On 2024-04-10 16:22, Jonathan Lee wrote:
Could it be related to this?
"WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'.
error:1E08010C:DECODER routines::unsupported"
I do not know the answer to your question. I speculate that it could be
related: Depending on various factors, without those DH parameters,
Squid may not be able to communicate with clients. See WARNING in tls-dh
description in squid.conf.documented.
I know that others are reporting similar WARNINGs during v6 upgrades and
dislike the letters "EC" those messages use. I am not going to debate
the best choice of letters for this message, but I can tell you that, in
the cases I investigated, the message was caused by a mismatch between
squid.conf tls-dh=... option value and DH parameter file contents:
* To Squid, tls-dh=curve:filename format implies that the keytype is
"EC". These two letters are then fed to an OpenSSL function that
configures related TLS state. OpenSSL then fails if tls-dh filename
contains DH parameters produced with "openssl dhparam" command. I have
seen these failures in tests.
* To Squid, tls-dh=filename format (i.e. format without the curve name
prefix) implies that the keytype is "DC". These two letters are then fed
to an OpenSSL function that configures related TLS state. OpenSSL then
probably fails if tls-dh filename contains DH parameters produced with
"openssl ecparam" command. I have not tested this use case.
* The failing checks and their messages are specific to Squids built
with OpenSSL v3. It is possible that Squids built with OpenSSL v1 just
silently fail (at runtime), but I have not checked that theory.
FWIW, this poorly categorized message indicates a configuration _error_.
AFAICT, Squid code should be adjusted to _quit_ (i.e. reject bad
configuration) after discovering this error instead of continuing as if
nothing bad happened.
I recommend addressing the underlying cause, even if this message is
unrelated to SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417.
HTH,
Alex.
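A quick way to test for the mismatch described in this reply before restarting Squid, as an added example that is not code from the thread or from Squid itself: derive the key type Squid expects from the tls-dh value (EC for curve:filename, DH for a bare filename) and compare it with the PEM label of the file. The sample parameter files are constructed placeholders with no real parameters inside; only their PEM headers matter for the check.

```shell
#!/bin/sh
# Added example: check that a squid.conf tls-dh=... value agrees with the
# PEM file it points to. Rule from the reply above: "curve:file" means EC,
# a bare "file" means DH. Returns 0 on match, 1 on mismatch, 2 if unreadable.
check_tls_dh() {
    value=$1
    case $value in
        *:*) expected=EC; file=${value#*:} ;;   # curve name prefix present
        *)   expected=DH; file=$value ;;        # plain filename
    esac
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # PEM labels written by "openssl dhparam" and "openssl ecparam"
    if grep -q '^-----BEGIN DH PARAMETERS-----' "$file"; then actual=DH
    elif grep -q '^-----BEGIN EC PARAMETERS-----' "$file"; then actual=EC
    else actual=UNKNOWN
    fi
    echo "tls-dh=$value expects $expected, file contains $actual parameters"
    [ "$expected" = "$actual" ]
}

# Constructed sample files (placeholder bodies, not real parameters).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DH_FILE=$WORK/dh-parameters.2048
EC_FILE=$WORK/ec-parameters.pem
printf '%s\n' '-----BEGIN DH PARAMETERS-----' \
    'Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=' '-----END DH PARAMETERS-----' > "$DH_FILE"
printf '%s\n' '-----BEGIN EC PARAMETERS-----' \
    'Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=' '-----END EC PARAMETERS-----' > "$EC_FILE"

check_tls_dh "$DH_FILE"            && echo OK || echo MISMATCH   # matches
check_tls_dh "prime256v1:$EC_FILE" && echo OK || echo MISMATCH   # matches
check_tls_dh "prime256v1:$DH_FILE" && echo OK || echo MISMATCH   # the WARNING case
```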
On Apr 10, 2024, at 08:38, Alex Rousskov
<rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 2024-04-10 10:50, Jonathan Lee wrote:
I am getting the following error in 6.6 after an upgrade from 5.8. Does
anyone know what this is caused by?
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR
$ openssl errstr A000417
error:0A000417:SSL routines::sslv3 alert illegal parameter
I think I have seen that error code before, but I do not recall the
exact circumstances. Sorry! The error happens when Squid tries to
accept (or peek at) a TLS connection from the client. Might be
prohibited TLS version/feature, TLS greasing, or non-TLS traffic? Try
examining client TLS Hello packet(s) in Wireshark.
Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users