[squid-users] connecting directly to ssl-bump intercept port causes runaway CPU

Jason Haar Jason_Haar at trimble.com
Wed Nov 12 04:49:18 UTC 2014


Hi there

I was reading this list about the issue with google.com and was playing
around - and I used telnet to connect directly to the intercept ssl-bump
port. End result was squid immediately went to 99% CPU, and the
cache.log started reporting

WARNING! Your cache is running out of filedescriptors
WARNING! Your cache is running out of filedescriptors
WARNING! Your cache is running out of filedescriptors

The box staggered to its knees, so I had to kill squid. Restarted it
and everything is fine - until I do that again. If I let the network
redirecting work (i.e. make outbound port 443 connections), this doesn't
happen - it's only if I directly connect to the intercept port.

I have my "http_port intercept" and "https_port intercept" set
identically (except for the ssl stuff of course), and yet if I telnet to
the http_port set to intercept, this does NOT happen - it works fine...

Any ideas where I should look to see what's causing the grief? This is
squid-3.4.9. "127.0.0.1" is in /etc/squid/SSL_noIntercept_sites.txt, but
not the ethernet IP nor hostname of the proxy if that matters.

#egrep '^(https?_port|ssl)|SSL_nonHTTPS|SSL_noInter' /etc/squid/squid.conf
http_port 3128
http_port 3126 ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
http_port 3129 intercept
https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
acl SSL_nonHTTPS_sites dstdom_regex "/etc/squid/SSL_nonHTTPS_sites.txt"
acl SSL_noIntercept_sites dstdom_regex "/etc/squid/SSL_noIntercept_sites.txt"
ssl_bump none SSL_nonHTTPS_sites
ssl_bump none SSL_noIntercept_sites
ssl_bump server-first all
sslproxy_cert_error allow SSL_nonHTTPS_sites
sslproxy_cert_error allow all

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
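The configuration quoted in the post is worth reading with a small audit script rather than by eye, because the mail client wrapped the long port lines and because two of the directives decide how much protection the bumped clients keep. The script below is an added example, not code from the post or from the Squid project: it joins backslash-continued lines (squid.conf supports them), lists each http_port/https_port with its intercept/ssl-bump state and signing cert, and flags `sslproxy_cert_error allow all`, which tells Squid to accept upstream server certificates that fail validation on every bumped connection. The sample text is constructed from the post's directives, and the function names (`logical_lines`, `parse_ports`, `audit`) are this example's own.

```python
"""Audit the ssl-bump related directives of a squid.conf (Squid 3.4 syntax).

Added example, not from the original post or the Squid project. The sample
configuration is constructed from the directives the post shows.
"""

# Constructed sample: the post's grep output, with the wrapped port lines
# written as backslash continuations so the joining logic gets exercised.
SAMPLE_CONF = """\
http_port 3128
http_port 3126 ssl-bump cert=/etc/squid/squid-CA.cert \\
    capath=/etc/ssl/certs/ generate-host-certificates=on \\
    dynamic_cert_mem_cache_size=256MB options=ALL
http_port 3129 intercept
https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert \\
    capath=/etc/ssl/certs/ generate-host-certificates=on \\
    dynamic_cert_mem_cache_size=256MB options=ALL
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
acl SSL_nonHTTPS_sites dstdom_regex "/etc/squid/SSL_nonHTTPS_sites.txt"
acl SSL_noIntercept_sites dstdom_regex "/etc/squid/SSL_noIntercept_sites.txt"
ssl_bump none SSL_nonHTTPS_sites
ssl_bump none SSL_noIntercept_sites
ssl_bump server-first all
sslproxy_cert_error allow SSL_nonHTTPS_sites
sslproxy_cert_error allow all
"""


def logical_lines(text):
    """Yield one directive per item: blank lines and '#' comments dropped,
    trailing-backslash continuations joined into a single directive."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        yield (pending + line).strip()
        pending = ""
    if pending:
        yield pending.strip()


def parse_ports(lines):
    """Return each http_port/https_port with the options that matter for bumping."""
    ports = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("http_port", "https_port"):
            continue
        opts = parts[2:]
        kv = dict(o.split("=", 1) for o in opts if "=" in o)
        ports.append({
            "directive": parts[0],
            "listen": parts[1],
            "intercept": "intercept" in opts,
            "ssl_bump": "ssl-bump" in opts,
            "cert": kv.get("cert"),
        })
    return ports


def audit(conf_text):
    """Return (ports, findings) for the given squid.conf text."""
    lines = list(logical_lines(conf_text))
    ports = parse_ports(lines)
    findings = []

    # A bumping port cannot mint host certificates without a signing cert.
    for p in ports:
        if p["ssl_bump"] and not p["cert"]:
            findings.append("%s %s: ssl-bump without cert=" % (p["directive"], p["listen"]))

    bump_rules = []
    for line in lines:
        parts = line.split()
        # 'allow all' here means upstream certificate validation failures are
        # ignored for every bumped site, so clients never see a cert error.
        if parts[0] == "sslproxy_cert_error" and parts[1:] == ["allow", "all"]:
            findings.append("sslproxy_cert_error allow all: upstream certificate "
                            "errors ignored for all sites")
        if parts[0] == "ssl_bump":
            bump_rules.append(parts[1:])

    # ssl_bump is first-match; rules after one ending in 'all' are unreachable.
    for i, rule in enumerate(bump_rules):
        if rule[-1:] == ["all"] and i < len(bump_rules) - 1:
            findings.append("ssl_bump: %d rule(s) after 'ssl_bump %s' can never match"
                            % (len(bump_rules) - 1 - i, " ".join(rule)))
            break
    return ports, findings


if __name__ == "__main__":
    found_ports, found_findings = audit(SAMPLE_CONF)
    for p in found_ports:
        print(p)
    for f in found_findings:
        print("FINDING:", f)
```

Run it against a real file with `audit(open("/etc/squid/squid.conf").read())`; on the posted configuration it reports the four ports and a single finding, the blanket `sslproxy_cert_error allow all`.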
