<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">I apologize for the ultra-long delay on this. I did just test this tonight and it worked properly under OpenBSD.<br class=""><div class="">
<div style="color: rgb(0, 0, 0); font-family: Play; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;"><br class=""></div><div style="color: rgb(0, 0, 0); font-family: Play; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;">What would be the process for submitting a bug report?</div><div style="color: rgb(0, 0, 0); font-family: Play; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;"><br class=""></div><div style="color: rgb(0, 0, 0); font-family: Play; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;">-Robert</div></div><div style="color: rgb(0, 0, 0); font-family: Play; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;"><br class=""></div><div style="color: rgb(0, 0, 0); font-family: Play; font-size: 14px; font-style: normal; 
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;"><br class=""></div><div><blockquote type="cite" class=""><div class="">On Mar 29, 2021, at 4:33 AM, Amos Jeffries <<a href="mailto:squid3@treenet.co.nz" class="">squid3@treenet.co.nz</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">On 29/03/21 6:16 am, Eliezer Croitoru wrote:<br class=""><blockquote type="cite" class="">Hey Robert,<br class="">I am not sure I understood what the meaning of the description is:<br class="">openbsd: Requiring client certificates.<br class="">linux: Not requiring any client certificates<br class=""></blockquote><br class="">@Eliezer:<br class="">  They are startup messages Squid prints in cache.log when a TLS server context is initialized.<br class=""><br class=""><br class=""><br class=""><blockquote type="cite" class="">-----Original Message-----<br class="">From: Robert Smith<br class="">Sent: Sunday, March 28, 2021 7:27 PM<br class="">Dear Squid-Dev list:<br class="">I could use some help on this one:<br class="">I have a build environment that is identical on linux, openbsd, and macosx.<br class="">In this scenario, I am developing under:<br class="">Ubuntu 18.04 - All patches and updates applied as of 3/24<br class="">OpenBSD 6.8 - All patches and updates applied as of 3/24<br class="">I will note that I am really only using the libc from each system, whereas every other component's dependencies (which are not many! Good job, Squid team!) 
are a part of my build system.<br class="">When building squid with the exact same toolchain and library stack, with the same configure options, I am seeing a difference in behavior on the two platforms:<br class="">The difference is that after parsing the configuration file, the two systems differ in whether or not they will require client certificates:<br class="">openbsd: Requiring client certificates.<br class="">linux: Not requiring any client certificates<br class=""><br class=""></blockquote><br class="">What the message means depends on whether the http(s)_port, a cache_peer, or the outgoing https:// context is being initialized, and on the options that directive was supposed to be using (including the default security).<br class=""><br class="">Looking at your logs, I see:<br class=""><br class=""><br class="">On OpenBSD, Squid detects the presence of an IPv6 split-stack for networking, which means Squid has to clone the internal representation of all your squid.conf *_port settings and set up separate contexts and state for IPv4 versions of them.<br class=""> There seems to be a bug in that cloning process which is turning on the TLS client certificates feature. Please report this to our bugzilla so it does not get forgotten until fixed.<br class=""><br class=""><br class="">On Linux, Squid is detecting IPv6 disabled in the kernel networking setup. So it is disabling its own IPv6 support. That said, Linux has hybrid-stack networking, so the cloning would not happen anyway. 
If IPv6 were enabled here it would be somewhat more obvious that the IPv4 ports on OpenBSD are the odd ones.<br class=""><br class=""><br class="">As a workaround, you may be able to set sslflags=DELAYED_AUTH on the http*_port lines and leave your ACLs as they are without anything requiring a client certificate.<br class=""><br class=""><br class=""><br class=""><blockquote type="cite" class=""># openbsd<br class="">root@openbsd:~# /root/squid.init conftest<br class=""></blockquote><br class=""><blockquote type="cite" class="">2021/03/28 10:47:31| Processing: http_port 3128 ssl-bump cert=/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB<br class="">2021/03/28 10:47:31| Processing: https_port 3129 intercept ssl-bump cert=/opt/osec/etc/ssl_cert/squid-ca-cert+key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB<br class=""></blockquote><br class=""><blockquote type="cite" class="">2021/03/28 10:47:31| Processing: tls_outgoing_options cafile=/opt/osec/etc/pki/tls/certs/ca-bundle.crt<br class=""></blockquote><br class=""><br class=""><blockquote type="cite" class="">2021/03/28 10:47:31| Initializing https:// proxy context<br class="">2021/03/28 10:47:31| Requiring client certificates.<br class=""></blockquote><br class=""><br class=""><blockquote type="cite" class="">2021/03/28 10:47:31| Initializing http_port [::]:3128 TLS contexts<br class="">2021/03/28 10:47:31| Using certificate in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:47:31| Using certificate chain in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland Park/O=Company, Inc./OU=Area 77/CN=local.corp.dom/emailAddress=ssladmin@Company.com<br class="">2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 
10:47:31| Not requiring any client certificates<br class=""></blockquote><br class=""><br class=""><blockquote type="cite" class="">2021/03/28 10:47:31| Initializing http_port 0.0.0.0:3128 TLS contexts<br class="">2021/03/28 10:47:31| Using certificate in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:47:31| Using certificate chain in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland Park/O=Company, Inc./OU=Area 77/CN=local.corp.dom/emailAddress=ssladmin@Company.com<br class="">2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:47:31| Requiring client certificates.<br class=""></blockquote><br class=""><br class=""><blockquote type="cite" class="">2021/03/28 10:47:31| Initializing https_port [::]:3129 TLS contexts<br class="">2021/03/28 10:47:31| Using certificate in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:47:31| Using certificate chain in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:47:31| Adding issuer CA: /C=US/ST=Kansas/L=Overland Park/O=Company, Inc./OU=Area 77/CN=local.corp.dom/emailAddress=ssladmin@Company.com<br class="">2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:47:31| Not requiring any client certificates<br class=""></blockquote><br class=""><br class=""><blockquote type="cite" class="">2021/03/28 10:47:31| Initializing https_port 0.0.0.0:3129 TLS contexts<br class="">2021/03/28 10:47:31| Using certificate in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:47:31| Using certificate chain in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:47:31| Adding issuer CA: 
/C=US/ST=Kansas/L=Overland Park/O=Company, Inc./OU=Area 77/CN=local.corp.dom/emailAddress=ssladmin@Company.com<br class="">2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:47:31| Requiring client certificates.<br class=""># linux<br class="">root@linux:~# /root/squid.init conftest<br class=""></blockquote><br class=""><blockquote type="cite" class="">2021/03/28 10:48:21| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.<br class="">2021/03/28 10:48:21| aclIpParseIpData: IPv6 has not been enabled.<br class="">2021/03/28 10:48:21| aclIpParseIpData: IPv6 has not been enabled.<br class="">2021/03/28 10:48:21| Initializing https:// proxy context<br class="">2021/03/28 10:48:21| Requiring client certificates.<br class=""></blockquote><br class=""><blockquote type="cite" class="">2021/03/28 10:48:21| Initializing http_port 0.0.0.0:3128 TLS contexts<br class="">2021/03/28 10:48:21| Using certificate in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:48:21| Using certificate chain in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:48:21| Adding issuer CA: /C=US/ST=Kansas/L=Overland Park/O=Company, Inc./OU=Area 77/CN=local.corp.dom/emailAddress=ssladmin@Company.com<br class="">2021/03/28 10:48:21| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:48:21| Not requiring any client certificates<br class=""></blockquote><br class=""><blockquote type="cite" class="">2021/03/28 10:48:21| Initializing https_port 0.0.0.0:3129 TLS contexts<br class="">2021/03/28 10:48:21| Using certificate in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:48:21| Using certificate chain in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 
10:48:21| Adding issuer CA: /C=US/ST=Kansas/L=Overland Park/O=Company, Inc./OU=Area 77/CN=local.corp.dom/emailAddress=ssladmin@Company.com<br class="">2021/03/28 10:48:21| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem<br class="">2021/03/28 10:48:21| Not requiring any client certificates<br class=""></blockquote><br class=""><br class=""><br class="">Amos<br class=""><br class="">_______________________________________________<br class="">squid-dev mailing list<br class=""><a href="mailto:squid-dev@lists.squid-cache.org" class="">squid-dev@lists.squid-cache.org</a><br class="">http://lists.squid-cache.org/listinfo/squid-dev<br class=""><br class=""></div></div></blockquote></div><br class=""></body></html>
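An added example, not part of the thread or of the Squid project: a Python check that reads the cache.log startup messages quoted above and flags any *_port whose IPv6 listener and its IPv4 clone disagree about requiring client certificates, which is the symptom Amos describes for the OpenBSD split-stack cloning. The sample log is constructed from the excerpts in the thread, and the regexes assume the message format shown there.

```python
"""Flag Squid listeners whose IPv4/IPv6 TLS contexts disagree on client certs."""
import re
from collections import defaultdict

# Constructed sample, trimmed from the OpenBSD cache.log excerpt in the thread.
SAMPLE_LOG = """\
2021/03/28 10:47:31| Initializing https:// proxy context
2021/03/28 10:47:31| Requiring client certificates.
2021/03/28 10:47:31| Initializing http_port [::]:3128 TLS contexts
2021/03/28 10:47:31| Using key in /opt/osec/etc/ssl_cert/squid-ca-cert+key.pem
2021/03/28 10:47:31| Not requiring any client certificates
2021/03/28 10:47:31| Initializing http_port 0.0.0.0:3128 TLS contexts
2021/03/28 10:47:31| Requiring client certificates.
2021/03/28 10:47:31| Initializing https_port [::]:3129 TLS contexts
2021/03/28 10:47:31| Not requiring any client certificates
2021/03/28 10:47:31| Initializing https_port 0.0.0.0:3129 TLS contexts
2021/03/28 10:47:31| Requiring client certificates.
"""

# "Initializing <directive> <addr>:<port> TLS contexts" opens a listener context.
CONTEXT_RE = re.compile(
    r"\| Initializing (\S+) (\[[0-9a-fA-F:]*\]|[\d.]+):(\d+) TLS contexts$")
REQUIRE_RE = re.compile(
    r"\| (Requiring client certificates|Not requiring any client certificates)")

def parse_contexts(log_text):
    """Return {(directive, port): {listen_addr: requires_client_cert}}.
    The outgoing https:// proxy context has no listener and is skipped."""
    result = defaultdict(dict)
    current = None
    for line in log_text.splitlines():
        m = CONTEXT_RE.search(line)
        if m:
            directive, addr, port = m.groups()
            current = (directive, int(port), addr)
            continue
        if "Initializing https:// proxy context" in line:
            current = None  # messages that follow belong to the outgoing context
            continue
        m = REQUIRE_RE.search(line)
        if m and current is not None:
            directive, port, addr = current
            result[(directive, port)][addr] = m.group(1).startswith("Requiring")
    return dict(result)

def find_inconsistent_ports(log_text):
    """Ports whose listeners (e.g. [::] vs 0.0.0.0) disagree on client certs."""
    return sorted(k for k, v in parse_contexts(log_text).items()
                  if len(set(v.values())) > 1)

if __name__ == "__main__":
    for directive, port in find_inconsistent_ports(SAMPLE_LOG):
        print(f"{directive} {port}: client-cert requirement differs between listeners")
```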