On 2024-04-10 16:22, Jonathan Lee wrote:
Could it be related to this ??
"WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'. error:1E08010C:DECODER routines::unsupported"
I do not know the answer to your question. I speculate that it could be related: Depending on various factors, without those DH parameters, Squid may not be able to communicate with clients. See WARNING in tls-dh description in squid.conf.documented.
I know that others are reporting similar WARNINGs during v6 upgrades and dislike the letters "EC" those messages use. I am not going to debate the best choice of letters for this message, but I can tell you that, in the cases I investigated, the message was caused by a mismatch between squid.conf tls-dh=... option value and DH parameter file contents:
* To Squid, tls-dh=curve:filename format implies that the keytype is "EC". These two letters are then fed to an OpenSSL function that configures related TLS state. OpenSSL then fails if tls-dh filename contains DH parameters produced with "openssl dhparam" command. I have seen these failures in tests.
* To Squid, tls-dh=filename format (i.e. format without the curve name prefix) implies that the keytype is "DC". These two letters are then fed to an OpenSSL function that configures related TLS state. OpenSSL then probably fails if tls-dh filename contains DH parameters produced with "openssl ecparam" command. I have not tested this use case.
* The failing checks and their messages are specific to Squids built with OpenSSL v3. It is possible that Squids built with OpenSSL v1 just silently fail (at runtime), but I have not checked that theory.
FWIW, this poorly categorized message indicates a configuration _error_. AFAICT, Squid code should be adjusted to _quit_ (i.e. reject bad configuration) after discovering this error instead of continuing as if nothing bad happened.
I recommend addressing the underlying cause, even if this message is unrelated to SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417.
HTH,
Alex.
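The mismatch Alex describes above (a curve:filename value pointing at "openssl dhparam" output, or a bare filename pointing at "openssl ecparam" output) can be caught before Squid is restarted. The script below is an added example for this thread, not Squid code and not something Alex or Jonathan posted. It assumes the two tls-dh forms described above, that a file's key type can be read from the PEM BEGIN line that "openssl dhparam" and "openssl ecparam" write ("DH PARAMETERS" or "X9.42 DH PARAMETERS" versus "EC PARAMETERS"), and it builds its own constructed sample files to run against; the DH sample is a header-only stub, so it demonstrates the classification, not a valid parameter body.

```shell
#!/bin/sh
# Added example: check that a squid.conf tls-dh= value agrees with the key
# type of the parameter file it names. Not from the thread or from Squid.
#
# Assumptions (see lead-in): "curve:filename" means Squid expects EC
# parameters, a bare "filename" means DH parameters, and the file's type
# can be read from its PEM BEGIN line.

# Classify a PEM file by its BEGIN line: prints DH, EC or UNKNOWN.
pem_param_type() {
    if grep -q -- '-----BEGIN EC PARAMETERS-----' "$1"; then
        echo EC
    elif grep -q -E -- '-----BEGIN (X9\.42 )?DH PARAMETERS-----' "$1"; then
        echo DH
    else
        echo UNKNOWN
    fi
}

# Key type Squid derives from the option format: curve prefix -> EC, else DH.
tls_dh_expected_type() {
    case "$1" in
        *:*) echo EC ;;
        *)   echo DH ;;
    esac
}

# Path part of the option value (drops an optional "curve:" prefix).
tls_dh_file() {
    case "$1" in
        *:*) echo "${1#*:}" ;;
        *)   echo "$1" ;;
    esac
}

# Returns 0 when option format and file contents agree, 1 on a mismatch,
# 2 when the file cannot be read. Prints a one-line verdict.
check_tls_dh() {
    value="$1"
    file=$(tls_dh_file "$value")
    [ -r "$file" ] || { echo "ERROR: cannot read $file" >&2; return 2; }
    want=$(tls_dh_expected_type "$value")
    have=$(pem_param_type "$file")
    if [ "$want" = "$have" ]; then
        echo "OK: tls-dh=$value ($have parameters)"
        return 0
    fi
    echo "MISMATCH: tls-dh=$value expects $want parameters but $file holds $have" >&2
    return 1
}

# --- demo on constructed sample files (not real Squid configuration) ---
demo_dir=$(mktemp -d)

# Constructed stub: only the PEM envelope of "openssl dhparam" output.
printf '%s\n' '-----BEGIN DH PARAMETERS-----' \
              '-----END DH PARAMETERS-----' > "$demo_dir/dh.pem"

# Named-curve output of "openssl ecparam -name prime256v1" (OID only).
printf '%s\n' '-----BEGIN EC PARAMETERS-----' 'BggqhkjOPQMBBw==' \
              '-----END EC PARAMETERS-----' > "$demo_dir/ec.pem"

check_tls_dh "$demo_dir/dh.pem";                echo "exit=$?"   # OK
check_tls_dh "prime256v1:$demo_dir/ec.pem";     echo "exit=$?"   # OK
check_tls_dh "prime256v1:$demo_dir/dh.pem";     echo "exit=$?"   # MISMATCH
check_tls_dh "$demo_dir/ec.pem";                echo "exit=$?"   # MISMATCH

rm -rf "$demo_dir"
```

Point check_tls_dh at the real value from squid.conf (for the WARNING quoted above that would be whatever tls-dh= names /etc/dh-parameters.2048). A header match only shows which family the file belongs to; to confirm the body parses, run `openssl dhparam -in FILE -noout -check` or `openssl ecparam -in FILE -noout -check` for the type the script reports.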
On Apr 10, 2024, at 08:38, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 2024-04-10 10:50, Jonathan Lee wrote:
I am getting the following error in 6.6 after an upgrade from 5.8 does anyone know what this is caused by?
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR
$ openssl errstr A000417
error:0A000417:SSL routines::sslv3 alert illegal parameter
I think I have seen that error code before, but I do not recall the exact circumstances. Sorry! The error happens when Squid tries to accept (or peek at) a TLS connection from the client. Might be prohibited TLS version/feature, TLS greasing, or non-TLS traffic? Try examining client TLS Hello packet(s) in Wireshark.
Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users