[squid-users] sslbump working with 3.4.9 but not in intercept mode?

Jason Haar Jason_Haar at trimble.com
Mon Nov 10 11:26:23 UTC 2014


On 10/11/14 23:43, Eliezer Croitoru wrote:
> Can you send all ssl_bump related settings?
> There are some missing parts in the settings.

How's this?

# egrep '^(https?_port|ssl)' /etc/squid/squid.conf
http_port 3128
http_port 3126 ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
http_port 3129 intercept
https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
ssl_bump server-first all


This is a CentOS-6 64bit server with 8G RAM and two Ethernet cards, one
internal and one external. iptables is used to redirect outbound tcp
port 80/443 (on the internal network) onto squid port 3129/3127
respectively. I've removed the two ACLs I had and that hasn't caused
any change, so they are not related to the problem.

access.log does not show any entries (the crash occurs before they can
be written, I guess) and cache.log shows the following whenever I "telnet
1.2.3.4 443" (I've appended the cache.log from the start, through the
crash, to the next start).

2014/11/11 00:14:02 kid1| Starting Squid Cache version 3.4.9 for x86_64-redhat-linux-gnu...
2014/11/11 00:14:02 kid1| Process ID 25288
2014/11/11 00:14:02 kid1| Process Roles: worker
2014/11/11 00:14:02 kid1| With 16384 file descriptors available
2014/11/11 00:14:02 kid1| Initializing IP Cache...
2014/11/11 00:14:02 kid1| DNS Socket created at 0.0.0.0, FD 7
2014/11/11 00:14:02 kid1| Adding domain xx.org from /etc/resolv.conf
2014/11/11 00:14:02 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2014/11/11 00:14:02 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
2014/11/11 00:14:02 kid1| helperOpenServers: Starting 5/20 'squidguard' processes
2014/11/11 00:14:02 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2014/11/11 00:14:02 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2014/11/11 00:14:02 kid1| Unlinkd pipe opened on FD 33
2014/11/11 00:14:02 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/11/11 00:14:02 kid1| Store logging disabled
2014/11/11 00:14:02 kid1| Swap maxSize 1024000 + 524288 KB, estimated 119099 objects
2014/11/11 00:14:02 kid1| Target number of buckets: 5954
2014/11/11 00:14:02 kid1| Using 8192 Store buckets
2014/11/11 00:14:02 kid1| Max Mem  size: 524288 KB
2014/11/11 00:14:02 kid1| Max Swap size: 1024000 KB
2014/11/11 00:14:02 kid1| Rebuilding storage in /var/spool/squid (clean log)
2014/11/11 00:14:02 kid1| Using Least Load store dir selection
2014/11/11 00:14:02 kid1| Set Current Directory to /var/spool/squid
2014/11/11 00:14:02 kid1| Finished loading MIME types and icons.
2014/11/11 00:14:02 kid1| HTCP Disabled.
2014/11/11 00:14:02 kid1| Squid plugin modules loaded: 0
2014/11/11 00:14:02 kid1| Adaptation support is off.
2014/11/11 00:14:02 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 36 flags=9
2014/11/11 00:14:02 kid1| Accepting SSL bumped HTTP Socket connections at local=0.0.0.0:3126 remote=[::] FD 37 flags=9
2014/11/11 00:14:02 kid1| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 38 flags=41
2014/11/11 00:14:02 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:3127 remote=[::] FD 39 flags=41
2014/11/11 00:14:02 kid1| Store rebuilding is 42.19% complete
2014/11/11 00:14:02 kid1| Done reading /var/spool/squid swaplog (9479 entries)
2014/11/11 00:14:02 kid1| Finished rebuilding storage from disk.
2014/11/11 00:14:02 kid1|      9479 Entries scanned
2014/11/11 00:14:02 kid1|         0 Invalid entries.
2014/11/11 00:14:02 kid1|         0 With invalid flags.
2014/11/11 00:14:02 kid1|      9479 Objects loaded.
2014/11/11 00:14:02 kid1|         0 Objects expired.
2014/11/11 00:14:02 kid1|         0 Objects cancelled.
2014/11/11 00:14:02 kid1|         0 Duplicate URLs purged.
2014/11/11 00:14:02 kid1|         0 Swapfile clashes avoided.
2014/11/11 00:14:02 kid1|   Took 0.06 seconds (147560.63 objects/sec).
2014/11/11 00:14:02 kid1| Beginning Validation Procedure
2014/11/11 00:14:02 kid1|   Completed Validation Procedure
2014/11/11 00:14:02 kid1|   Validated 9479 Entries
2014/11/11 00:14:02 kid1|   store_swap_size = 920980.00 KB
2014/11/11 00:14:03 kid1| storeLateRelease: released 0 objects
2014/11/11 00:14:09 kid1| Closing HTTP port 0.0.0.0:3128
2014/11/11 00:14:09 kid1| Closing HTTP port 0.0.0.0:3126
2014/11/11 00:14:09 kid1| Closing HTTP port 0.0.0.0:3129
2014/11/11 00:14:09 kid1| Closing HTTPS port 0.0.0.0:3127
FATAL: xstrdup: tried to dup a NULL pointer!

Squid Cache (Version 3.4.9): Terminated abnormally.
CPU Usage: 0.077 seconds = 0.054 user + 0.023 sys
Maximum Resident Size: 70912 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
    total space in arena:    9328 KB
    Ordinary blocks:         9228 KB      5 blks
    Small blocks:               0 KB      1 blks
    Holding blocks:         10068 KB      6 blks
    Free Small blocks:          0 KB
    Free Ordinary blocks:      99 KB
    Total in use:           19296 KB 207%
    Total free:                99 KB 1%
2014/11/11 00:14:09 kid1| storeDirWriteCleanLogs: Starting...
2014/11/11 00:14:09 kid1|   Finished.  Wrote 9479 entries.
2014/11/11 00:14:09 kid1|   Took 0.04 seconds (240455.59 entries/sec).
2014/11/11 00:14:12 kid1| Set Current Directory to /var/spool/squid
2014/11/11 00:14:12 kid1| Starting Squid Cache version 3.4.9 for x86_64-redhat-linux-gnu...

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
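The cache.log excerpt above shows the pattern an operator wants to catch automatically: all four listening ports come up, the worker dies on an untimestamped FATAL line, and a new worker starts a few seconds later. The following script is an added example, not code from the post or from the Squid project; it parses a constructed cache.log sample modelled on the excerpt (the SAMPLE_CACHE_LOG constant is constructed, and the function names analyse_cache_log, restart_gaps, missing_listeners and is_crash_looping are this example's own) and reports which expected intercept ports each run announced, how quickly the worker was restarted after the FATAL, and whether that amounts to a crash loop. It generalises beyond the single crash in the post by handling any number of start/crash cycles in one log.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample modelled on the cache.log excerpt in the post (not a real capture).
SAMPLE_CACHE_LOG = """\
2014/11/11 00:14:02 kid1| Starting Squid Cache version 3.4.9 for x86_64-redhat-linux-gnu...
2014/11/11 00:14:02 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 36 flags=9
2014/11/11 00:14:02 kid1| Accepting SSL bumped HTTP Socket connections at local=0.0.0.0:3126 remote=[::] FD 37 flags=9
2014/11/11 00:14:02 kid1| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 38 flags=41
2014/11/11 00:14:02 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:3127 remote=[::] FD 39 flags=41
2014/11/11 00:14:09 kid1| Closing HTTP port 0.0.0.0:3128
2014/11/11 00:14:09 kid1| Closing HTTPS port 0.0.0.0:3127
FATAL: xstrdup: tried to dup a NULL pointer!

Squid Cache (Version 3.4.9): Terminated abnormally.
2014/11/11 00:14:12 kid1| Set Current Directory to /var/spool/squid
2014/11/11 00:14:12 kid1| Starting Squid Cache version 3.4.9 for x86_64-redhat-linux-gnu...
"""

# Timestamped worker lines look like "2014/11/11 00:14:02 kid1| message".
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| (.*)$")
# "Accepting <kind> connections at local=<ip>:<port> ..." announces a listening socket.
ACCEPT_RE = re.compile(r"^Accepting (.+?) connections at local=([\d.]+):(\d+)\b")
# FATAL and "Terminated abnormally" lines carry no timestamp; attribute them to the run in progress.
FATAL_RE = re.compile(r"^FATAL: (.*)$")
TERMINATED_RE = re.compile(r"^Squid Cache \(Version [^)]*\): Terminated abnormally\.$")


@dataclass
class Run:
    """One Squid worker lifetime, from a 'Starting Squid Cache' line onwards."""
    started: datetime
    listeners: Dict[int, str] = field(default_factory=dict)  # port -> socket description
    fatal: Optional[str] = None
    terminated: bool = False


def analyse_cache_log(text: str) -> List[Run]:
    """Split a cache.log into worker runs, recording listeners and fatal errors per run."""
    runs: List[Run] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            msg = m.group(2)
            if msg.startswith("Starting Squid Cache"):
                runs.append(Run(started=stamp))
            elif runs:
                a = ACCEPT_RE.match(msg)
                if a:
                    runs[-1].listeners[int(a.group(3))] = a.group(1)
            continue
        if not runs:
            continue  # untimestamped text before the first start: nothing to attribute it to
        f = FATAL_RE.match(line)
        if f:
            runs[-1].fatal = f.group(1)
        elif TERMINATED_RE.match(line):
            runs[-1].terminated = True
    return runs


def restart_gaps(runs: List[Run]) -> List[float]:
    """Seconds between consecutive worker starts."""
    return [(b.started - a.started).total_seconds() for a, b in zip(runs, runs[1:])]


def missing_listeners(run: Run, expected: Set[int]) -> Set[int]:
    """Expected ports (e.g. the iptables redirect targets) that this run never announced."""
    return expected - set(run.listeners)


def is_crash_looping(runs: List[Run], max_gap_seconds: float = 60.0) -> bool:
    """True when a run died on a FATAL and a new worker started within max_gap_seconds."""
    for prev, nxt in zip(runs, runs[1:]):
        if prev.fatal is not None and (nxt.started - prev.started).total_seconds() <= max_gap_seconds:
            return True
    return False


if __name__ == "__main__":
    runs = analyse_cache_log(SAMPLE_CACHE_LOG)
    for i, run in enumerate(runs, 1):
        print(f"run {i} started {run.started}: ports {sorted(run.listeners)}, fatal={run.fatal!r}")
    print("restart gaps (s):", restart_gaps(runs))
    # 3129/3127 are the intercept ports the iptables rules in the post redirect to.
    print("intercept ports missing in last run:", sorted(missing_listeners(runs[-1], {3127, 3129})))
    print("crash loop:", is_crash_looping(runs))
```

Pointing the script at a real /var/log/squid/cache.log (read the file into `analyse_cache_log`) gives a quick check that the intercept listeners came up after each restart and flags repeated FATAL-then-restart cycles, which is the signal worth alerting on when a bump configuration is being changed.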