[squid-users] SSL bumping without faked server certificates

Alex Rousskov rousskov at measurement-factory.com
Sat Nov 14 22:52:43 UTC 2015

On 11/14/2015 12:42 PM, Stefan Kutzke wrote:

> I have built a RPM package with latest 3.5.11 source based
> on http://www1.ngtech.co.il/repo/centos/6/SRPMS/squid-3.5.9-1.el6.src.rpm
> Squid is configured with SSL bump similar to the configuration suggested
> by Sebastian.


> 2015/11/10 19:24:30.181 kid1| 33,5|...
> 2015/11/10 19:25:30.016 kid1| 33,3| AsyncCall.cc(93) ScheduleCall:
> IoCallback.cc(135) will call
> ConnStateData::clientPinnedConnectionRead(local=
> remote= FD 15 flags=1, flag=-10, data=0x19ced08)
> [call349]

This one second gap after a successful SSL negotiation with the origin
server is rather suspicious, but I am going to ignore it, go out on a
limb, and speculate that you might be suffering from the "Handshake
Problem during Renegotiation" bug that we recently fixed. I do not think
the fix has made it into v3.5 branch yet, but you can get our v3.5 patch


If that fix does not help, I recommend the following:

1. Reproduce the same bug with debug_options set to ALL,9.

2. File a new bug report in Squid bugzilla and post [compressed]
cache.log or a link to that log there. You may also post here, but it is
easier to track progress in bugzilla.

Thank you,


More information about the squid-users mailing list