
Re: Squid RP in front of Atlassian Stash with SSL - 100% CPU and not responding

On 8/08/2013 8:04 p.m., PSA4444 wrote:
> I've been stuck on this for 2 days now.
>
> After accessing this cache a couple of times, the CPU jumps to 100% and
> squid stops forwarding requests.
> It remained like this for 24 hours until I killed the process.
>
> Adding the following lines to the config has resolved the issue:
>
> ########################
> always_direct allow all
> sslproxy_flags DONT_VERIFY_PEER
> ########################
>
> BOTH of those lines must be added otherwise the symptoms return.
>
> But why? What are the security implications of these settings and why would
> they resolve the infinite loop problem?

This may be OpenSSL's bug 3090, which has an infinite loop recursing certificate chains on validation.

If so, the sslproxy_flags line is disabling certificate verification on DIRECT traffic, and always_direct is disabling use of the cache_peer with SSL settings.

Please try the patch which can be downloaded from here:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-12963.patch
It may need some tweaking to apply on 3.3 or 3.2 versions of Squid.



> Config snippet
> ########################
> https_port 443 accel cert=/path/to/CertAuth/cert.cert key=/path/to/CertAuth/key.pem vhost defaultsite=www.domain.com
>
> cache_peer source.domain.com parent 443 0 no-query originserver ssl sslversion=3 connect-timeout=8 connect-fail-limit=2 sslflags=DONT_VERIFY_PEER front-end-https=on name=source login=PASSTHRU
> acl sites_source dstdomain source.domain.com
> cache_peer_access source allow sites_source
> acl http proto http
> acl https proto https
> ########################
>
> Replicated problem with:
> Ubuntu 12.04 - Squid 3.2 - compiled.
> CentOS 6 - Squid 3.3 - compiled.
> CentOS 6 - Squid 3.1 - installed from repository.
>
> Atlassian Stash with paid-for SSL certificate - looks fine connecting
> directly in Firefox.
> Atlassian Stash with self-signed SSL certificate.
>
> P.S. This appears to be the same problem:
> http://www.squid-cache.org/mail-archive/squid-users/201111/0416.html

I don't think so. In that report the certificate is accepted and the hang occurs afterwards. They are also having it with disabled verification on the failing link, which is the workaround that you found successful (you could replace that "always_direct allow all" with cache_peer sslflags=DONT_VERIFY_PEER).

Amos
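As an added example, not taken from this thread or from the Squid project, the two-line workaround discussed above is written out with what each line actually does, followed by the verifying cache_peer configuration a defender would want to return to once the linked patch is applied. The hostnames, the peer name and the CA bundle path are placeholders; sslcafile= and ssldomain= are Squid 3.x cache_peer options, and the thread's sslversion=3 is deliberately not carried over.

```conf
# --- Workaround as posted in this thread (weakens security) -----------------
# always_direct sends every request straight to the origin, so the SSL
# cache_peer is never used at all (and neither are its verification settings).
always_direct allow all
# DONT_VERIFY_PEER switches off certificate verification for that DIRECT
# traffic: Squid accepts whatever certificate the origin presents.
sslproxy_flags DONT_VERIFY_PEER

# --- Verifying configuration to return to once the patch is applied ---------
# No always_direct, so requests for the site go through the peer, and no
# DONT_VERIFY_PEER, so the peer certificate must chain to the CA bundle named
# in sslcafile= and carry the name given in ssldomain=.
# Placeholders: source.domain.com, /path/to/PEER_CA_BUNDLE.pem, peer name "source".
# For the self-signed Stash case from the thread, the bundle file can hold the
# server's own certificate, which OpenSSL then treats as the trust anchor.
cache_peer source.domain.com parent 443 0 no-query originserver ssl sslcafile=/path/to/PEER_CA_BUNDLE.pem ssldomain=source.domain.com connect-timeout=8 connect-fail-limit=2 front-end-https=on name=source login=PASSTHRU
acl sites_source dstdomain source.domain.com
cache_peer_access source allow sites_source
# Refuse to fall back to an unverified DIRECT connection for this site.
never_direct allow sites_source
```

The second block is the configuration to check against after upgrading: if Squid still hangs with it in place, the loop in chain validation has not been patched, whereas with the first block the hang disappears only because no chain is ever validated.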
