[squid-users] RE Peek and Splice error SSL_accept failed

James Lay jlay at slave-tothe-box.net
Fri Jul 24 12:36:18 UTC 2015 

On Fri, 2015-07-24 at 12:09 +0000, Sebastian Kirschner wrote:

> Hi ,
> 
> I minimized the configuration a little bit(you could see it at the bottom of these message).
> 
> Also I still try to understand why these error happen , I increased the Debug level and saw that squid tried 48 times to peek but failed.
> At the end It says that it got an "Hello", does it mean that squid received after 48 tries the "Hello" ?
> 
> If yes why it does need so many tries ?
> 
> -> Part of debug log <-
> 2015/07/24 11:05:42.866 kid1| client_side.cc(4242) clientPeekAndSpliceSSL: Start peek and splice on FD 11
> 2015/07/24 11:05:42.866 kid1| bio.cc(120) read: FD 11 read 11 <= 11
> 2015/07/24 11:05:42.866 kid1| bio.cc(146) readAndBuffer: read 11 out of 11 bytes
> 2015/07/24 11:05:42.866 kid1| bio.cc(150) readAndBuffer: recorded 11 bytes of TLS client Hello
> 2015/07/24 11:05:42.866 kid1| ModEpoll.cc(116) SetSelect: FD 11, type=1, handler=1, client_data=0x7effbd078458, timeout=0
> 2015/07/24 11:05:42.866 kid1| client_side.cc(4245) clientPeekAndSpliceSSL: SSL_accept failed.
> .
> .
> .
> 2015/07/24 11:05:42.874 kid1| client_side.cc(4242) clientPeekAndSpliceSSL: Start peek and splice on FD 11
> 2015/07/24 11:05:42.874 kid1| bio.cc(120) read: FD 11 read 6 <= 11
> 2015/07/24 11:05:42.874 kid1| bio.cc(146) readAndBuffer: read 6 out of 11 bytes
> 2015/07/24 11:05:42.874 kid1| bio.cc(150) readAndBuffer: recorded 6 bytes of TLS client Hello
> 2015/07/24 11:05:42.875 kid1| SBuf.cc(152) assign: SBuf2040 from c-string, n=0)
> 2015/07/24 11:05:42.875 kid1| SBuf.cc(152) assign: SBuf2038 from c-string, n=13)
> 2015/07/24 11:05:42.875 kid1| ModEpoll.cc(116) SetSelect: FD 11, type=1, handler=1, client_data=0x7effbd078458, timeout=0
> 2015/07/24 11:05:42.875 kid1| client_side.cc(4245) clientPeekAndSpliceSSL: SSL_accept failed.
> 2015/07/24 11:05:42.875 kid1| SBuf.cc(152) assign: SBuf2025 from c-string, n=4294967295)
> 2015/07/24 11:05:42.875 kid1| client_side.cc(4259) clientPeekAndSpliceSSL: I got hello. Start forwarding the request!!!
> 
> -> new configuration <-
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> 
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> 
> # Listening Ports
> http_port 127.0.0.1:3120
> http_port 192.168.1.104:3128 intercept
> https_port 192.168.1.104:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/squid3/ssl_cert/myCA.pem
> 
> # some configuration options
> cache_effective_user proxy
> cache_effective_group proxy
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> pinger_enable on
> pinger_program /lib/squid3/pinger
> sslproxy_capath /etc/ssl/certs
> sslcrtd_program /lib/squid3/ssl_crtd -s /var/squid/certs -M 4MB -b 2048
> 
> #ACLs
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl bypass ssl::server_name www.google.de
> 
> ssl_bump peek step1
> ssl_bump splice bypass step2
> ssl_bump bump all
> 
> # Debugging if needeed
> debug_options all,6 6,0 16,0 18,0 19,0 20,0 32,0 47,0 79,0 90,0 92,0
> 
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid3
> 
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 
> 
> Mit freundlichen Grüßen / Best Regards
> 
> Sebastian
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users


Is that all sites or just a few special sites?

James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150724/587c83c6/attachment-0001.html>

More information about the squid-users mailing list