[squid-users] SSL TAG_NONE/503 errors
Hugo Saavedra
hugo.saavedra.oteiza at gmail.com
Wed Dec 6 19:06:36 UTC 2017
ok,
Alex, this are the errors on cache.log (for 2 different tests)
2017/12/06 16:01:52 kid1| Error negotiating SSL on FD 18:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure (1/-1/0)
2017/12/06 16:01:52 kid1| Error negotiating SSL on FD 25:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure (1/-1/0)
2017/12/06 16:01:52 kid1| Error negotiating SSL on FD 26:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure (1/-1/0)
2017/12/06 16:02:10 kid1| send: (111) Connection refused
2017/12/06 16:02:10 kid1| Closing Pinger socket on FD 36
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 67:
error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 68:
error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 70:
error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 69:
error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 75:
error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 74:
error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:37 kid1| Error negotiating SSL connection on FD 61:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
(1/0)
Best,
Hugo
2017-12-06 15:54 GMT-03:00 Alex Rousskov <rousskov at measurement-factory.com>:
> On 12/06/2017 11:45 AM, Hugo Saavedra wrote:
>
>> Currently we have cache.log disabled for performance.
>
> With default debug_options, cache.log should not affect performance. If
> it does in your setup, then there is probably a problem that you should
> solve (without disabling cache.log).
>
>
>> any clues?
>
> You are probably not supplying enough information for others to guess
> what the problem is. Enabling cache.log may be the best next step. You
> can also try logging %err_code/%err_detail to access.log but not all
> errors populate those two logformat %codes so YMMV.
>
> Alex.
>
>
>> 2017-12-06 14:51 GMT-03:00 Enrico Heine <flashdown at data-core.org>:
>>> Hi,
>>>
>>> Can you confirm that squid is able to resolve these hostnames? If not try
>>> browsing to them without https and check if squid gives you an error
>>> message.
>>>
>>> Did you check the cache.log as well?
>>>
>>> Br Enrico
>>>
>>> Am 6. Dezember 2017 17:38:24 MEZ schrieb Hugo Saavedra
>>> <hugo.saavedra.oteiza at gmail.com>:
>>>>
>>>> Hi All,
>>>>
>>>> We have the following setup of a transparent squid box:
>>>> OS: CentOS release 6.9 (Final)
>>>> Squid Cache: Version 3.5.26-20170625-r14174
>>>> Compile options:
>>>> '--with-included-ltdl' '--enable-icap-client'
>>>> '--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd'
>>>> '--enable-icmp' '--enable-snmp' '--prefix=/usr'
>>>> '--includedir=/usr/include' '--datadir=/usr/share'
>>>> '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
>>>> '--localstatedir=/var' '--sysconfdir=/etc/squid'
>>>> --enable-ltdl-convenience
>>>>
>>>> Endpoints are redirected to the Squid box using a policy route for
>>>> TCP80/443 on a Fortigate firewall. All http/80 traffic works well. We
>>>> are using ssl bump for ssl, but there is an strange behavior, some
>>>> websites opens well, but some ones breaks and getting TAG_NONE/503
>>>> errors in the access log:
>>>>
>>>> 1512561423.930 1 192.168.1.108 TAG_NONE/503 31435 POST
>>>> https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/-
>>>> text/html
>>>> 1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET
>>>>
>>>> https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65?
>>>> - HIER_NONE/- text/html
>>>> 1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET
>>>> https://service.weather.microsoft.com/appex/DesktopTile/Badge? -
>>>> HIER_NONE/- text/html
>>>> 1512566858.355 186 192.168.1.104 TAG_NONE/503 31436 GET
>>>>
>>>> https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp
>>>> - HIER_NONE/- text/html
>>>>
>>>> In the same time-range, other websites loads well
>>>>
>>>> 1512561134.548 306 192.168.1.112 TCP_MISS/302 572 GET
>>>> https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12
>>>> image/gif
>>>> 1512561139.701 216 192.168.1.148 TCP_MISS/200 386 POST
>>>> https://cloud-ecs.gravityzone.bitdefender.com/hydra-
>>>> ORIGINAL_DST/107.20.215.8 application/json
>>>> 1512561142.180 13 192.168.1.112 TCP_MISS/200 419 GET
>>>> https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
>>>> 1512561142.410 243 192.168.1.112 TCP_MISS/200 286 GET
>>>> https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21
>>>> text/javascript
>>>>
>>>>
>>>> IPTABLES CONFIGURATION
>>>> =======================
>>>> # PREROUTING INTERCEPT PBR
>>>>
>>>> *nat
>>>> :PREROUTING ACCEPT [0:0]
>>>> :POSTROUTING ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [0:0]
>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports
>>>> 3128
>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports
>>>> 3129
>>>> COMMIT
>>>>
>>>> *filter
>>>> :INPUT ACCEPT [0:0]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [0:0]
>>>>
>>>> #WEB
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>>> --dport 80 -j ACCEPT
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>>> --dport 443 -j ACCEPT
>>>>
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>>> --dport 3128 -j ACCEPT
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>>> --dport 3129 -j ACCEPT
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>>> --dport 3130 -j ACCEPT
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>>> --dport 3131 -j ACCEPT
>>>>
>>>> #default
>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>> -A INPUT -p icmp -j ACCEPT
>>>> -A INPUT -i lo -j ACCEPT
>>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>>>> COMMIT
>>>>
>>>>
>>>> SQUID CONFIGURATION
>>>> ====================
>>>>
>>>> #WHITE LIST
>>>> acl exclWL url_regex "/etc/squid/white_url.squid"
>>>> acl neoWL url_regex "/etc/squid/neowl.squid"
>>>> http_access allow exclWL
>>>> http_access allow neoWL
>>>> cache deny exclWL
>>>> cache deny neoWL
>>>> always_direct allow exclWL
>>>> always_direct allow neoWL
>>>>
>>>> #Malicious URLs
>>>> acl dom url_regex "/etc/squid/dom.squid"
>>>> acl cc url_regex "/etc/squid/cc.squid"
>>>> http_access deny dom
>>>> http_access deny cc
>>>>
>>>> #BLACK LIST
>>>> acl exclBL url_regex "/etc/squid/black_url.squid"
>>>> acl neoBL url_regex "/etc/squid/neobl.squid"
>>>> http_access deny exclBL
>>>> http_access deny neoBL
>>>>
>>>> #ACLS BASE
>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>> acl localnet src fc00::/7 # RFC 4193 local private network range
>>>> acl localnet src fe80::/10 # RFC 4291 link-local (directly
>>>> plugged) machines
>>>> acl SSL_ports port 443
>>>> acl SSL_ports port 3129
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 # https
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl CONNECT method CONNECT
>>>> acl HTTPS proto HTTPS
>>>>
>>>> include /etc/squid/acls_whitelist.conf
>>>> acl useragent browser "/etc/squid/useragent.squid"
>>>> range_offset_limit 0 !useragent
>>>> minimum_object_size 0 bytes
>>>> maximum_object_size 3 GB
>>>> quick_abort_min -1
>>>> delay_pools 1
>>>> delay_class 1 1
>>>> delay_parameters 1 128000/128000
>>>> delay_access 1 deny SSL_ports
>>>> delay_access 1 allow !useragent
>>>> delay_access 1 deny all
>>>>
>>>> #cache conf
>>>> max_filedescriptors 24576
>>>> memory_cache_mode disk
>>>> cache_mem 0 MB
>>>> cache allow all
>>>> minimum_object_size 0 bytes
>>>> maximum_object_size 20 MB
>>>> sslproxy_flags DONT_VERIFY_PEER
>>>> connect_timeout 8 seconds
>>>>
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localhost manager
>>>> http_access deny manager
>>>> http_access allow localnet
>>>> http_access allow localhost
>>>> http_access deny all
>>>> reply_header_access Alternate-Protocol deny all
>>>>
>>>> http_port 3130
>>>> http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem
>>>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>>> http_port 3128 intercept
>>>> https_port 3129 intercept ssl-bump generate-host-certificates=on
>>>> dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem
>>>>
>>>> cache_dir ufs /var/cache/squid 9000 16 256
>>>> cache_store_log /var/log/squid/store.log
>>>> cache_effective_user squid
>>>> visible_hostname Proxy
>>>>
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 2 20% 10
>>>> refresh_pattern . 2 20% 10 ignore-reload
>>>> override-expire ignore-no-cache ignore-no-store store-stale
>>>> ignore-private ignore-must-revalidate ignore-auth
>>>> refresh_pattern -i
>>>> \.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1
>>>> 20% 4 override-expire ignore-no-cache ignore-no-store ignore-private
>>>> reload-into-ims
>>>>
>>>>
>>>> #SSL BUMP
>>>> include /etc/squid/ssl.conf
>>>>
>>>> #LOGGING
>>>> access_log /var/log/squid/access.log
>>>> access_log /var/log/squid/access_c2.log cc
>>>> access_log /var/log/squid/access_c2.log dom
>>>> access_log /var/log/squid/splc.log excludeSSL
>>>> cache_log /dev/null
>>>> coredump_dir /var/cache/squid
>>>>
>>>> #ICAP
>>>> icap_enable on
>>>> icap_send_client_ip on
>>>> icap_send_client_username on
>>>> icap_client_username_header X-Authenticated-User
>>>> icap_service service_req reqmod_precache bypass=1
>>>> icap://127.0.0.1:1344/squidclamav
>>>> adaptation_access service_req allow useragent
>>>> icap_service service_resp respmod_precache bypass=1
>>>> icap://127.0.0.1:1344/squidclamav
>>>> adaptation_access service_resp allow useragent
>>>>
>>>> #X FORWARDED FOR
>>>> forwarded_for on
>>>>
>>>> SSL.conf
>>>> =======
>>>>
>>>> sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
>>>> sslproxy_cafile /etc/squid/intermediate_ca.pem
>>>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
>>>> sslcrtd_children 16 startup=5 idle=1
>>>>
>>>> acl FakeCert ssl::server_name .apple.com
>>>> acl FakeCert ssl::server_name .icloud.com
>>>> acl FakeCert ssl::server_name .mzstatic.com
>>>> acl FakeCert ssl::server_name .dropbox.com
>>>> acl ssl_step1 at_step SslBump1
>>>> acl ssl_step2 at_step SslBump2
>>>> acl ssl_step3 at_step SslBump3
>>>>
>>>> ssl_bump peek ssl_step1
>>>> ssl_bump splice GlobalWhitelistDSTNet
>>>> ssl_bump splice GlobalWhitelistDomainsRx
>>>> ssl_bump splice GlobalWhitelistDomains
>>>> ssl_bump splice FakeCert
>>>> ssl_bump bump ssl_step2 all
>>>> ssl_bump splice all
>>>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>>>> sslproxy_cipher
>>>>
>>>> ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>>>> sslproxy_flags DONT_VERIFY_PEER
>>>> sslproxy_cert_error allow all
>>>> sslproxy_cert_error deny all
>>>>
>>>> acls_whitelist.conf
>>>> =============
>>>>
>>>> acl WindowsUpdates dstdomain officecdn.microsoft.com
>>>> acl WindowsUpdates dstdomain windowsupdate.microsoft.com
>>>> acl WindowsUpdates dstdomain ntservicepack.microsoft.com
>>>> acl WindowsUpdates dstdomain download.microsoft.com
>>>> acl WindowsUpdates dstdomain .windowsupdate.com
>>>> acl WindowsUpdates dstdomain .windowsupdate.net
>>>> acl WindowsUpdates dstdomain .update.microsoft.com
>>>> acl WindowsUpdates dstdomain .mp.microsoft.com
>>>> acl WindowsUpdates dstdomain .ws.microsoft.com
>>>> acl GlobalWhitelistDomains dstdomain
>>>> "/etc/squid/acls_whitelist.dstdomain.conf"
>>>> acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf"
>>>> acl GlobalWhitelistDomainsRx dstdom_regex -i
>>>> "/etc/squid/acls_whitelist.dstdom_regex.conf"
>>>> acl GlobalWhitelistBrowsers browser -i
>>>> "/etc/squid/acls_whitelist.browser.conf"
>>>> http_access allow GlobalWhitelistDomains
>>>> url_rewrite_access deny GlobalWhitelistDomains
>>>> http_access allow GlobalWhitelistDSTNet
>>>> url_rewrite_access deny GlobalWhitelistDSTNet
>>>> http_access allow GlobalWhitelistDomainsRx
>>>> url_rewrite_access deny GlobalWhitelistDomainsRx
>>>> http_access allow GlobalWhitelistBrowsers
>>>>
>>>>
>>>> Any one with the same TAG_NONE/503 error, please help!?
>>>>
>>>> Regards,
>>>> Hugo
>>>> ________________________________
>>>>
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>>
>>> --
>>> Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.
>>
>>
>>
>
--
Saludos,
Hugo Saavedra
More information about the squid-users
mailing list