<div dir="ltr">I recently upgraded to Squid v3.5.13 and am encountering at least two errors when processing certain HTTPS connections. I am not sure if it is a bug or a configuration error on my part.<div><br></div><div>The first error I am seeing is when <a href="http://shutterfly.com">shutterfly.com</a> is accessed by a user. The issue occurs regardless of whether I splice or bump the site. A user can browse to the page, but if they click on anything on the site, squid encounters a fault. The system does not crash; it recovers, but the proxy is down for about 30 seconds. Note that this occurs in regular forward proxy mode, not intercept mode.</div><div><br></div><div>My knowledge of SSL is somewhat limited, so I am not sure if I have misconfigured things in a way that creates the problem. Two questions I have are (a) to apply ECDH properly, must an optional cipher be chosen for the tls-dh option? and (b) to properly apply ECDH, do I have to recreate the dhparam file using an ECDH cipher (I'm currently using the dhparam file that I previously had)?</div><div><br></div><div>Separate from the above (or perhaps related), the second issue I am also seeing is odd errors in the cache.log that are causing squid to fault and recover. I am not yet sure which sites are causing the issue, but I am seeing the following error: "FATAL: dying from an unhandled exception: !theConsumer". This error seems to be consistently preceded by "Error negotiating SSL on FD 25: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)".</div>
<div><br></div><div><div>The prior version I was running was v3.5.12 and I know that version had no problems when accessing <a href="http://shutterfly.com">shutterfly.com</a>, nor did it produce the odd FATAL message I am seeing with the below configuration.</div></div><div><br></div><div>Following is more detailed info for the first problem I am encountering above with <a href="http://shutterfly.com">shutterfly.com</a>. Please let me know if additional information is needed.</div><div><br></div><div>Cache.log extracts when accessing <a href="http://shutterfly.com">shutterfly.com</a>:</div><div>--------------------------------------------------------------------</div>
<pre>
2016/01/12 22:39:59 kid1| Error negotiating SSL on FD 91: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:39:59 kid1| Error negotiating SSL on FD 98: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:39:59 kid1| Error negotiating SSL on FD 89: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:40:02 kid1| Error negotiating SSL on FD 62: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/01/12 22:40:02 kid1| Error negotiating SSL on FD 63: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/01/12 22:40:03 kid1| Error negotiating SSL on FD 56: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:40:03 kid1| Error negotiating SSL on FD 56: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:40:03 kid1| Error negotiating SSL on FD 58: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
</pre>
<div><br></div>
<div>Extracts from my squid.conf file:</div>
<div>----------------------------------------------</div>
<pre>
http_port 127.0.0.1:3128
http_port 192.168.10.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.pem tls-dh=cert.dhparam.pem
http_port 192.168.10.1:3129 intercept disable-pmtu-discovery=transparent name=http_icept
https_port 192.168.10.1:3130 intercept disable-pmtu-discovery=transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.pem tls-dh=cert.dhparam.pem name=https_icept
sslcrtd_program /usr/lib/squid/ssl_crtd -s /disk/dyn-certs/sslcrtd_db -M 4MB
...
ssl_bump peek SSL_Step1 !dont_peek_or_stare mynet
ssl_bump splice dont_bump_me mynet
ssl_bump bump mynet
ssl_bump terminate all

# Various SSL Proxy Config Stuff
sslproxy_cert_error allow broken_certs
sslproxy_cert_error deny all
sslproxy_cert_sign_hash sha256
sslproxy_capath /etc/ssl/certs/
sslproxy_foreign_intermediate_certs /etc/ssl/certs/
sslproxy_options No_Compression,NO_TLSv1,NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
</pre>
<div>------------------------</div>
<div><br></div>
<div>Thanks,</div>
<div><br></div>
<div> Dave<br><div class="gmail_signature">___________________________________________________________<br>Dave Marcos<br></div></div>
</div>
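<p>As an added triage aid (not part of Dave's post and not Squid code), the following Python script parses the cache.log lines quoted above, counts the OpenSSL negotiation errors by function and reason, and pairs each FATAL line with the last SSL error logged before it, which is the correlation the post describes. The FATAL sample line is constructed, since the post quotes only the message, and the line layout assumed is the one visible in the quoted extract.</p>

```python
import re
from collections import Counter

# Squid 3.5 cache.log OpenSSL negotiation error line, as quoted in the post:
#   <date> <time> kidN| Error negotiating SSL on FD <n>: error:<code>:<lib>:<func>:<reason> (a/b/c)
SSL_ERR = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"Error negotiating SSL on FD (?P<fd>\d+): error:(?P<code>[0-9A-Fa-f]+):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^(]+?)\s*\("
)
FATAL = re.compile(r"FATAL: (?P<msg>.*)$")


def parse_cache_log(lines):
    """Return (ssl_errors, fatals): parsed SSL errors, and each FATAL message
    paired with the last SSL error seen before it (the correlation in the post)."""
    ssl_errors, fatals, last = [], [], None
    for line in lines:
        m = SSL_ERR.match(line)
        if m:
            last = m.groupdict()
            ssl_errors.append(last)
            continue
        f = FATAL.search(line)
        if f:
            fatals.append((f.group("msg"), last))
    return ssl_errors, fatals


def summarize(ssl_errors):
    """Count by (OpenSSL function, reason) so an 'unsupported protocol' burst
    is told apart from 'certificate verify failed' ones."""
    return Counter((e["func"], e["reason"].strip()) for e in ssl_errors)


# Sample input: three lines quoted in the post plus one constructed FATAL line
# (the post quotes the FATAL message, not the full log line around it).
SAMPLE = """\
2016/01/12 22:39:59 kid1| Error negotiating SSL on FD 91: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:40:02 kid1| Error negotiating SSL on FD 62: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/01/12 22:40:03 kid1| Error negotiating SSL on FD 56: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:40:03 kid1| FATAL: dying from an unhandled exception: !theConsumer
""".splitlines()

if __name__ == "__main__":
    errs, fatals = parse_cache_log(SAMPLE)
    for (func, reason), n in sorted(summarize(errs).items()):
        print(f"{n:3d}  {func}: {reason}")
    for msg, prev in fatals:
        where = f"FD {prev['fd']} ({prev['reason'].strip()})" if prev else "nothing"
        print(f"FATAL '{msg}' preceded by {where}")
```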