[squid-users] Error negotiating SSL connection on FD 366 - cache.log

Alex Rousskov rousskov at measurement-factory.com
Wed Jun 30 16:09:10 UTC 2021


On 6/30/21 11:48 AM, robert k Wild wrote:

> How do I enable all 9 debugging to find out what client IP it is that's
> sending all these TLS errors.

0. Start Squid if necessary.

1. Locate your Squid log file or equivalent. In this example, we will
call it cache.log.

2. Run "tail -f cache.log > partial-cache.log" in background or another
terminal. This will start appending new debugging to the
partial-cache.log file.

3. Run "squid -k debug" to enable ALL,9 debugging.

4. Wait a few seconds.

5. Run "squid -k debug" to disable ALL,9 debugging.

6. Kill the "tail" command in step 2.

7. Check that partial-cache.log contains at least one "Error negotiating
SSL connection" entry. If not, go to step 2 and repeat. Perhaps give
Squid a few extra seconds this time.

8. Analyze the resulting partial-cache.log (or share it with those who
are willing to analyze it for you, compressing it if needed). Please
note that this debugging log may contain sensitive information such as
user names and passwords.


HTH,

Alex.


> On Wed, 30 Jun 2021, 16:16 Alex Rousskov wrote:
> 
>     On 6/30/21 6:41 AM, robert k Wild wrote:
> 
>     > never really noticed this as I rarely "tail -f" the cache log but I'm
>     > noticing these lines like every second
> 
>     > 2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 266:
>     > error:00000001:lib(0):func(0):reason(1) (1/-1)
>     > 2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 270:
>     > error:00000001:lib(0):func(0):reason(1) (1/-1)
>     > 2021/06/30 11:39:13 kid1| Error negotiating SSL connection on FD 285:
>     > error:00000001:lib(0):func(0):reason(1) (1/0)
> 
>     > Is this something to be worried about?
> 
>     IMHO, you should worry about two things, at least:
> 
>     1) The fact that you did not know about Squid complaints, especially
>     frequent ones. I do not think that constantly watching "tail -f" is the
>     answer here, but something in your Squid administration approach should
>     change to prevent similar lack of problem awareness in the future.
> 
>     2) The fact that your Squid is complaining about something every second.
>     If the actual problem behind these errors does not deserve your
>     attention, then Squid should not be logging it at level 1 (and you
>     should complain that it does). Otherwise, the problem itself should be
>     addressed.
> 
>     As for the error itself, it looks like your Squid cannot negotiate TLS
>     with some client(s). I do not know whether it is Squid's fault or the
>     client's. Enabling "ALL,9" debugging for a few seconds should be
>     sufficient to identify the client (at least by its IP address), which
>     may be enough to understand why the negotiation fails (or to give you
>     enough information to collect more details for triage).
> 
> 
>     HTH,
> 
>     Alex.
> 
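
Steps 2 to 7 of the procedure above can be scripted so that the second "squid -k debug" always runs, even when the capture is interrupted. The following is an added example, not part of the original message: the log path, the variable names and the function names are assumptions, and "tail -n 0" is used so that only new lines are captured.

```shell
#!/bin/sh
# Added example, not from the original post. CACHE_LOG, OUT, SQUID and the
# function names are assumptions; set CACHE_LOG to your real log (step 1).
CACHE_LOG=${CACHE_LOG:-/var/log/squid/cache.log}
OUT=${OUT:-partial-cache.log}
SQUID=${SQUID:-squid}
PATTERN='Error negotiating SSL connection'
debug_on=0
tail_pid=

# "squid -k debug" toggles ALL,9, so steps 5 and 6 must also run when the
# capture is interrupted; otherwise Squid keeps logging at full verbosity.
stop_capture() {
    if [ "$debug_on" -eq 1 ]; then
        "$SQUID" -k debug || true             # step 5
        debug_on=0
    fi
    if [ -n "$tail_pid" ]; then
        kill "$tail_pid" 2>/dev/null || true  # step 6
        wait "$tail_pid" 2>/dev/null || true
        tail_pid=
    fi
}

# capture_tls_debug [seconds] [attempts]
# Returns 0 once OUT contains the error entry, 1 if every attempt missed it.
capture_tls_debug() {
    secs=${1:-5}
    tries=${2:-3}
    trap 'stop_capture; exit 130' INT TERM
    while [ "$tries" -gt 0 ]; do
        # The capture may hold user names and passwords: owner-only file.
        ( umask 077; rm -f "$OUT"; : > "$OUT" )
        tail -n 0 -f "$CACHE_LOG" >> "$OUT" &  # step 2, new lines only
        tail_pid=$!
        sleep 1                                # let tail attach first
        if "$SQUID" -k debug; then debug_on=1; fi  # step 3
        sleep "$secs"                          # step 4
        stop_capture
        if grep -q "$PATTERN" "$OUT"; then     # step 7
            trap - INT TERM
            return 0
        fi
        tries=$((tries - 1))
        secs=$((secs + 5))                     # extra seconds on retry
    done
    trap - INT TERM
    return 1
}
```

Source the file as a user allowed to signal Squid and call "capture_tls_debug 5 3"; a zero return status means partial-cache.log is ready for step 8.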
