On 2024-07-04 19:02, Jonathan Lee wrote:
I do not recommend changing your configuration at this time. I
recommend rereading my earlier recommendation and following that
instead: "As the next step in triage, I recommend determining what
that CA is in these cases (e.g., by capturing raw TLS packets and
matching them with connection information from A000417 error
messages in cache.log or %err_detail in access.log)."
Ok, I went back to 5.8 and ran the following command after I removed the
changes I used. Does this help? This is run on the firewall side itself.
openssl s_client -connect foxnews.com:443
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Did the above connection go through Squid? Sorry, I do not know whether
"on the firewall side itself" implies a "yes" or "no" answer in this
test case.
Does that help?
It does not hurt, but it is not the information I have requested for the
next triage step: I asked about the certificate corresponding to the
A000417 error message in Squid v6.6. You are sharing the certificate
corresponding to either a direct connection to the origin server or the
certificate corresponding to a problem-free connection through Squid v5.8.
Should I regenerate a new certificate for the new version of Squid and
redeploy them all to hosts again?
IMHO, on this thread, you should follow the recommended triage steps. If
those recommendations are problematic, please discuss.
Alex.
On Jul 4, 2024, at 14:45, Alex Rousskov
<rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 2024-07-04 15:37, Jonathan Lee wrote:
in squid.conf I have nothing with that directive.
Sounds good; sslproxy_cert_sign default should work OK in most
cases. I mentioned signUntrusted algorithm so that you can discover
(from the corresponding sslproxy_cert_sign documentation) which
CA/certificate Squid uses in which SslBump use case. Triage is often
easier if folks share the same working theory, and my current
working theory suggests that we are looking at a (default)
signUntrusted use case.
The solution here probably does _not_ involve changing
sslproxy_cert_sign configuration, but, to make progress, I need more
info to confirm this working theory and describe next steps.
Yes, I am using SSL bump with this configuration.
Noted, thank you.
So would I use this directive?
I do not recommend changing your configuration at this time. I
recommend rereading my earlier recommendation and following that
instead: "As the next step in triage, I recommend determining what
that CA is in these cases (e.g., by capturing raw TLS packets and
matching them with connection information from A000417 error
messages in cache.log or %err_detail in access.log)."
HTH,
Alex.
On Jul 4, 2024, at 09:56, Alex Rousskov wrote:
On 2024-07-04 12:11, Jonathan Lee wrote:
failure while accepting a TLS connection on conn5887
local=192.168.1.1:3128
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417
A000417 is an "unknown CA" alert sent by client to Squid while the
client is trying to establish a TLS connection to/through Squid.
The client does not trust the Certificate Authority that signed
the certificate that was used for that TLS connection.
As the next step in triage, I recommend determining what that CA
is in these cases (e.g., by capturing raw TLS packets and matching
them with connection information from A000417 error messages in
cache.log or %err_detail in access.log).
If you use SslBump for port 3128 traffic, then one of the
possibilities here is that Squid is using an unknown-to-client CA
to report an origin server that Squid itself does not trust (see
signUntrusted in squid.conf.documented). In those cases, logging a
level-1 ERROR is a Squid bug because that expected/desirable
outcome should be treated as success (and a successful TLS accept
treated as an error!).
HTH,
Alex.
Is my main concern; however, I use the SquidGuard URL blocker.
On Jul 4, 2024, at 07:41, Alex Rousskov
<rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 2024-07-03 13:56, Jonathan Lee wrote:
Hello fellow Squid users does anyone know how to fix this issue?
I counted about eight different "issues" in your cache.log
sample. Most of them are probably independent. I recommend that
you explicitly pick _one_, search mailing list archives for
previous discussions about it, and then provide as many details
about it as you can (e.g., what traffic causes it and/or
matching access.log records).
HTH,
Alex.
Squid - Cache Logs
Date-Time Message
03.07.2024 10:54:34 kick abandoning
conn7853 local=192.168.1.1:3128 remote=192.168.1.5:49710 FD 89
flags=1
03.07.2024 10:54:29 kick abandoning
conn7844 local=192.168.1.1:3128 remote=192.168.1.5:49702 FD 81
flags=1
03.07.2024 10:54:09 ERROR: failure while accepting a TLS
connection on conn7648 local=192.168.1.1:3128
remote=192.168.1.5:49672 FD 44 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:54:09 ERROR: failure while accepting a TLS
connection on conn7647 local=192.168.1.1:3128
remote=192.168.1.5:49670 FD 43 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:54:09 ERROR: failure while accepting a TLS
connection on conn7646 local=192.168.1.1:3128
remote=192.168.1.5:49668 FD 34 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:53:04 ERROR: failure while accepting a TLS
connection on conn7367 local=192.168.1.1:3128
remote=192.168.1.5:49627 FD 22 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:52:47 ERROR: failure while accepting a TLS
connection on conn7345 local=192.168.1.1:3128
remote=192.168.1.5:49618 FD 31 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:52:38 ERROR: failure while accepting a TLS
connection on conn7340 local=192.168.1.1:3128
remote=192.168.1.5:49616 FD 45 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
03.07.2024 10:52:34 ERROR: failure while accepting a TLS
connection on conn7316 local=192.168.1.1:3128
remote=192.168.1.5:49609 FD 45 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:51:55 WARNING: Error Pages Missing Language: en-us
03.07.2024 10:51:55 ERROR: loading file
'/usr/local/etc/squid/errors/en-us/ERR_ZERO_SIZE_OBJECT': (2)
No such file or directory
03.07.2024 10:51:44 ERROR: failure while accepting a TLS
connection on conn7102 local=192.168.1.1:3128
remote=192.168.1.5:49574 FD 34 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:51:28 ERROR: failure while accepting a TLS
connection on conn7071 local=192.168.1.1:3128
remote=192.168.1.5:49568 FD 92 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:50:29 ERROR: failure while accepting a TLS
connection on conn6944 local=192.168.1.1:3128
remote=192.168.1.5:49534 FD 101 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
03.07.2024 10:49:54 ERROR: failure while accepting a TLS
connection on conn6866 local=192.168.1.1:3128
remote=192.168.1.5:49519 FD 31 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:49:38 ERROR: failure while accepting a TLS
connection on conn6809 local=192.168.1.1:3128
remote=192.168.1.5:49503 FD 31 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:49:32 ERROR: system call failure while
accepting a TLS connection on conn6794 local=192.168.1.1:3128
remote=192.168.1.5:49496 FD 19 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=54
03.07.2024 10:49:24 ERROR: failure while accepting a TLS
connection on conn6776 local=192.168.1.1:3128
remote=192.168.1.5:49481 FD 137 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
03.07.2024 10:48:49 ERROR: failure while accepting a TLS
connection on conn6440 local=192.168.1.1:3128
remote=192.168.1.5:49424 FD 16 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
03.07.2024 10:48:49 ERROR: failure while accepting a TLS
connection on conn6445 local=192.168.1.1:3128
remote=192.168.1.5:49426 FD 34 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:48:22 ERROR: failure while accepting a TLS
connection on conn6035 local=192.168.1.1:3128
remote=192.168.1.5:49355 FD 226 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
03.07.2024 10:48:09 ERROR: failure while accepting a TLS
connection on conn5887 local=192.168.1.1:3128
remote=192.168.1.5:49318 FD 33 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:48:09 ERROR: failure while accepting a TLS
connection on conn5875 local=192.168.1.1:3128
remote=192.168.1.5:49312 FD 216 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:48:09 ERROR: failure while accepting a TLS
connection on conn5876 local=192.168.1.1:3128
remote=192.168.1.5:49314 FD 217 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:47:57 ERROR: failure while accepting a TLS
connection on conn5815 local=192.168.1.1:3128
remote=192.168.1.5:49297 FD 201 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
03.07.2024 10:47:54 ERROR: failure while accepting a TLS
connection on conn5760 local=192.168.1.1:3128
remote=192.168.1.5:49289 FD 195 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
03.07.2024 10:47:52 ERROR: failure while accepting a TLS
connection on conn5717 local=192.168.1.1:3128
remote=192.168.1.5:49284 FD 195 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
03.07.2024 10:47:50 ERROR: failure while accepting a TLS
connection on conn5552 local=192.168.1.1:3128
remote=192.168.1.5:49268 FD 142 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
03.07.2024 10:47:34 kick abandoning
conn5254 local=192.168.1.1:3128 remote=192.168.1.5:49209 FD 100
flags=1
03.07.2024 10:47:21 kick abandoning
conn5022 local=192.168.1.1:3128 remote=192.168.1.5:49167 FD 37
flags=1
03.07.2024 10:47:21 kick abandoning
conn5020 local=192.168.1.1:3128 remote=192.168.1.5:49165 FD 36
flags=1
03.07.2024 10:42:22 WARNING: Forwarding loop detected for:
03.07.2024 10:40:08 ERROR: failure while accepting a TLS
connection on conn4955 local=192.168.1.1:3128
remote=192.168.1.5:52339 FD 98 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:39:52 kick abandoning
conn4927 local=192.168.1.1:3128 remote=192.168.1.5:52331 FD 105
flags=1
03.07.2024 10:39:09 ERROR: failure while accepting a TLS
connection on conn4846 local=192.168.1.1:3128
remote=192.168.1.5:52314 FD 19 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:38:14 ERROR: failure while accepting a TLS
connection on conn4650 local=192.168.1.1:3128
remote=192.168.1.5:52274 FD 35 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
03.07.2024 10:38:08 ERROR: failure while accepting a TLS
connection on conn4645 local=192.168.1.1:3128
remote=192.168.1.5:52272 FD 35 flags=1:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:38:04 ERROR: Unsupported TLS option
SINGLE_ECDH_USE
03.07.2024 10:38:04 ERROR: Unsupported TLS option SINGLE_DH_USE
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
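A worked version of the triage step Alex describes in this thread (decode the TLS_LIB_ERR code behind the "failure while accepting a TLS connection" records, then match the failing conn/remote=ip:port records against a packet capture), as an added example that is not part of the thread and not Squid's own code. It is a Python script. The cache.log records embedded in it are constructed in the shape of the excerpt above, not real data; the interface name, proxy address and origin host are placeholders; and the alert names are derived from OpenSSL's packing convention (library id above bit 23, a received TLS alert N reported as reason 1000 + N) together with the RFC 5246 / RFC 8446 alert registry, not from anything stated in the thread, so confirm them with "openssl errstr <code>" on the firewall's own OpenSSL before relying on them. The "-proxy" option of openssl s_client assumes OpenSSL 1.1.0 or later.

```python
"""Triage helper for Squid "failure while accepting a TLS connection" records.

Added example for this thread, not Squid's own code. It decodes the packed
OpenSSL error behind TLS_LIB_ERR=..., groups failures per client, and joins
cache.log records to alerts pulled from a packet capture by remote ip:port.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the thread's cache.log excerpt (one record per
# line; the list archive wrapped them). Not real data from the poster's firewall.
SAMPLE_LOG = """\
03.07.2024 10:54:09 ERROR: failure while accepting a TLS connection on conn7648 local=192.168.1.1:3128 remote=192.168.1.5:49672 FD 44 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:52:38 ERROR: failure while accepting a TLS connection on conn7340 local=192.168.1.1:3128 remote=192.168.1.5:49616 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
03.07.2024 10:49:32 ERROR: system call failure while accepting a TLS connection on conn6794 local=192.168.1.1:3128 remote=192.168.1.5:49496 FD 19 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=54
03.07.2024 10:48:09 ERROR: failure while accepting a TLS connection on conn5887 local=192.168.1.1:3128 remote=192.168.1.5:49318 FD 33 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:47:34 kick abandoning conn5254 local=192.168.1.1:3128 remote=192.168.1.5:49209 FD 100 flags=1
"""

ACCEPT_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) ERROR: (?:system call )?failure while "
    r"accepting a TLS connection on (?P<conn>conn\d+) local=\S+ "
    r"remote=(?P<rip>\S+?):(?P<rport>\d+) FD \d+ flags=\d+: (?P<detail>\S+)$"
)

# OpenSSL 3 packs an error as (library << 23) | reason; ERR_LIB_SSL is 20, so
# 20 << 23 == 0x0A000000, the "A000..." prefix in the log. A TLS alert N received
# from the peer is reported with reason SSL_AD_REASON_OFFSET (1000) + N.
ERR_LIB_OFFSET, ERR_REASON_MASK, ERR_LIB_SSL, SSL_AD_REASON_OFFSET = 23, 0x7FFFFF, 20, 1000

# AlertDescription registry (RFC 5246 / RFC 8446), certificate-related subset.
TLS_ALERT_NAMES = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 112: "unrecognized_name",
    116: "certificate_required",
}


def decode_openssl_error(code_hex):
    """Split a TLS_LIB_ERR hex value into library, reason and (if any) TLS alert."""
    code = int(code_hex, 16)
    lib, reason = (code >> ERR_LIB_OFFSET) & 0xFF, code & ERR_REASON_MASK
    info = {"lib": lib, "reason": reason, "alert": None, "name": None}
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        info["alert"] = reason - SSL_AD_REASON_OFFSET
        info["name"] = TLS_ALERT_NAMES.get(info["alert"], f"alert_{info['alert']}")
    return info


def parse_detail(detail):
    """'SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1' -> {'TLS_LIB_ERR': 'A000417', ...}"""
    return dict(tok.partition("=")[::2] for tok in detail.split("+"))


def parse_cache_log(text):
    """Return one dict per TLS accept failure; other records (kick, WARNING) are skipped."""
    events = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line.strip())
        if not m:
            continue
        d = parse_detail(m["detail"])
        ev = {"ts": m["ts"], "conn": m["conn"], "client": m["rip"], "port": int(m["rport"]),
              "lib_err": d.get("TLS_LIB_ERR"), "io_err": d.get("TLS_IO_ERR"),
              "errno": d.get("errno")}
        ev["alert"] = decode_openssl_error(ev["lib_err"])["name"] if ev["lib_err"] else None
        events.append(ev)
    return events


def summarize(events):
    """{client ip: Counter of decoded reasons} so you can see which client rejects what."""
    per_client = defaultdict(Counter)
    for ev in events:
        reason = ev["alert"] or (f"errno={ev['errno']}" if ev["errno"] else f"io_err={ev['io_err']}")
        per_client[ev["client"]][reason] += 1
    return per_client


def match_capture(events, alerts_seen):
    """Join cache.log records to alerts seen on the wire, keyed on the client's
    source ip:port (what Squid logs as remote=). alerts_seen rows are
    (src_ip, src_port, alert_description), e.g. from tshark's ip.src,
    tcp.srcport and tls.alert_message.desc fields."""
    by_peer = {(ev["client"], ev["port"]): ev["conn"] for ev in events}
    return [(by_peer[(ip, port)], desc) for ip, port, desc in alerts_seen if (ip, port) in by_peer]


def triage_commands(events, proxy="192.168.1.1:3128", iface="em1", origin="foxnews.com"):
    """Commands for the next step: capture the failing clients' handshakes, see the
    chain Squid presents through the proxy, and confirm the decoded reason text
    against the firewall's own OpenSSL. iface and origin are placeholders to adjust."""
    port = proxy.rsplit(":", 1)[1]
    hosts = " or ".join(f"host {c}" for c in sorted({ev["client"] for ev in events}))
    codes = sorted({ev["lib_err"] for ev in events if ev["lib_err"]})
    return {
        "tcpdump": f"tcpdump -i {iface} -s 0 -w squid-accept.pcap 'tcp port {port} and ({hosts})'",
        # -proxy (OpenSSL >= 1.1.0) CONNECTs through Squid, so the chain shown is the
        # bumped one rather than the origin's; -showcerts prints the signing CA too.
        "s_client": f"openssl s_client -proxy {proxy} -connect {origin}:443 -servername {origin} -showcerts </dev/null",
        "errstr": "; ".join(f"openssl errstr {c}" for c in codes),
    }


if __name__ == "__main__":
    evs = parse_cache_log(SAMPLE_LOG)
    for client, counts in summarize(evs).items():
        print(client, dict(counts))
    for name, cmd in triage_commands(evs).items():
        print(f"{name}: {cmd}")
```

To use it on the real box, replace SAMPLE_LOG with the contents of cache.log (joining any wrapped records back onto one line) and feed match_capture the (ip, port, alert) rows pulled from the pcap. The decoder keeps A000417 and A000418 apart because both appear in the excerpt; carry forward whichever alert name the capture and "openssl errstr" agree on, since that is the fact Alex is asking for before any squid.conf or certificate change.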