[squid-users] ssl-bump connect issues
Amos Jeffries
squid3 at treenet.co.nz
Mon May 23 13:57:23 UTC 2022
On 23/05/22 17:41, Jernej Porenta wrote:
>
> The logs show that clients did issue a CONNECT, however the connections
> are stuck (and eventually timeout) and netstat is showing exactly 10
> connections in SYN_SENT state towards npm registry. I am kinda puzzled,
> where this number comes from.
>
This sounds a bit like other situations where the sslcrtd_program helper
has hung and stopped generating certificates.
> Big thank you in advance, br, Jernej
>
> The "relevant" parts of my configurations are:
>
> acl intermediate_fetching transaction_initiator certificate-fetching
> http_access allow intermediate_fetching
This is not all of the required http_access rules. Please list them all.
> http_port 80 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/certs/squid-self-signed.crt tls-key=/etc/squid/certs/squid-self-signed.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/certs/squid-self-signed_dhparam.pem disable-pmtu-discovery=transparent
>
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 20MB
> sslcrtd_children 8
> ssl_bump server-first all
This "server-first" action is outdated. Please upgrade. The modern
equivalent would be:
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump cachedSites
ssl_bump splice all
> sslproxy_cert_error deny all
>
This may be hiding symptoms you need in order to figure the problem out. It is
best to start with everything allowed and only deny the specific errors
that are not relevant to the client(s).
>
> # dns
> positive_dns_ttl 31 seconds
> negative_dns_ttl 30 seconds
These also may be the source of problems. They prevent Squid from
obeying short TTLs on DNS responses, which are typically used by repositories to
load balance large amounts of traffic and/or to recover from server failures.
HTH
Amos
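The following squid.conf skeleton is an added illustration of the advice given in the reply above: the complete http_access rule set around the certificate-fetching allow, the modern peek/bump/splice ssl_bump sequence, and a permissive-while-diagnosing sslproxy_cert_error ordering. It is not from the original post or from the Squid project. The client network, the port, the `cachedSites` host pattern and the `ExpiredCerts` ACL name are assumptions for illustration; the certificate paths are the ones quoted in the thread.

```conf
# Added example, not from the original post or from Squid itself.
# Assumed values: the 192.0.2.0/24 client range, port 3128, the
# .example-registry.test pattern and the ExpiredCerts ACL name.

# Squid's own fetches of missing intermediate CA certificates must be
# permitted, otherwise server chain validation stalls and clients hang.
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching

# The rest of the access rules that the quoted config left out (assumed).
acl localnet src 192.0.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Listening port with certificate generation; paths as quoted in the thread.
http_port 3128 ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=20MB \
    tls-cert=/etc/squid/certs/squid-self-signed.crt \
    tls-key=/etc/squid/certs/squid-self-signed.key \
    tls-dh=prime256v1:/etc/squid/certs/squid-self-signed_dhparam.pem

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 20MB
sslcrtd_children 8

# Modern replacement for "ssl_bump server-first all": peek at the TLS
# ClientHello, bump only the sites that need decryption (assumed list),
# and splice everything else so Squid never terminates that TLS session.
acl cachedSites ssl::server_name .example-registry.test
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump cachedSites
ssl_bump splice all

# Diagnostic stage: a blanket "deny all" hides which certificate error is
# actually firing. Deny only the specific error that matters for these
# clients and allow the rest while investigating; tighten again afterwards.
acl ExpiredCerts ssl_error X509_V_ERR_CERT_HAS_EXPIRED
sslproxy_cert_error deny ExpiredCerts
sslproxy_cert_error allow all

# Leave DNS TTL handling at the defaults so short-TTL answers from
# load-balanced repositories are honoured (the quoted 31s/30s values removed).
```

The ssl_bump and sslproxy_cert_error lists are first-match, so the order of the `deny`/`allow` lines above is what makes the diagnostic stage permissive for everything except the one named error.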