[squid-users] TCP FIN,ACK after ServerHelloDone with pcmag.com

Ahmad, Sarfaraz Sarfaraz.Ahmad at deshaw.com
Mon May 28 12:17:05 UTC 2018


I was wrong. It is not the remote server but Squid itself that is sending a FIN,ACK after ServerHelloDone.
At 8 seconds, ServerKeyExchange and ServerHelloDone are received by Squid. The cipher suite looks like ECDHE+RSA+SHA512 (Wireshark shows rsa_pkcs_sha512).
After about 60 more seconds (there is no activity on the wire during this period), Squid sends a FIN/ACK to the remote server, effectively closing the connection.
What debug_options should I be using for more relevant logging in cache.log? 26,9, 11,9 and 5,9 are not helping much.

I am adding a few log lines anyway.

2018/05/28 07:20:13.603 kid1| 5,4| AsyncCall.cc(26) AsyncCall: The AsyncCall clientLifetimeTimeout constructed, this=0x1c5e5f0 [call136782]
2018/05/28 07:20:13.603 kid1| 5,3| comm.cc(559) commSetConnTimeout: local=<Squid_IP>:3128 remote=<Client_IP>:64774 FD 13 flags=1 timeout 86400
2018/05/28 07:20:13.603 kid1| 11,5| HttpRequest.cc(460) detailError: current error details: 12/-2
2018/05/28 07:20:13.603 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=<Squid_IP>:3128 remote=<Client_IP>:64774 FD 13 flags=1
2018/05/28 07:20:13.603 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 503 Service Unavailable

After splicing, the web page opens just fine. That website (www.pcmag.com) has over 750 DNS names in the SAN field. The RFC does not set an upper bound on the number of DNS names you can have in there.

Regards,
Sarfaraz 

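The two candidate causes raised in this thread are the size of the server certificate's SAN list and the CA bundle (cafile=) handling on the proxy. The following Go program is an added example, not code from the thread or from Squid: it mints a throwaway CA and a leaf certificate carrying 800 DNS SANs entirely in memory (ECDSA P-256 rather than the RSA key the real site uses, and made-up hostN.example.test names), then runs standard X.509 path validation once with the CA loaded and once against an empty trust store, which stands in for a proxy whose CA file was never read. A SAN list of that size validates without complaint when the root is present; the only way to get a "certificate verify failed"-class result is to take the root away or ask for a hostname that is not in the list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// buildChain mints a throwaway CA and a leaf certificate signed by it.
// The leaf carries nSANs DNS names in subjectAltName, mimicking the very
// large SAN list on the site discussed in the thread. Keys, names and
// validity window are all constructed here; nothing touches the network.
func buildChain(nSANs int) (ca, leaf *x509.Certificate, err error) {
	if nSANs < 1 {
		return nil, nil, fmt.Errorf("need at least one SAN, got %d", nSANs)
	}
	now := time.Now()

	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Throwaway Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}

	// One DNS SAN per entry: host0.example.test ... host{n-1}.example.test (made-up names).
	names := make([]string, nSANs)
	for i := range names {
		names[i] = fmt.Sprintf("host%d.example.test", i)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return ca, leaf, nil
}

// verifyLeaf performs the checks a TLS client applies to the server
// certificate: build a chain to a trusted root and match the requested
// hostname against the SAN list. Passing an empty (non-nil) pool models a
// proxy whose configured CA bundle was not loaded; a nil pool would fall
// back to the system roots, which is not what we want to demonstrate.
func verifyLeaf(leaf *x509.Certificate, roots *x509.CertPool, hostname string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, leaf, err := buildChain(800)
	if err != nil {
		panic(err)
	}
	fmt.Printf("leaf carries %d DNS SANs\n", len(leaf.DNSNames))

	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("CA loaded, name in SAN list:   ", verifyLeaf(leaf, trusted, "host799.example.test"))
	fmt.Println("CA missing, name in SAN list:  ", verifyLeaf(leaf, x509.NewCertPool(), "host799.example.test"))
	fmt.Println("CA loaded, name not in list:   ", verifyLeaf(leaf, trusted, "other.example.test"))
}
```

Run it with `go run main.go`. The first verification returns nil, the second an x509.UnknownAuthorityError (the Go counterpart of OpenSSL's "certificate verify failed" when no issuer is trusted), the third a hostname mismatch. If a proxy reports a verify failure on such a certificate, the place to look is whether its CA bundle was actually loaded, not the SAN count.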
-----Original Message-----
From: Ahmad, Sarfaraz 
Sent: Thursday, May 17, 2018 4:18 PM
To: 'squid-users at lists.squid-cache.org' <squid-users at lists.squid-cache.org>
Cc: 'Marcus Kool' <marcus.kool at urlfilterdb.com>
Subject: RE: [squid-users] TCP FIN,ACK after ServerHelloDone with pcmag.com

Guys,

Any thoughts ?

Regards,
Sarfaraz

-----Original Message-----
From: Ahmad, Sarfaraz
Sent: Wednesday, May 16, 2018 10:36 AM
To: 'Marcus Kool' <marcus.kool at urlfilterdb.com>; squid-users at lists.squid-cache.org
Subject: RE: [squid-users] TCP FIN,ACK after ServerHelloDone with pcmag.com

I see a message similar to Marcus' in cache.log.

2018/05/16 00:20:10 kid1| ERROR: negotiating TLS on FD 77: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

And I am running squid-4.0.24.

Sarfaraz

-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Marcus Kool
Sent: Wednesday, May 16, 2018 1:41 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] TCP FIN,ACK after ServerHelloDone with pcmag.com

The proxies that I used for the test have Squid 4.0.22 and Squid 4.0.23.

Marcus


On 15/05/18 15:40, Amos Jeffries wrote:
> On 16/05/18 01:32, Marcus Kool wrote:
>> pcmag.com also does not load here, although my config parameters are 
>> slightly different.
>> The certificate is indeed huge...
>> Do you have
>>     ERROR: negotiating TLS on FD NNN: error:14090086:SSL 
>> routines:ssl3_get_server_certificate:certificate verify failed
>> (1/-1/0) or other errors in cache.log ?
>>
>> Marcus
>>
> 
> Are these Squid-4.0.24 ? There is a regression[1] in the cafile= 
> parameter handling in the latest release.
>   <https://bugs.squid-cache.org/show_bug.cgi?id=4831>
> 
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 