
Re: Error negotiating SSL connection on FD 366 - cache.log


Cool, so I put this in squid.conf

debug_options 9
And then restart squid and tail the cache.log

On Wed, 30 Jun 2021, 16:48 robert k Wild, <robertkwild@xxxxxxxxx> wrote:
Thanks Alex,

How do I enable all 9 debugging to find out what client IP it is that's sending all these TLS errors?

There's a lot of Macs/PCs that are connected to this Squid server and I have added the myca.der file to their machines as I'm doing SSL bumping.

Thanks,
Rob



On Wed, 30 Jun 2021, 16:16 Alex Rousskov, <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 6/30/21 6:41 AM, robert k Wild wrote:

> never really noticed this as I rarely "tail -f" the cache log but I'm
> noticing these lines like every second

> 2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 266:
> error:00000001:lib(0):func(0):reason(1) (1/-1)
> 2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 270:
> error:00000001:lib(0):func(0):reason(1) (1/-1)
> 2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 285:
> error:00000001:lib(0):func(0):reason(1) (1/0)

> is this something to be worried about?

IMHO, you should worry about two things, at least:

1) The fact that you did not know about Squid complaints, especially
frequent ones. I do not think that constantly watching "tail -f" is the
answer here, but something in your Squid administration approach should
change to prevent similar lack of problem awareness in the future.

2) The fact that your Squid is complaining about something every second.
If the actual problem behind these errors does not deserve your
attention, then Squid should not be logging it at level 1 (and you
should complain that it does). Otherwise, the problem itself should be
addressed.

As for the error itself, it looks like your Squid cannot negotiate TLS
with some client(s). I do not know whether it is Squid's fault or the
client's. Enabling "ALL,9" debugging for a few seconds should be
sufficient to identify the client (at least by its IP address), which
may be enough to understand why the negotiation fails (or to give you
enough information to collect more details for triage).


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
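
Added example, not part of the thread and not Squid's own code: a small script that tallies the "Error negotiating SSL connection" lines from cache.log per minute and per error signature, so a recurring complaint like the one discussed above is noticed without watching "tail -f". The sample lines are constructed from the format quoted in the thread (each entry on one line); the function name, the threshold and the non-matching sample line are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the cache.log format quoted in the thread.
SAMPLE = """\
2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 266: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 270: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 285: error:00000001:lib(0):func(0):reason(1) (1/0)
2021/06/30 11:39:14 kid1| some unrelated constructed line
2021/06/30 11:40:02 kid1| Error negotiating SSL connection on FD 301: error:00000001:lib(0):func(0):reason(1) (1/-1)
"""

# Timestamp, optional "kidN" worker tag, then the message seen in the thread.
LINE = re.compile(
    r"^(?P<day>\d{4}/\d{2}/\d{2}) (?P<hm>\d{2}:\d{2}):\d{2}(?: kid\d+)?\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"(?P<err>\S+) \((?P<pair>[^)]*)\)\s*$"
)


def summarize(lines, per_minute_threshold=3):
    """Count TLS negotiation errors per minute and per (error, trailing pair).

    Returns (per_minute, by_signature, noisy_minutes). The trailing pair such
    as "1/-1" is kept verbatim; it is not interpreted here.
    """
    per_minute = Counter()
    by_signature = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unrelated cache.log entry
        per_minute[f"{m['day']} {m['hm']}"] += 1
        by_signature[(m["err"], m["pair"])] += 1
    noisy = sorted(k for k, n in per_minute.items() if n >= per_minute_threshold)
    return per_minute, by_signature, noisy


if __name__ == "__main__":
    per_minute, by_signature, noisy = summarize(SAMPLE.splitlines())
    for minute, count in sorted(per_minute.items()):
        print(f"{minute}  {count} negotiation error(s)")
    for (err, pair), count in by_signature.most_common():
        print(f"{count:5d}  {err} ({pair})")
    print("minutes at or above threshold:", noisy)
```

The FD number is deliberately not used as a client identifier: descriptors are reused, so the client address still has to come from the debugging output Alex describes.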
