[squid-users] SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR

Alex Rousskov rousskov at measurement-factory.com
Wed Apr 10 21:13:22 UTC 2024 

On 2024-04-10 16:22, Jonathan Lee wrote:
> Could it be related to this ??
> 
> "WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'. 
> error:1E08010C:DECODER routines::unsupported”

I do not know the answer to your question. I speculate that it could be 
related: Depending on various factors, without those DH parameters, 
Squid may not be able to communicate with clients. See WARNING in tls-dh 
description in squid.conf.documented.

I know that others are reporting similar WARNINGs during v6 upgrades and 
dislike the letters "EC" those messages use. I am not going to debate 
the best choice of letters for this message, but I can tell you that, in 
the cases I investigated, the message was caused by a mismatch between 
squid.conf tls-dh=... option value and DH parameter file contents:

* To Squid, tls-dh=curve:filename format implies that the keytype is 
"EC". These two letters are then fed to an OpenSSL function that 
configures related TLS state. OpenSSL then fails if tls-dh filename 
contains DH parameters produced with "openssl dhparam" command. I have 
seen these failures in tests.

* To Squid, tls-dh=filename format (i.e. format without the curve name 
prefix) implies that the keytype is "DC". These two letters are then fed 
to an OpenSSL function that configured related TLS state. OpenSSL then 
probably fails if tls-dh filename contains DH parameters produced with 
"openssl ecparam" command. I have not tested this use case.

* The failing checks and their messages are specific to Squids built 
with OpenSSL v3. It is possible that Squids built with OpenSSL v1 just 
silently fail (at runtime), but I have not checked that theory.


FWIW, this poorly categorized message indicates a configuration _error_. 
AFAICT, Squid code should be adjusted to _quit_ (i.e. reject bad 
configuration) after discovering this error instead of continuing as if 
nothing bad happened.

I recommend addressing the underlying cause, even if this message is 
unrelated to SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417.


HTH,

Alex.


>> On Apr 10, 2024, at 08:38, Alex Rousskov 
>> <rousskov at measurement-factory.com> wrote:
>>
>> On 2024-04-10 10:50, Jonathan Lee wrote:
>>
>>> I am getting the following error in 6.6 after a upgrade from 5.8 does 
>>> anyone know what this is caused by?
>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR
>>
>>    $ openssl errstr A000417
>>    error:0A000417:SSL routines::sslv3 alert illegal parameter
>>
>> I think I have seen that error code before, but I do not recall the 
>> exact circumstances. Sorry! The error happens when Squid tries to 
>> accept (or peek at) a TLS connection from the client. Might be 
>> prohibited TLS version/feature, TLS greasing, or non-TLS traffic? Try 
>> examining client TLS Hello packet(s) in Wireshark.
>>
>> Alex.
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> https://lists.squid-cache.org/listinfo/squid-users
>

More information about the squid-users mailing list