This is irrelevant to host_verify_strict. This is an effect of server-side CDN IP changes. Squid treats it as a security alert.

08.02.2018 00:03, steveno wrote:
> I was using squid 3.5.20 I encountered an issue running out of File
> Descriptors on Centos7, the scenario was that sockets would be abandoned in
> a "CLOSE_WAIT" state forever until the server ran out of FD's.
> Searching I found the following BUG.
> https://bugs.squid-cache.org/show_bug.cgi?id=4508
> This is listed as being a fix at 3.5.25, so I installed that version, once
> installed the FD problem seemed to be resolved, but now there is another
> issue "Default Value: host_verify_strict off" seems to be lost, in my access
> logs I get a number of entries:
> 2018-02-07 17:10:42 0 10.x.x.x TAG_NONE/409 3941 CONNECT
> sqs.us-west-2.amazonaws.com:443 sqs.us-west-2.amazonaws.com HIER_NONE/-
> text/html
>
> Cache logs I get:
> 2018/02/07 17:57:45 kid1| SECURITY ALERT: on URL:
> sqs.us-west-2.amazonaws.com:443
>
> And the clients making those requests tend to see dropped connections with a
> "SSL: UNKNOWN_PROTOCOL" error.
>
> I tried setting the value "host_verify_strict off" but it did not appear to
> have any effect.
>
> It looks like this fix for the File Descriptors has broken something else.
>
> Thanks.
>
> Steven Oakley.
>
> --
> Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

--
*****************************
* C++20 : Bug to the future *
*****************************
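To see which destinations and clients are affected by these rejections, the two kinds of log line quoted in the thread can be tallied per destination. This is an added example, not part of the original messages or of Squid itself; the regular expressions assume the log layouts shown in the quoted entries, and every sample line other than the first in each list is constructed.

```python
import re
from collections import Counter, defaultdict

# Layout assumed from the access.log entry quoted in the thread:
# date time elapsed client result/status bytes method url ...
ACCESS_RE = re.compile(
    r"^\S+ \S+ +\d+ +(?P<client>\S+) +[A-Z_]+/(?P<status>\d{3}) +\d+ +"
    r"(?P<method>\S+) +(?P<url>\S+)"
)
# Layout assumed from the cache.log entry quoted in the thread.
ALERT_RE = re.compile(r"\| SECURITY ALERT:.*?on URL: (?P<url>\S+)")


def summarize(access_lines, cache_lines):
    """Per destination: 409-rejected CONNECTs, affected clients, alert count."""
    rejected, clients, alerts = Counter(), defaultdict(set), Counter()
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m["status"] == "409" and m["method"] == "CONNECT":
            rejected[m["url"]] += 1
            clients[m["url"]].add(m["client"])
    for line in cache_lines:
        m = ALERT_RE.search(line)
        if m:
            alerts[m["url"]] += 1
    return {
        dest: {"rejected": rejected[dest], "alerts": alerts[dest],
               "clients": sorted(clients[dest])}
        for dest in sorted(set(rejected) | set(alerts))
    }


# First entry of each list is from the thread; the rest are constructed samples.
ACCESS_LOG = [
    "2018-02-07 17:10:42 0 10.x.x.x TAG_NONE/409 3941 CONNECT sqs.us-west-2.amazonaws.com:443 sqs.us-west-2.amazonaws.com HIER_NONE/- text/html",
    "2018-02-07 17:10:50 0 10.0.0.7 TAG_NONE/409 3941 CONNECT sqs.us-west-2.amazonaws.com:443 sqs.us-west-2.amazonaws.com HIER_NONE/- text/html",
    "2018-02-07 17:11:02 153 10.0.0.7 TCP_TUNNEL/200 5120 CONNECT www.example.org:443 www.example.org HIER_DIRECT/192.0.2.10 -",
    "2018-02-07 17:12:30 0 10.0.0.9 TAG_NONE/409 3941 CONNECT cdn.example.net:443 cdn.example.net HIER_NONE/- text/html",
]
CACHE_LOG = [
    "2018/02/07 17:57:45 kid1| SECURITY ALERT: on URL: sqs.us-west-2.amazonaws.com:443",
    "2018/02/07 17:58:01 kid1| SECURITY ALERT: on URL: cdn.example.net:443",
]

if __name__ == "__main__":
    for dest, info in summarize(ACCESS_LOG, CACHE_LOG).items():
        print(dest, info)
```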