<div dir="ltr"><div>Hi Amos,</div><div><br></div><div>Upgrading to Squid 4.1 resolved the issue. I had to run</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>/usr/lib64/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB</div></blockquote><div><br></div><div>to get squid to start. But after that all worked well. We'll do a bit more testing before we roll out to our production servers.<br></div><div><br></div><div>Thanks very much for your help.<br></div><div><br></div>
<div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div>Regards,</div><div><br></div><div>David Mills</div><div>Senior DevOps Engineer</div><div>E: <a href="mailto:david.mills@acusensus.com" target="_blank">david.mills@acusensus.com</a></div><div>M: +61 411 513 404</div><div>W: <a href="http://acusensus.com/" target="_blank">acusensus.com</a></div></div>
</div>
<br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, 18 Jul 2021 at 16:45, Amos Jeffries &lt;<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 16/07/21 4:38 pm, David Mills wrote:<br>
> Hi Amos,<br>
> <br>
> sorry for the big delay here - I've had lots of other things to attend <br>
> to. It turned on the logging you suggested. For a failed "apt update" <br>
> attempt on the client I get the following attached access.log and cache.log.<br>
> <br>
> Are any of the lines<br>
> <br>
>     2021/07/16 04:28:01.423 kid1| 83,5| bio.cc(396) adjustSSL: Extension<br>
>     13 does not supported!<br>
> <br>
>     ...<br>
> <br>
>     20212021/07/16 04:28:32.465 kid1| 83,2| client_side.cc(3749)<br>
>     Squid_SSL_accept: Error negotiating SSL connection on FD 11: Aborted<br>
>     by client: 5<br>
>     ...<br>
> <br>
>     2021/07/16 04:28:02.452 kid1| Error negotiating SSL on FD 17:<br>
>     error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher<br>
>     returned (1/-1/0)<br>
> <br>
>     ...<br>
> <br>
>     2021/07/16 04:28:01.413 kid1| 83,2| client_side.cc(4293)<br>
>     clientPeekAndSpliceSSL: SSL_accept failed.<br>
> <br>
> <br>
> important?<br>
> <br>
<br>
Very. It means the libssl Squid is built with and using is not able to <br>
understand the TLS the server is sending.<br>
<br>
Squid-4 should be more tolerant of this particular issue, or at least <br>
able to follow the on_unsupported_protocol directive when it is encountered.<br>
<br>
Older Squid depend more directly on the library TLS parsing - which <br>
cannot handle unknown values well.<br>
<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
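<div>Added example, not part of the original thread and not Squid project code: a small triage helper for the cache.log lines quoted above. It unpacks the OpenSSL error code and separates failures on the Squid-to-origin leg from failures on the client-to-Squid leg. It assumes the OpenSSL 1.0.x/1.1.x error packing (lib, function, reason); the sample log is constructed from the quoted lines, rejoined onto single lines.</div>

```python
import re

# OpenSSL 1.0.x/1.1.x pack an error code as lib(8) | func(12) | reason(12) bits.
# Assumption: the log comes from such a build; OpenSSL 3.x uses another layout.
ERR_LIB_SSL = 0x14

# Constructed sample: the cache.log lines quoted in the thread, one per line.
SAMPLE_LOG = """\
2021/07/16 04:28:01.413 kid1| 83,2| client_side.cc(4293) clientPeekAndSpliceSSL: SSL_accept failed.
2021/07/16 04:28:01.423 kid1| 83,5| bio.cc(396) adjustSSL: Extension 13 does not supported!
2021/07/16 04:28:02.452 kid1| Error negotiating SSL on FD 17: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned (1/-1/0)
2021/07/16 04:28:32.465 kid1| 83,2| client_side.cc(3749) Squid_SSL_accept: Error negotiating SSL connection on FD 11: Aborted by client: 5
"""

# error:<8 hex digits>:<library>:<routine>:<reason text>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*?)(?: \(|$)")


def unpack_openssl_error(code_hex):
    """Split a packed OpenSSL 1.0/1.1 error code into its three fields."""
    code = int(code_hex, 16)
    return {"lib": (code >> 24) & 0xFF,
            "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF}


def classify(line):
    """Return (leg, details) for one cache.log line."""
    m = ERR_RE.search(line)
    if m:
        details = unpack_openssl_error(m.group(1))
        details.update(routine=m.group(3), text=m.group(4).strip())
        # A ServerHello is parsed by the TLS client role, so this error
        # belongs to Squid's outbound handshake with the origin server.
        if details["lib"] == ERR_LIB_SSL and "server_hello" in details["routine"]:
            return "origin-side", details
        return "openssl-other", details
    if "Squid_SSL_accept" in line or "clientPeekAndSpliceSSL" in line:
        return "client-side", None  # inbound handshake with the proxy client
    return "other", None


def triage(log_text):
    """Return [(leg, timestamp)] for every non-empty line."""
    return [(classify(l)[0], l[:23]) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for leg, ts in triage(SAMPLE_LOG):
        print(ts, leg)
```

<div>The origin-side entry is the one matching Amos's diagnosis: the library rejected the server's ServerHello, and the client-side aborts follow from it.</div>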
