[squid-users] HTTPS woes

Olly Lennox oliver at lennox-it.uk
Wed Apr 19 23:35:38 UTC 2017


Hi Alex,


Thanks for your response. I can confirm that disabling the ssl session cache seems to have resolved the issue. I found another post which references this patch to resolve the issue:

http://www.squid-cache.org/Versions/v4/changesets/squid-4-13984.patch

I've checked the source in main.cc and this seems quite different to what I have in 3.5.23 so I guess it would involve an upgrade to version 4? After the blood and tears I have gone through to get 3.5 working I don't think I'm ready to make that leap yet!!

I checked and the /dev/shm directory does exist with 777 permissions so from what I can see the OS should support it. I'm out of my depth here so maybe there is more to it but I can't see why squid couldn't write to this location.
oliver at lennox-it.uk
lennox-it.uk
tel: 07900 648 252



________________________________
From: Alex Rousskov <rousskov at measurement-factory.com>
To: "'squid-users at squid-cache. org'" <squid-users at squid-cache.org> 
Cc: Olly Lennox <oliver at lennox-it.uk>
Sent: Thursday, 20 April 2017, 0:13
Subject: Re: [squid-users] HTTPS woes



On 04/19/2017 04:48 PM, Olly Lennox wrote:

> After further investigation the problem is something to do with permissions related to ssl_crtd.

No, it is not (or at least not yet).


> I can run squid as root but using the default account (proxy?) it
> won't run and is giving this error in cache.log:

> 2017/04/19 23:43:54 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
> FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory

The FATAL line is unrelated to the ssl_crtd line above it (this is one
of several problems with FATAL error handling in Squid).


> I've checked the file and folder permissions across all aspects of
> squid and everything I can see is owned by proxy:proxy so not sure
> where it is failing.

Squid is failing when trying to open a shared memory segment used for
storing SSL sessions. This probably means two things:

1. Your OS environment is not compatible with Squid shared memory needs
(e.g., missing /dev/shm/ or equivalent). More info at
http://wiki.squid-cache.org/Features/SmpScale#Ipc::Mem::Segment::create_failed_to_shm_open.28....29:_.282.29_No_such_file_or_directory

2. There is a bug in Squid: Squid should not create shared memory
segments when running in non-SMP mode. Please consider reporting this
bug if it has not been reported already. At the expense of losing SSL
session resumption capabilities, you should be able to work around this
bug by disabling the session cache:
http://www.squid-cache.org/Doc/config/sslproxy_session_cache_size/


HTH,

Alex.



> acl SSL_ports port 443 
> acl Safe_ports port 80        # http 
> acl Safe_ports port 21        # ftp 
> acl Safe_ports port 443        # https 
> acl Safe_ports port 70        # gopher 
> acl Safe_ports port 210        # wais 
> acl Safe_ports port 1025-65535    # unregistered ports 
> acl Safe_ports port 280        # http-mgmt 
> acl Safe_ports port 488        # gss-http 
> acl Safe_ports port 591        # filemaker 
> acl Safe_ports port 777        # multiling http 
> acl CONNECT method CONNECT 
> 
> http_access deny !Safe_ports 
> http_access deny CONNECT !SSL_ports 
> http_access allow all 
> 
> http_port 3130 
> 
> http_port 3128 intercept 
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem 
> 
> acl step1 at_step SslBump1 
> ssl_bump peek step1 
> ssl_bump bump all 
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE 
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS 
> sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem 
> 
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB 
> sslcrtd_children 8 startup=1 idle=1 
> 
> coredump_dir /var/spool/squid 
> 
> # Add any of your own refresh_pattern entries above these. 
> refresh_pattern ^ftp:        1440    20%    10080 
> refresh_pattern ^gopher:    1440    0%    1440 
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0 
> refresh_pattern .        0    20%    4320 
> 
> cache_dir ufs /cache 400 16 256 
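As an added illustration of Alex's diagnosis above (example code, not Squid's source and not part of this thread): a small C probe that opens a POSIX shared-memory segment the way Squid's Segment::open does, without O_CREAT, and returns the errno, so the "(2) No such file or directory" in cache.log can be told apart from a genuine permission error. It assumes glibc's default shm directory /dev/shm; the segment names used in the comments and tests are constructed.

```c
/* Added diagnostic, not Squid code and not from this thread. Squid's
 * Ipc::Mem::Segment::open() calls shm_open(name, O_RDWR) with no O_CREAT:
 * a worker expects the master to have created the segment. glibc turns
 * shm_open(name) into open() of /dev/shm/<name>, so "(2) No such file or
 * directory" means the directory is missing or the segment was never
 * created; a permission problem would give "(13) Permission denied". */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define SHM_DIR "/dev/shm" /* assumption: glibc's default shm directory */

/* Map a shm name like "/squid-ssl_session_cache.shm" to the path glibc
 * opens. Returns 0, or -1 if it does not fit in buf. */
static int shm_path(const char *name, char *buf, size_t len) {
    while (*name == '/') name++; /* glibc strips leading slashes too */
    return snprintf(buf, len, "%s/%s", SHM_DIR, name) < (int)len ? 0 : -1;
}

/* Open an existing segment as Segment::open does (no O_CREAT).
 * Returns 0 on success, otherwise errno (2 = ENOENT, 13 = EACCES). */
int probe_segment(const char *name) {
    char path[512];
    if (shm_path(name, path, sizeof path) != 0) return ENAMETOOLONG;
    int fd = open(path, O_RDWR);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Create the segment as the master would (0600, fail if it exists). */
int create_segment(const char *name) {
    char path[512];
    if (shm_path(name, path, sizeof path) != 0) return ENAMETOOLONG;
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* shm_unlink() equivalent. Returns 0 or errno. */
int remove_segment(const char *name) {
    char path[512];
    if (shm_path(name, path, sizeof path) != 0) return ENAMETOOLONG;
    return unlink(path) == 0 ? 0 : errno;
}
```

Running probe_segment("/squid-ssl_session_cache.shm") on the affected host while squid is not running returns 2 (ENOENT), the same errno as the cache.log line, whereas a proxy:proxy ownership problem would return 13 (EACCES).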

