Hi,

Hmm. Is that negotiation between browser and squid or between squid and the destination site?

Openssl is 0.9.8k (standard with Ubuntu Lucid 10.04)

I wiped /var/lib/squid_ssl_db/certs, and re-ran
/usr/local/squid/libexec/ssl_crtd -c -s /var/lib/squid_ssl_db /var/lib/squid_ssl_db/certs
so that new certs would be generated.

... and so far, no crashes.

If this resolves the issue, then perhaps the problem was that I changed the proxy's CA key several times during tests, so some target sites would have been generated with different CA keys, and would have still been cached in /var/lib/squid_ssl_db/certs.

The lesson would then be to empty /var/lib/squid_ssl_db/certs if one changes the CA key :-)

Thanks,

Sean

On 2 December 2011 17:48, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 3/12/2011 4:44 a.m., Sean Boran wrote:
>>
>> With squid running sslbump in routing mode, and used by a handful of
>> users, squid is crashing regularly, linked to visiting SSL sites.
>>
>> Logs
>> --
>> 2011/11/29 11:39:36| clientNegotiateSSL: Error negotiating SSL connection on FD 45: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
>
> Something in your OpenSSL library is incompatible with the SSL or TLS
> version being used by one of the certificates.
>
> Given your helper problems I would not put it past being a corrupted local
> certificate file in the helpers database.
>
>> 2011/11/29 11:39:43| WARNING: ssl_crtd #2 (FD 11) exited
>> 2011/11/29 11:39:43| Too few ssl_crtd processes are running (need 1/50)
>> 2011/11/29 11:39:43| Starting new helpers
>> 2011/11/29 11:39:43| helperOpenServers: Starting 1/50 'ssl_crtd' processes
>> 2011/11/29 11:39:43| client_side.cc(3462) sslCrtdHandleReply: "ssl_crtd" helper return<NULL> reply
>
> Major problem. Why is the helper dying on startup?
>
>> 2011/11/29 11:39:44| WARNING: ssl_crtd #1 (FD 9) exited
>> 2011/11/29 11:39:44| Too few ssl_crtd processes are running (need 1/50)
>> 2011/11/29 11:39:44| storeDirWriteCleanLogs: Starting...
>> 2011/11/29 11:39:44| Finished. Wrote 0 entries.
>> 2011/11/29 11:39:44| Took 0.00 seconds ( 0.00 entries/sec).
>> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>> --
>>
>> So ssl_crtd is dying which is one issue, but it's also killing squid which is
>> even worse.
>
> As designed. These helpers dying is not as trivial as you seem to think. It
> is happening immediately on starting the helper. Ignoring the crash abort in
> Squid only works if the helpers get some work done between dying. Ignoring
> startup crashes will lead to the machine CPU(s) being overloaded.
>
> Amos
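An added example, not part of the thread: a shell check for the situation Sean suspects, listing cached ssl_crtd certificates that no longer verify against the CA Squid is currently signing with, plus the thread's rebuild steps wrapped in a function. The CA PEM path is a placeholder; the database path and ssl_crtd invocation are the ones quoted above, and the check assumes the cached certificates are PEM files under the certs directory.

```shell
#!/bin/sh
# Added example (not from the squid-users thread). Assumptions: mimic certs
# are stored as PEM files under <db>/certs, the current CA certificate lives
# at /etc/squid/ssl_cert/proxyCA.pem (placeholder path), and openssl is on PATH.

# List cached certs that do not chain to the given CA certificate.
# Returns 1 if at least one stale cert was found, 0 if every cert verifies.
stale_mimic_certs() {
    ca_pem=$1
    certs_dir=$2
    stale=0
    for pem in "$certs_dir"/*.pem; do
        [ -e "$pem" ] || continue   # an empty directory leaves the glob unexpanded
        if ! openssl verify -CAfile "$ca_pem" "$pem" >/dev/null 2>&1; then
            echo "stale: $pem (does not verify against $ca_pem)"
            stale=1
        fi
    done
    return $stale
}

# The thread's remedy as a function: drop the cached certs and re-create the
# database so ssl_crtd signs fresh ones with the current CA key. Run it only
# while Squid is stopped. The ssl_crtd invocation is copied from the thread;
# its argument conventions differ between Squid versions.
rebuild_ssl_db() {
    db=${1:-/var/lib/squid_ssl_db}
    rm -rf "$db/certs"
    /usr/local/squid/libexec/ssl_crtd -c -s "$db" "$db/certs"
}

# Run the check against the live store only when invoked with --check.
if [ "${1:-}" = "--check" ]; then
    stale_mimic_certs /etc/squid/ssl_cert/proxyCA.pem /var/lib/squid_ssl_db/certs
fi
```

Running the check before wiping the directory confirms whether stale certificates signed by an older CA key are actually present, rather than guessing.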