[squid-users] Error negotiating SSL connection on FD 366 - cache.log

robert k Wild robertkwild at gmail.com
Wed Jun 30 16:00:02 UTC 2021


Cool, so I put this in squid.conf

debug_options 9

And then restart squid and tail the cache.log


On Wed, 30 Jun 2021, 16:48 robert k Wild, <robertkwild at gmail.com> wrote:

> Thanks Alex,
>
> How do I enable all 9 debugging to find out what client IP it is that's
> sending all these TLS errors?
>
> There's a lot of Macs/PCs that are connected to this squid server and I
> have added the myca.der file to their machines as I'm doing SSL bumping.
>
> Thanks,
> Rob
>
>
>
> On Wed, 30 Jun 2021, 16:16 Alex Rousskov, <
> rousskov at measurement-factory.com> wrote:
>
>> On 6/30/21 6:41 AM, robert k Wild wrote:
>>
>> > Never really noticed this as I rarely "tail -f" the cache log but I'm
>> > noticing these lines like every second
>>
>> > 2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 266:
>> > error:00000001:lib(0):func(0):reason(1) (1/-1)
>> > 2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 270:
>> > error:00000001:lib(0):func(0):reason(1) (1/-1)
>> > 2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 285:
>> > error:00000001:lib(0):func(0):reason(1) (1/0)
>>
>> > Is this something to be worried about?
>>
>> IMHO, you should worry about two things, at least:
>>
>> 1) The fact that you did not know about Squid complaints, especially
>> frequent ones. I do not think that constantly watching "tail -f" is the
>> answer here, but something in your Squid administration approach should
>> change to prevent similar lack of problem awareness in the future.
>>
>> 2) The fact that your Squid is complaining about something every second.
>> If the actual problem behind these errors does not deserve your
>> attention, then Squid should not be logging it at level 1 (and you
>> should complain that it does). Otherwise, the problem itself should be
>> addressed.
>>
>> As for the error itself, it looks like your Squid cannot negotiate TLS
>> with some client(s). I do not know whether it is Squid's fault or the
>> client's. Enabling "ALL,9" debugging for a few seconds should be
>> sufficient to identify the client (at least by its IP address), which
>> may be enough to understand why the negotiation fails (or to give you
>> enough information to collect more details for triage).
>>
>>
>> HTH,
>>
>> Alex.
>
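
An added example, not part of the original thread and not Squid's own tooling: a small Python script that summarizes the "Error negotiating SSL connection" entries quoted above, so that a burst like this one raises an alert instead of being noticed by chance with "tail -f". The sample log (the thread's three entries re-joined onto single lines, plus one constructed unrelated line), the threshold and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the three entries quoted in the thread, re-joined onto
# single lines, plus one unrelated line (constructed) that must be ignored.
SAMPLE_LOG = """\
2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 266: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 270: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 285: error:00000001:lib(0):func(0):reason(1) (1/0)
2021/06/30 11:39:14 kid1| storeLateRelease: released 0 objects
"""

# Timestamp, worker name, FD, OpenSSL error string and the trailing "(a/b)" pair.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"(?P<error>\S+) \((?P<detail>[^)]*)\)\s*$"
)

def parse(text):
    """Yield one dict per TLS negotiation error line; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(text, per_minute_threshold=2):
    """Count errors per minute and per (error, detail) signature."""
    per_minute, signatures = Counter(), Counter()
    for rec in parse(text):
        per_minute[rec["ts"][:16]] += 1  # bucket key is "YYYY/MM/DD HH:MM"
        signatures[(rec["error"], rec["detail"])] += 1
    noisy = sorted(m for m, n in per_minute.items() if n >= per_minute_threshold)
    return {"per_minute": dict(per_minute),
            "signatures": dict(signatures),
            "noisy_minutes": noisy}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for minute in report["noisy_minutes"]:
        print(f"ALERT {minute}: {report['per_minute'][minute]} TLS negotiation errors")
    for (error, detail), n in report["signatures"].items():
        print(f"{n:5d}  {error} ({detail})")
```

These level-1 lines carry only the file descriptor, so the script shows how often and with which error signature the failures occur; identifying the client still needs the short "ALL,9" capture Alex describes.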