On 8/08/2013 8:04 p.m., PSA4444 wrote:
> I've been stuck on this for 2 days now. After accessing this cache a couple of times, the CPU jumps to 100% and squid stops forwarding requests. It remained like this for 24 hours until I killed the process. Adding the following lines to the config has resolved the issue:
>
> ########################
> always_direct allow all
> sslproxy_flags DONT_VERIFY_PEER
> ########################
>
> BOTH of those lines must be added otherwise the symptoms return. But why? What are the security implications of these settings and why would they resolve the infinite loop problem?
This may be OpenSSL's bug 3090, which has an infinite loop recursing certificate chains on validation.
If so, sslproxy_flags is disabling certificate verification on DIRECT traffic, and always_direct is disabling use of the cache_peer with SSL settings.
Please try the patch which can be downloaded from here: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-12963.patch It may need some tweaking to apply on 3.3 or 3.2 versions of Squid.
> Config snippet
> ########################
> https_port 443 accel cert=/path/to/CertAuth/cert.cert key=/path/to/CertAuth/key.pem vhost defaultsite=www.domain.com
> cache_peer source.domain.com parent 443 0 no-query originserver ssl sslversion=3 connect-timeout=8 connect-fail-limit=2 sslflags=DONT_VERIFY_PEER front-end-https=on name=source login=PASSTHRU
> acl sites_source dstdomain source.domain.com
> cache_peer_access source allow sites_source
> acl http proto http
> acl https proto https
> ########################
>
> Replicated problem with:
> Ubuntu 12.04 - Squid 3.2 - compiled.
> CentOS 6 - Squid 3.3 - compiled.
> CentOS 6 - Squid 3.1 - installed from repository.
> Atlassian Stash with paid-for SSL Certificate - looks fine connecting directly in firefox.
> Atlassian Stash with self-signed SSL certificate.
>
> P.S. This appears to be the same problem: http://www.squid-cache.org/mail-archive/squid-users/201111/0416.html
I don't think so. In that report the certificate is accepted and the hang occurs afterwards. They are also having it with disabled verification on the failing link, which is the workaround that you found successful (you could replace that "always_direct allow all" with cache_peer sslflags=DONT_VERIFY_PEER).
Amos
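As an added illustration (not from either poster's configuration), the two ways the origin link in the snippet above can be configured: the posted form, where sslflags=DONT_VERIFY_PEER makes Squid accept whatever certificate source.domain.com presents, and a verifying form that drops the flag and instead tells Squid which CA to trust via the cache_peer sslcafile= option. The CA file path /etc/squid/stash-ca.pem is a placeholder; the hostname, port, timeouts and peer name are the ones from the thread.

```conf
# Added example, not the original poster's or Amos's config.
# Use ONE of the two cache_peer lines below; both name the peer "source".

# (A) Workaround form, as posted: peer certificate is never checked.
#     Any host that answers on source.domain.com:443 is trusted, so the
#     Squid-to-origin hop is exposed to impersonation / interception.
cache_peer source.domain.com parent 443 0 no-query originserver ssl sslversion=3 connect-timeout=8 connect-fail-limit=2 sslflags=DONT_VERIFY_PEER front-end-https=on name=source login=PASSTHRU

# (B) Verifying form: no DONT_VERIFY_PEER; Squid validates the origin's
#     certificate against the CA in sslcafile. For a self-signed Stash
#     certificate, that PEM file is the server certificate itself.
#     sslversion=1 lets the library negotiate instead of pinning SSLv3 only.
#     (/etc/squid/stash-ca.pem is a placeholder path.)
cache_peer source.domain.com parent 443 0 no-query originserver ssl sslversion=1 connect-timeout=8 connect-fail-limit=2 sslcafile=/etc/squid/stash-ca.pem front-end-https=on name=source login=PASSTHRU

# Route only the intended site through the peer (unchanged from the thread).
acl sites_source dstdomain source.domain.com
cache_peer_access source allow sites_source

# Deliberately NO global "sslproxy_flags DONT_VERIFY_PEER" and no
# "always_direct allow all": DIRECT TLS connections keep full verification,
# and any relaxation is scoped to this one cache_peer line, as Amos suggests.
```

Before switching from (A) to (B), confirm the chain actually validates from the Squid host with the same CA file (for example with openssl s_client and the -CAfile option against source.domain.com:443 and checking the verify return code); if that hangs or fails on an otherwise valid chain, it points back at the OpenSSL chain-recursion problem Amos describes rather than at the configuration.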