On 3/12/2011 4:44 a.m., Sean Boran wrote:
> With squid running sslbump in routing mode, and used by a handful of users, squid is crashing regularly, linked to visiting SSL sites. Logs --
> 2011/11/29 11:39:36| clientNegotiateSSL: Error negotiating SSL connection on FD 45: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)

Something in your OpenSSL library is incompatible with the SSL or TLS version being used by one of the certificates.
Given your helper problems I would not put it past being a corrupted local certificate file in the helper's database.

> 2011/11/29 11:39:43| WARNING: ssl_crtd #2 (FD 11) exited
> 2011/11/29 11:39:43| Too few ssl_crtd processes are running (need 1/50)
> 2011/11/29 11:39:43| Starting new helpers
> 2011/11/29 11:39:43| helperOpenServers: Starting 1/50 'ssl_crtd' processes
> 2011/11/29 11:39:43| client_side.cc(3462) sslCrtdHandleReply: "ssl_crtd" helper return<NULL> reply

Major problem. Why is the helper dying on startup?

> 2011/11/29 11:39:44| WARNING: ssl_crtd #1 (FD 9) exited
> 2011/11/29 11:39:44| Too few ssl_crtd processes are running (need 1/50)
> 2011/11/29 11:39:44| storeDirWriteCleanLogs: Starting...
> 2011/11/29 11:39:44| Finished. Wrote 0 entries.
> 2011/11/29 11:39:44| Took 0.00 seconds ( 0.00 entries/sec).
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
> --
> So ssl_crtd is dying which is one issue, but it's also killing squid which is even worse.

As designed. These helpers dying is not as trivial as you seem to think. It is happening immediately on starting the helper. Ignoring the crash abort in Squid only works if the helpers get some work done between dying. Ignoring startup crashes will lead to the machine CPU(s) being overloaded.
Amos
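
Added example, not part of the original message and not Squid code: a small triage script for cache.log that separates helper exits occurring right after Squid starts new helpers (the startup-crash case discussed above) from other exits, and records the FATAL abort. The 5-second window, the function name `analyze` and the report layout are assumptions made for this illustration; the sample lines are the ones quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample: cache.log lines quoted in the message above, one per line.
SAMPLE_LOG = """\
2011/11/29 11:39:36| clientNegotiateSSL: Error negotiating SSL connection on FD 45: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
2011/11/29 11:39:43| WARNING: ssl_crtd #2 (FD 11) exited
2011/11/29 11:39:43| Too few ssl_crtd processes are running (need 1/50)
2011/11/29 11:39:43| Starting new helpers
2011/11/29 11:39:43| helperOpenServers: Starting 1/50 'ssl_crtd' processes
2011/11/29 11:39:43| client_side.cc(3462) sslCrtdHandleReply: "ssl_crtd" helper return<NULL> reply
2011/11/29 11:39:44| WARNING: ssl_crtd #1 (FD 9) exited
2011/11/29 11:39:44| Too few ssl_crtd processes are running (need 1/50)
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
"""

LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| (.*)$")
EXIT = re.compile(r"WARNING: (\S+) #(\d+) \(FD \d+\) exited")
START = re.compile(r"helperOpenServers: Starting \d+/\d+ '([^']+)' processes")
FATAL = re.compile(r"FATAL: The (\S+) helpers are crashing too rapidly")
TLS_ERR = re.compile(r"clientNegotiateSSL: Error negotiating SSL connection")

def analyze(log_text, window=5):
    """Summarise helper exits; 'window' (seconds) is an assumed threshold."""
    report = {"exits": [], "startup_exits": [], "tls_errors": 0, "fatal": None}
    last_start = {}  # helper name -> time Squid last launched that helper type
    for raw in log_text.splitlines():
        fatal = FATAL.search(raw)
        if fatal:  # the FATAL line carries no timestamp in the quoted log
            report["fatal"] = fatal.group(1)
            continue
        line = LINE.match(raw)
        if not line:
            continue
        ts = datetime.strptime(line.group(1), "%Y/%m/%d %H:%M:%S")
        msg = line.group(2)
        start, exited = START.search(msg), EXIT.search(msg)
        if TLS_ERR.search(msg):
            report["tls_errors"] += 1
        elif start:
            last_start[start.group(1)] = ts
        elif exited:
            event = (exited.group(1), int(exited.group(2)), ts)
            report["exits"].append(event)
            began = last_start.get(event[0])
            # Heuristic: an exit within 'window' seconds of a helper launch
            # is counted as a startup crash.
            if began is not None and (ts - began).total_seconds() <= window:
                report["startup_exits"].append(event)
    return report

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```
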