[squid-users] ssl_crtd process doesn't start with Squid 3.5.6

Stanford Prescott stan.prescott at gmail.com
Fri Jul 24 22:25:34 UTC 2015


I have a working implementation of Squid 3.5.5 with ssl-bump. When 3.5.5 is
started with ssl-bump enabled, all the squid and ssl_crtd processes start
and Squid functions as intended when bumping SSL sites. However, when I
bump Squid to 3.5.6, squid seems to start but ssl_crtd does not, and Squid
3.5.6 cannot successfully bump SSL.

These are the config options I use for both 3.5.5 and 3.5.6.

--enable-storeio="diskd,ufs,aufs" --enable-linux-netfilter \
--enable-removal-policies="heap,lru" --enable-delay-pools \
--libdir=/usr/lib/ \
--localstatedir=/var --with-dl --with-openssl --enable-http-violations \
--with-large-files --with-libcap --disable-ipv6 \
--with-swapdir=/var/spool/squid \
--enable-ssl-crtd --enable-follow-x-forwarded-for

This is the squid.conf file used for both versions.

visible_hostname smoothwallu3

# Uncomment the following to send debug info to /var/log/squid/cache.log
debug_options ALL,1 33,2 28,9

# ACCESS CONTROLS
# ----------------------------------------------------------------
acl localhostgreen src 10.20.20.1
acl localnetgreen src 10.20.20.0/24

acl SSL_ports port 445 443 441 563
acl Safe_ports port 80                # http
acl Safe_ports port 81                # smoothwall http
acl Safe_ports port 21                # ftp
acl Safe_ports port 445 443 441 563   # https, snews
acl Safe_ports port 70                # gopher
acl Safe_ports port 210               # wais
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280               # http-mgmt
acl Safe_ports port 488               # gss-http
acl Safe_ports port 591               # filemaker
acl Safe_ports port 777               # multiling http

acl CONNECT method CONNECT

# TAG: http_access
# ----------------------------------------------------------------

http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnetgreen
http_access allow CONNECT localnetgreen

http_access allow localhostgreen
http_access allow CONNECT localhostgreen

# http_port and https_port
#----------------------------------------------------------------------------

# For forward-proxy port. Squid uses this port to serve error pages, ftp
# icons and communication with other proxies.
#----------------------------------------------------------------------------
http_port 3127

http_port 10.20.20.1:800 intercept
https_port 10.20.20.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem


http_port 127.0.0.1:800 intercept

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_session_cache_size 4 MB

ssl_bump none localhostgreen

acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1
ssl_bump bump all

sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5

http_access deny all

cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF

# CACHE OPTIONS
#----------------------------------------------------------------------------
cache_effective_user squid
cache_effective_group squid

cache_swap_high 100
cache_swap_low 80

cache_access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB

cache_dir diskd /var/spool/squid/cache 1024 16 256

maximum_object_size 33 MB

minimum_object_size 0 KB


request_body_max_size 0 KB

# OTHER OPTIONS
#----------------------------------------------------------------------------
#via off
forwarded_for off

pid_filename /var/run/squid.pid

shutdown_lifetime 30 seconds
icp_port 3130

half_closed_clients off
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all

umask 022

logfile_rotate 0

strip_query_terms off

redirect_program /usr/sbin/squidGuard
url_rewrite_children 5

And here is the cache.log file when starting 3.5.6 with debug options on in
squid.conf:

2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL adaptation_access
2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.230| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.231| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06.232| Acl.cc(380) ~ACL: freeing ACL
2015/07/24 17:15:06 kid1| Current Directory is /
2015/07/24 17:15:06 kid1| Starting Squid Cache version 3.5.6 for i586-pc-linux-gnu...
2015/07/24 17:15:06 kid1| Service Name: squid
2015/07/24 17:15:06 kid1| Process ID 2907
2015/07/24 17:15:06 kid1| Process Roles: worker
2015/07/24 17:15:06 kid1| With 1024 file descriptors available
2015/07/24 17:15:06 kid1| Initializing IP Cache...
2015/07/24 17:15:06 kid1| DNS Socket created at 0.0.0.0, FD 8
2015/07/24 17:15:06 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2015/07/24 17:15:06 kid1| helperOpenServers: Starting 0/5 'squidGuard' processes
2015/07/24 17:15:06 kid1| helperOpenServers: No 'squidGuard' processes needed.
2015/07/24 17:15:06 kid1| Logfile: opening log stdio:/var/log/squid/access.log
2015/07/24 17:15:06 kid1| Unlinkd pipe opened on FD 15
2015/07/24 17:15:06 kid1| Store logging disabled
2015/07/24 17:15:06 kid1| Swap maxSize 1048576 + 65536 KB, estimated 85700 objects
2015/07/24 17:15:06 kid1| Target number of buckets: 4285
2015/07/24 17:15:06 kid1| Using 8192 Store buckets
2015/07/24 17:15:06 kid1| Max Mem size: 65536 KB
2015/07/24 17:15:06 kid1| Max Swap size: 1048576 KB
2015/07/24 17:15:06 kid1| Rebuilding storage in /var/spool/squid/cache (dirty log)
2015/07/24 17:15:06 kid1| Using Least Load store dir selection
2015/07/24 17:15:06 kid1| Current Directory is /
2015/07/24 17:15:06 kid1| Finished loading MIME types and icons.
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d218 [call5]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c) [call5]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d3a8 [call7]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc) [call7]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d510 [call9]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544) [call9]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x946d6b0 [call11]
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4) [call11]
2015/07/24 17:15:06.578 kid1| HTCP Disabled.
2015/07/24 17:15:06.578 kid1| Squid plugin modules loaded: 0
2015/07/24 17:15:06.578 kid1| Adaptation support is on
2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call5]
2015/07/24 17:15:06.578 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3127 remote=[::] FD 20 flags=9
2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3127 remote=[::] FD 20 flags=9, err=0, HTTP Socket port=0x946d24c)
2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
2015/07/24 17:15:06.578 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call7]
2015/07/24 17:15:06.578 kid1| Accepting NAT intercepted HTTP Socket connections at local=10.20.20.1:800 remote=[::] FD 21 flags=41
2015/07/24 17:15:06.578 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:800 remote=[::] FD 21 flags=41, err=0, HTTP Socket port=0x946d3dc)
2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call9]
2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted HTTP Socket connections at local=127.0.0.1:800 remote=[::] FD 22 flags=41
2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=127.0.0.1:800 remote=[::] FD 22 flags=41, err=0, HTTP Socket port=0x946d544)
2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
2015/07/24 17:15:06.579 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call11]
2015/07/24 17:15:06.579 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=10.20.20.1:808 remote=[::] FD 23 flags=41
2015/07/24 17:15:06.579 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=10.20.20.1:808 remote=[::] FD 23 flags=41, err=0, HTTPS Socket port=0x946d6e4)
2015/07/24 17:15:06.579 kid1| Accepting ICP messages on 0.0.0.0:3130
2015/07/24 17:15:06.579 kid1| Sending ICP messages from 0.0.0.0:3130
2015/07/24 17:15:06.579 kid1| Done reading /var/spool/squid/cache swaplog (12 entries)
2015/07/24 17:15:06.579 kid1| Finished rebuilding storage from disk.
2015/07/24 17:15:06.579 kid1|        12 Entries scanned
2015/07/24 17:15:06.579 kid1|         0 Invalid entries.
2015/07/24 17:15:06.579 kid1|         0 With invalid flags.
2015/07/24 17:15:06.579 kid1|        12 Objects loaded.
2015/07/24 17:15:06.579 kid1|         0 Objects expired.
2015/07/24 17:15:06.579 kid1|         0 Objects cancelled.
2015/07/24 17:15:06.579 kid1|         0 Duplicate URLs purged.
2015/07/24 17:15:06.579 kid1|         0 Swapfile clashes avoided.
2015/07/24 17:15:06.579 kid1|   Took 0.06 seconds (210.47 objects/sec).
2015/07/24 17:15:06.579 kid1| Beginning Validation Procedure
2015/07/24 17:15:06.579 kid1|   Completed Validation Procedure
2015/07/24 17:15:06.579 kid1|   Validated 12 Entries
2015/07/24 17:15:06.579 kid1|   store_swap_size = 1444.00 KB
2015/07/24 17:15:07 kid1| storeLateRelease: released 0 objects

Any help or suggestions greatly appreciated.

Regards

Stan
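One way to sanity-check the ssl-bump directives of a squid.conf before restarting, as an added Python example that is not code from the post or from the Squid project. The config excerpt is constructed from the post's directives, the path-existence check is injectable so it runs offline, and the index.txt check assumes the ssl_db directory was created with `ssl_crtd -c -s <dir>`.

```python
import os
import re

# Constructed excerpt of the post's ssl-bump directives (not the full squid.conf).
SAMPLE_CONF = """\
https_port 10.20.20.1:808 intercept ssl-bump generate-host-certificates=on \\
dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s \\
/var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5
"""

def parse_conf(text):
    """Join backslash-continued lines, strip comments, return (directive, [args]) pairs."""
    joined = re.sub(r"\\\n\s*", " ", text)
    entries = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, rest = line.partition(" ")
            entries.append((name, rest.split()))
    return entries

def check_sslbump(text, path_exists=os.path.exists):
    """Return findings: MISSING = helper cannot start, RISK = upstream TLS checks disabled."""
    entries = parse_conf(text)
    conf = dict(entries)  # later lines win, as in squid, for the single-value directives used here
    findings = []
    prog = conf.get("sslcrtd_program", [])
    if not prog or not path_exists(prog[0]):
        findings.append("MISSING: ssl_crtd helper binary (sslcrtd_program)")
    if "-s" in prog:
        db = prog[prog.index("-s") + 1]
        # assumption: ssl_crtd -c -s <dir> writes index.txt there; absent means uninitialised db
        if not path_exists(os.path.join(db, "index.txt")):
            findings.append("MISSING: ssl_db not initialised at " + db)
    for name, args in entries:
        if name == "https_port" and "ssl-bump" in args:
            cert = next((a[5:] for a in args if a.startswith("cert=")), None)
            if cert is None or not path_exists(cert):
                findings.append("MISSING: usable CA certificate (cert=) on ssl-bump https_port")
    if conf.get("sslproxy_cert_error") == ["allow", "all"]:
        findings.append("RISK: sslproxy_cert_error allow all ignores every server cert error")
    if "DONT_VERIFY_PEER" in conf.get("sslproxy_flags", []):
        findings.append("RISK: sslproxy_flags DONT_VERIFY_PEER skips server cert verification")
    return findings
```

Run it against the real file with `check_sslbump(open("/path/to/squid.conf").read())`; the two RISK lines flag that this configuration accepts any upstream certificate, so a bumped client cannot detect a forged site.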