Hi there,

I have configured squid's https_port for client certificate authorization:

https_port [2001:XXX:XX:XXX::2]:8008 cert=/etc/ssl/private/mydomain_de/mydomain_de.crt key=/etc/ssl/private/mydomain_de/mydomain_de.key clientca=/etc/squid/ssl-proxy/ca.crt tls-dh=/etc/squid/ssl/dh_2048.pem

This works as expected. Clients connect via client side stunnel4 using their individual client certificates.

However, I see many lines like these in the cache.log file:

2019/10/17 22:38:33.552 kid1| Error negotiating SSL connection on FD 44: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:41.619 kid1| Error negotiating SSL connection on FD 37: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:42.174 kid1| Error negotiating SSL connection on FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:42.312 kid1| Error negotiating SSL connection on FD 42: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:42.507 kid1| Error negotiating SSL connection on FD 44: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:46.755 kid1| Error negotiating SSL connection on FD 48: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:46.763 kid1| Error negotiating SSL connection on FD 58: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:46.771 kid1| Error negotiating SSL connection on FD 48: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:50.306 kid1| Error negotiating SSL connection on FD 77: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:50.314 kid1| Error negotiating SSL connection on FD 80: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:50.324 kid1| Error negotiating SSL connection on FD 77: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:40:01.898 kid1| Error negotiating SSL connection on FD 13: error:00000001:lib(0):func(0):reason(1) (1/-1)

Increasing debug output tells me that SSL negotiation fails and then succeeds, but I have no idea what causes these failures. Is it just related to the SSL handshake and nothing to worry about? If so, why is that reported to the logs?

Setting min and max TLS version on the client does not change the log output. TLS version used is 1.3 if allowed on the client.

Thanks for clarification,

Robert

--
Robert Senger
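
Added example, not part of the original post and not Squid's own code: a Python sketch that parses cache.log entries in the format quoted above and groups them into bursts, so the failures can be lined up against client reconnects in the stunnel logs. The function names, the 5-second gap and the reading of the trailing "(1/-1)" pair are assumptions.

```python
import re
from datetime import datetime, timedelta

# Matches the cache.log lines quoted in the post. ASSUMPTION: the trailing
# "(1/-1)" pair is the SSL_get_error() result and the handshake return value.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}) (?P<kid>kid\d+)\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):lib\((?P<lib>\d+)\):func\((?P<func>\d+)\)"
    r":reason\((?P<reason>\d+)\) \((?P<ssl_error>-?\d+)/(?P<ret>-?\d+)\)$"
)

def parse_line(line):
    """Return a dict for one handshake-error line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S.%f")
    for key in ("fd", "lib", "func", "reason", "ssl_error", "ret"):
        rec[key] = int(rec[key])
    return rec

def summarize_bursts(lines, max_gap=timedelta(seconds=5)):
    """Group errors spaced <= max_gap apart (input in log order); summarize each."""
    groups = []
    for rec in filter(None, map(parse_line, lines)):
        if groups and rec["ts"] - groups[-1][-1]["ts"] <= max_gap:
            groups[-1].append(rec)
        else:
            groups.append([rec])
    return [{"start": g[0]["ts"], "count": len(g),
             "fds": sorted({r["fd"] for r in g}),
             "codes": sorted({r["code"] for r in g})} for g in groups]

ERR = "error:00000001:lib(0):func(0):reason(1) (1/-1)"
# Five of the lines quoted in the post, plus one constructed unrelated line.
SAMPLE = [
    f"2019/10/17 22:38:33.552 kid1| Error negotiating SSL connection on FD 44: {ERR}",
    f"2019/10/17 22:38:41.619 kid1| Error negotiating SSL connection on FD 37: {ERR}",
    f"2019/10/17 22:38:42.174 kid1| Error negotiating SSL connection on FD 40: {ERR}",
    f"2019/10/17 22:38:46.755 kid1| Error negotiating SSL connection on FD 48: {ERR}",
    "2019/10/17 22:38:47.000 kid1| Some unrelated message (constructed)",
    f"2019/10/17 22:40:01.898 kid1| Error negotiating SSL connection on FD 13: {ERR}",
]

if __name__ == "__main__":
    for b in summarize_bursts(SAMPLE):
        print(b["start"], b["count"], b["fds"], b["codes"])
```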