
Skype makes Squid with ssl_bump crash


 



Hi list.

I'm experiencing some crashes on Squid workers and eventually on the parent process while using a mixed authenticated/intercepted ssl_bump + Skype (7.21.0.100). After searching for some clues, I've found this:

Changes to squid-3.5.9 (17 Sep 2015):
    ...
    - Bug 4309: crash during Skype login
    ...

I'm running the exact Squid 3.5.9, provided by official Fedora 23 (x64) repositories and noticed this behavior only while using Skype.

My squid.conf contains the section below. If Skype isn't open or if it managed to authenticate without crashing the Squid main process then everything works normally. If I comment these lines, Skype won't affect Squid at all (not a single worker exits) and everything also works normally in the authenticated, non-intercepted mode. So, this only happens for whatever reason when it is trying to authenticate the Skype user. All other concurrent connections are terminated during the authentication.

If the bug has been addressed then maybe it is something I'm doing wrong? Or maybe this is a different one?
Thanks everyone!


/etc/squid/squid.conf
...
    http_port 192.168.0.1:3128 intercept
    https_port 192.168.0.1:3129 cert=/etc/squid/ssl/squidCA.pem key=/etc/squid/ssl/squidCA.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

    acl http_intercept dstdom_regex -i "/etc/squid/allow-intercepted.txt"
    http_access allow SSL_ports
    http_access allow http_intercept
    http_access deny all

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    ssl_bump peek step1 all
    ssl_bump peek step2 all

    acl https_intercept ssl::server_name_regex "/etc/squid/allow-intercepted.txt"
    ssl_bump splice step3 https_intercept
    ssl_bump terminate all

    sslproxy_capath /etc/ssl/certs
    sslproxy_options ALL

    sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
    sslcrtd_children 5

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/var/log/messages:

...
Jun 8 17:12:44 squidserver abrt-hook-ccpp: Process 23301 (squid) of user 23 killed by SIGABRT - dumping core
Jun 8 17:12:45 squidserver squid[23299]: Squid Parent: (squid-1) process 23301 exited due to signal 6 with status 0
Jun 8 17:12:45 squidserver abrt-server: Deleting problem directory ccpp-2016-06-08-17:12:44-23301 (dup of ccpp-2016-03-24-02:28:05-10168)
Jun 8 17:12:45 squidserver dbus[630]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Jun 8 17:12:45 squidserver dbus[630]: [system] Successfully activated service 'org.freedesktop.problems'
Jun 8 17:12:48 squidserver squid[23299]: Squid Parent: (squid-1) process 23726 started
Jun 8 17:12:48 squidserver (squid-1): Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun 8 17:12:48 squidserver squid[23299]: Squid Parent: (squid-1) process 23726 exited with status 1
Jun 8 17:12:51 squidserver squid[23299]: Squid Parent: (squid-1) process 23733 started
Jun 8 17:12:51 squidserver (squid-1): Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun 8 17:12:51 squidserver squid[23299]: Squid Parent: (squid-1) process 23733 exited with status 1
Jun 8 17:12:54 squidserver squid[23299]: Squid Parent: (squid-1) process 23806 started
Jun 8 17:12:54 squidserver (squid-1): Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun 8 17:12:54 squidserver squid[23299]: Squid Parent: (squid-1) process 23806 exited with status 1
Jun 8 17:12:57 squidserver squid[23299]: Squid Parent: (squid-1) process 23813 started
Jun 8 17:12:57 squidserver (squid-1): Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun 8 17:12:57 squidserver squid[23299]: Squid Parent: (squid-1) process 23813 exited with status 1
Jun 8 17:13:00 squidserver squid[23299]: Squid Parent: (squid-1) process 23820 started
Jun 8 17:13:00 squidserver (squid-1): Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun 8 17:13:00 squidserver squid[23299]: Squid Parent: (squid-1) process 23820 exited with status 1
Jun 8 17:13:00 squidserver squid[23299]: Squid Parent: (squid-1) process 23820 will not be restarted due to repeated, frequent failures
Jun 8 17:13:00 squidserver squid[23299]: Exiting due to repeated, frequent failures
Jun 8 17:13:00 squidserver systemd: squid.service: Main process exited, code=exited, status=1/FAILURE
Jun 8 17:13:00 squidserver squid: squid: ERROR: Could not send signal 15 to process 23301: (3) No such process
Jun 8 17:13:00 squidserver systemd: squid.service: Control process exited, code=exited status=1
Jun 8 17:13:00 squidserver systemd: squid.service: Unit entered failed state.
Jun 8 17:13:00 squidserver systemd: squid.service: Failed with result 'exit-code'.
...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/var/log/squid/cache.log

...
2016/06/08 17:12:43 kid1| hold write on SSL connection on FD 29
2016/06/08 17:12:44 kid1| Closing HTTP port 192.168.0.1:8080
2016/06/08 17:12:44 kid1| Closing HTTP port 127.0.0.1:8080
2016/06/08 17:12:44 kid1| Closing HTTP port 192.168.0.1:3128
2016/06/08 17:12:44 kid1| Closing HTTPS port 192.168.0.1:3129
2016/06/08 17:12:44 kid1| storeDirWriteCleanLogs: Starting...
2016/06/08 17:12:44 kid1|   Finished.  Wrote 61 entries.
2016/06/08 17:12:44 kid1|   Took 0.00 seconds (291866.03 entries/sec).
2016/06/08 17:12:48 kid1| Set Current Directory to /var/spool/squid
2016/06/08 17:12:48 kid1| Starting Squid Cache version 3.5.9 for x86_64-redhat-linux-gnu...
2016/06/08 17:12:48 kid1| Service Name: squid
2016/06/08 17:12:48 kid1| Process ID 23726
2016/06/08 17:12:48 kid1| Process Roles: worker
2016/06/08 17:12:48 kid1| With 16384 file descriptors available
2016/06/08 17:12:48 kid1| Initializing IP Cache...
2016/06/08 17:12:48 kid1| DNS Socket created at [::], FD 9
2016/06/08 17:12:48 kid1| DNS Socket created at 0.0.0.0, FD 11
2016/06/08 17:12:48 kid1| Adding domain riosoft.local from /etc/resolv.conf
2016/06/08 17:12:48 kid1| Adding nameserver 192.168.0.7 from /etc/resolv.conf
2016/06/08 17:12:48 kid1| Adding nameserver 192.168.0.8 from /etc/resolv.conf
2016/06/08 17:12:48 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Squid version and build flags:

[root@squidserver ~]# squid -v
Squid Cache: Version 3.5.9
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--with-pic' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -fPIC' 'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -pie -Wl,-z,relro -Wl,-z,now -Wl,--warn-shared-textrel' 'CXXFLAGS=-O2 -g -pipe -Wall -Werror=format-security 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

OpenSSL: openssl-1.0.2h-1.fc23.x86_64

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



