>>>>>> Hello fellow Squid users does anyone know how to fix this issue?
>>>>>>
>>>>>> I counted about eight different "issues" in your cache.log sample. Most of them are probably independent. I recommend that you explicitly pick _one_, search mailing list archives for previous discussions about it, and then provide as many details about it as you can (e.g., what traffic causes it and/or matching access.log records).
>>>>>>
>>>>>>
>>>>>> HTH,
>>>>>>
>>>>>> Alex.
>>>>>>
>>>>>>
>>>>>>> Squid - Cache Logs
>>>>>>> Date-Time Message
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 03.07.2024 10:54:34 kick abandoning conn7853 local=192.168.1.1:3128 remote=192.168.1.5:49710 FD 89 flags=1
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 03.07.2024 10:54:29 kick abandoning conn7844 local=192.168.1.1:3128 remote=192.168.1.5:49702 FD 81 flags=1
>>>>>>> 03.07.2024 10:54:09 ERROR: failure while accepting a TLS connection on conn7648 local=192.168.1.1:3128 remote=192.168.1.5:49672 FD 44 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:54:09 ERROR: failure while accepting a TLS connection on conn7647 local=192.168.1.1:3128 remote=192.168.1.5:49670 FD 43 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:54:09 ERROR: failure while accepting a TLS connection on conn7646 local=192.168.1.1:3128 remote=192.168.1.5:49668 FD 34 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:53:04 ERROR: failure while accepting a TLS connection on conn7367 local=192.168.1.1:3128 remote=192.168.1.5:49627 FD 22 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:52:47 ERROR: failure while accepting a TLS connection on conn7345 local=192.168.1.1:3128 remote=192.168.1.5:49618 FD 31 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:52:38 ERROR: failure while accepting a TLS connection on conn7340 local=192.168.1.1:3128 remote=192.168.1.5:49616 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:52:34 ERROR: failure while accepting a TLS connection on conn7316 local=192.168.1.1:3128 remote=192.168.1.5:49609 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 03.07.2024 10:51:55 WARNING: Error Pages Missing Language: en-us
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 03.07.2024 10:51:55 ERROR: loading file '/usr/local/etc/squid/errors/en-us/ERR_ZERO_SIZE_OBJECT': (2) No such file or directory
>>>>>>> 03.07.2024 10:51:44 ERROR: failure while accepting a TLS connection on conn7102 local=192.168.1.1:3128 remote=192.168.1.5:49574 FD 34 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:51:28 ERROR: failure while accepting a TLS connection on conn7071 local=192.168.1.1:3128 remote=192.168.1.5:49568 FD 92 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:50:29 ERROR: failure while accepting a TLS connection on conn6944 local=192.168.1.1:3128 remote=192.168.1.5:49534 FD 101 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:49:54 ERROR: failure while accepting a TLS connection on conn6866 local=192.168.1.1:3128 remote=192.168.1.5:49519 FD 31 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:49:38 ERROR: failure while accepting a TLS connection on conn6809 local=192.168.1.1:3128 remote=192.168.1.5:49503 FD 31 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 03.07.2024 10:49:32 ERROR: system call failure while accepting a TLS connection on conn6794 local=192.168.1.1:3128 remote=192.168.1.5:49496 FD 19 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=54
>>>>>>> 03.07.2024 10:49:24 ERROR: failure while accepting a TLS connection on conn6776 local=192.168.1.1:3128 remote=192.168.1.5:49481 FD 137 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:48:49 ERROR: failure while accepting a TLS connection on conn6440 local=192.168.1.1:3128 remote=192.168.1.5:49424 FD 16 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:48:49 ERROR: failure while accepting a TLS connection on conn6445 local=192.168.1.1:3128 remote=192.168.1.5:49426 FD 34 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:48:22 ERROR: failure while accepting a TLS connection on conn6035 local=192.168.1.1:3128 remote=192.168.1.5:49355 FD 226 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:48:09 ERROR: failure while accepting a TLS connection on conn5887 local=192.168.1.1:3128 remote=192.168.1.5:49318 FD 33 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:48:09 ERROR: failure while accepting a TLS connection on conn5875 local=192.168.1.1:3128 remote=192.168.1.5:49312 FD 216 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:48:09 ERROR: failure while accepting a TLS connection on conn5876 local=192.168.1.1:3128 remote=192.168.1.5:49314 FD 217 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:47:57 ERROR: failure while accepting a TLS connection on conn5815 local=192.168.1.1:3128 remote=192.168.1.5:49297 FD 201 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:47:54 ERROR: failure while accepting a TLS connection on conn5760 local=192.168.1.1:3128 remote=192.168.1.5:49289 FD 195 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:47:52 ERROR: failure while accepting a TLS connection on conn5717 local=192.168.1.1:3128 remote=192.168.1.5:49284 FD 195 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:47:50 ERROR: failure while accepting a TLS connection on conn5552 local=192.168.1.1:3128 remote=192.168.1.5:49268 FD 142 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 03.07.2024 10:47:34 kick abandoning conn5254 local=192.168.1.1:3128 remote=192.168.1.5:49209 FD 100 flags=1
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 03.07.2024 10:47:21 kick abandoning conn5022 local=192.168.1.1:3128 remote=192.168.1.5:49167 FD 37 flags=1
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 03.07.2024 10:47:21 kick abandoning conn5020 local=192.168.1.1:3128 remote=192.168.1.5:49165 FD 36 flags=1
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 03.07.2024 10:42:22 WARNING: Forwarding loop detected for:
>>>>>>> 03.07.2024 10:40:08 ERROR: failure while accepting a TLS connection on conn4955 local=192.168.1.1:3128 remote=192.168.1.5:52339 FD 98 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 03.07.2024 10:39:52 kick abandoning conn4927 local=192.168.1.1:3128 remote=192.168.1.5:52331 FD 105 flags=1
>>>>>>> 03.07.2024 10:39:09 ERROR: failure while accepting a TLS connection on conn4846 local=192.168.1.1:3128 remote=192.168.1.5:52314 FD 19 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:38:14 ERROR: failure while accepting a TLS connection on conn4650 local=192.168.1.1:3128 remote=192.168.1.5:52274 FD 35 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:38:08 ERROR: failure while accepting a TLS connection on conn4645 local=192.168.1.1:3128 remote=192.168.1.5:52272 FD 35 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>> 03.07.2024 10:38:04 ERROR: Unsupported TLS option SINGLE_ECDH_USE
>>>>>>> 03.07.2024 10:38:04 ERROR: Unsupported TLS option SINGLE_DH_USE
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 31.12.1969 16:00:00
>>>>>>> 31.12.1969 16:00:00
>>>>>>> _______________________________________________
>>>>>>> squid-users mailing list
>>>>>>> squid-users@lists.squid-cache.org
>>>>>>> https://lists.squid-cache.org/listinfo/squid-users
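Alex's triage step (pick one issue, then match the A000417 error messages in cache.log against connection information and a raw packet capture) can be scripted. The script below is an added example written for this thread; it is not code from the thread, from Squid or from its documentation. It parses the "failure while accepting a TLS connection" lines of the quoted cache.log excerpt, separates the A000417 and A000418 cases from the "system call failure" variant (which carries an errno instead of a TLS_LIB_ERR), counts them, and produces a capture filter for one connection from its local/remote endpoints. The only meaning it attaches to a code is the one Alex gives for A000417; A000418 is not explained in the thread and is left unlabelled. SAMPLE_LOG is a constructed subset of the quoted log, and the tcpdump-style filter syntax is assumed.

```python
"""Triage helper for Squid cache.log TLS accept failures (added example)."""
import re
from collections import Counter, defaultdict

# One regex for both accept-failure variants seen in the thread:
#   "ERROR: failure while accepting a TLS connection ... TLS_LIB_ERR=A000417+TLS_IO_ERR=1"
#   "ERROR: system call failure while accepting a TLS connection ... TLS_IO_ERR=5+errno=54"
ACCEPT_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"ERROR: (?P<kind>system call failure|failure) while accepting a TLS connection "
    r"on (?P<conn>conn\d+) local=(?P<local>\S+) remote=(?P<remote>\S+) "
    r"FD (?P<fd>\d+) flags=(?P<flags>\d+): (?P<detail>\S+)$"
)

# Code meanings as stated in the thread. A000418 appears in the log but is
# not explained there, so it is deliberately absent rather than guessed.
KNOWN_CODES = {"A000417": "unknown CA alert sent by the client (per the thread)"}

# Constructed sample: a subset of the lines from the quoted cache.log, including
# the noise patterns (epoch-zero timestamps, "kick abandoning", config errors)
# that a triage script must skip.
SAMPLE_LOG = """\
31.12.1969 16:00:00
03.07.2024 10:54:34 kick abandoning conn7853 local=192.168.1.1:3128 remote=192.168.1.5:49710 FD 89 flags=1
03.07.2024 10:54:09 ERROR: failure while accepting a TLS connection on conn7648 local=192.168.1.1:3128 remote=192.168.1.5:49672 FD 44 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:52:38 ERROR: failure while accepting a TLS connection on conn7340 local=192.168.1.1:3128 remote=192.168.1.5:49616 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
03.07.2024 10:49:32 ERROR: system call failure while accepting a TLS connection on conn6794 local=192.168.1.1:3128 remote=192.168.1.5:49496 FD 19 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=54
03.07.2024 10:48:09 ERROR: failure while accepting a TLS connection on conn5887 local=192.168.1.1:3128 remote=192.168.1.5:49318 FD 33 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:38:04 ERROR: Unsupported TLS option SINGLE_ECDH_USE
"""


def parse_detail(detail):
    """Split 'SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1' into a dict.

    Bare tokens without '=' (the SQUID_TLS_ERR_ACCEPT category) map to None.
    """
    parts = {}
    for token in detail.split("+"):
        key, sep, value = token.partition("=")
        parts[key] = value if sep else None
    return parts


def parse_accept_failures(text):
    """Return one event dict per TLS accept failure; all other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line.strip())
        if not m:
            continue
        detail = parse_detail(m.group("detail"))
        events.append({
            "timestamp": f"{m.group('date')} {m.group('time')}",
            "conn": m.group("conn"),
            "local": m.group("local"),
            "remote": m.group("remote"),
            "lib_err": detail.get("TLS_LIB_ERR"),   # None for system call failures
            "io_err": detail.get("TLS_IO_ERR"),
            "errno": detail.get("errno"),
        })
    return events


def summarize(events):
    """Count failures per TLS_LIB_ERR code (None groups the errno-only failures)."""
    return Counter(e["lib_err"] for e in events)


def clients_by_code(events):
    """Which client hosts produced each code; useful for picking _one_ issue."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["lib_err"]].add(e["remote"].rsplit(":", 1)[0])
    return {code: sorted(h) for code, h in hosts.items()}


def describe(code):
    return KNOWN_CODES.get(code, "not explained in the thread")


def capture_filter(event):
    """tcpdump-style filter isolating this one connection in a packet capture
    (assumed syntax), so the CA in the server certificate can be inspected."""
    lhost, lport = event["local"].rsplit(":", 1)
    rhost, rport = event["remote"].rsplit(":", 1)
    return f"tcp and host {rhost} and port {rport} and host {lhost} and port {lport}"


if __name__ == "__main__":
    evs = parse_accept_failures(SAMPLE_LOG)
    for code, n in summarize(evs).items():
        print(f"{code}: {n} failure(s), {describe(code)}, clients {clients_by_code(evs)[code]}")
    for e in evs:
        print(f"{e['timestamp']} {e['conn']} -> {capture_filter(e)}")
```

Run it against a real cache.log by replacing SAMPLE_LOG with the file contents; the per-code counts tell you which single issue to take to the list, and the filter for one A000417 event is what you would hand to a packet capture to see which CA signed the certificate that the client rejected.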