<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div><blockquote type="cite"><div style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><blockquote type="cite"><div style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><blockquote type="cite">I do not recommend changing your configuration at this time. I recommend rereading my earlier recommendation and following that instead: "As the next step in triage, I recommend determining what that CA is in these cases (e.g., by capturing raw TLS packets and matching them with connection information from A000417 error messages in cache.log or %err_detail in access.log)."<br></blockquote></div></blockquote></div></blockquote></div><div><br></div>Ok I went back to 5.8 and ran the following command after I removed the changes I used does this help this is ran on the firewall side itself. <div><br></div><div> openssl s_client -connect <a href="http://foxnews.com:443">foxnews.com:443</a></div><div><br></div><div><pre style="box-sizing: border-box; overflow: auto; font-family: Menlo, Monaco, Consolas, "Courier New", monospace; font-size: 13px; padding: 9.5px; margin-top: 0px; margin-bottom: 10px; line-height: 1.428571; color: rgb(51, 51, 51); word-break: break-all; overflow-wrap: break-word; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); border-radius: 4px; caret-color: rgb(51, 51, 51);">depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = New York, L = New York, O = "Fox News Network, LLC", CN = wildcard.foxnews.com
verify return:1
CONNECTED(00000004)
---
Certificate chain
0 s:C = US, ST = New York, L = New York, O = "Fox News Network, LLC", CN = wildcard.foxnews.com
i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA</pre></div><div><br></div><div><pre style="box-sizing: border-box; overflow: auto; font-family: Menlo, Monaco, Consolas, "Courier New", monospace; font-size: 13px; padding: 9.5px; margin-top: 0px; margin-bottom: 10px; line-height: 1.428571; color: rgb(51, 51, 51); word-break: break-all; overflow-wrap: break-word; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); border-radius: 4px; caret-color: rgb(51, 51, 51);">-----END CERTIFICATE-----
subject=C = US, ST = New York, L = New York, O = "Fox News Network, LLC", CN = wildcard.foxnews.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4198 bytes and written 393 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE</pre><div><br></div><div>Does that help I am not going to pretend I understand TLS options I do understand how the SSL ciphers work and certificates but all the different options and kinds are what is confusing me. I did not seem to have this error before.</div><div><br></div><div><br></div><div>Should I regenerate a new certificate for the new version of Squid and redeploy them all to hosts again? I used this method in the past and it worked for a long time after I imported it. I am wondering if this is outdated now</div><div><br></div><div><strong style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 21px;">openssl req -x509 -new -nodes -key myProxykey.key -sha256 -days 365 -out myProxyca.pem</strong></div><div><br></div><div><br><blockquote type="cite"><div>On Jul 4, 2024, at 15:13, Jonathan Lee <jonathanlee571@gmail.com> wrote:</div><br class="Apple-interchange-newline"><div><meta http-equiv="content-type" content="text/html; charset=utf-8"><div style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Sorry <div><br></div><div><pre id="pconf" name="pconf" wrap="hard" readonly="" style="box-sizing: border-box; overflow: auto; font-family: Menlo, Monaco, Consolas, "Courier New", monospace; font-size: 13px; padding: 9.5px; margin-top: 0px; margin-bottom: 10px; line-height: 1.428571; color: rgb(51, 51, 51); word-break: break-all; overflow-wrap: break-word; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); border-radius: 4px; caret-color: rgb(51, 51, 51);">tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE</pre><div><br></div><div>Would I add this here?</div><div><br><blockquote type="cite"><div>On Jul 4, 2024, at 15:12, Jonathan Lee <jonathanlee571@gmail.com> wrote:</div><br class="Apple-interchange-newline"><div><meta http-equiv="content-type" content="text/html; charset=utf-8"><div style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">I know before I could use <div><br></div><div><pre id="pconf" name="pconf" wrap="hard" readonly="" style="box-sizing: border-box; overflow: auto; font-family: Menlo, Monaco, Consolas, "Courier New", monospace; font-size: 13px; padding: 9.5px; margin-top: 0px; margin-bottom: 10px; line-height: 1.428571; color: rgb(51, 51, 51); word-break: break-all; overflow-wrap: break-word; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); border-radius: 4px; caret-color: rgb(51, 51, 51);">tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS</pre><div><br></div><div>However with the update I am seeing </div><div><br></div><div>ERROR: Unsupported TLS option SINGLE_ECDH_USE</div><div><br></div><div>I found researching in <a href="http://lists-squid-cache.org/">lists-squid-cache.org</a> that someone solved this with appending TLS13-AES-256-CGM-SHA384 to the ciphers. </div><div><br></div><div>I am thinking this is my issue also.</div><div><br></div><div>I see that error over and over when I run "squid -k parse”</div><div><br></div><div>Do I append this to the options cipher list?</div><div><br></div><div>Jonathan Lee</div><div><br><blockquote type="cite"><div>On Jul 4, 2024, at 14:45, Alex Rousskov <rousskov@measurement-factory.com> wrote:</div><br class="Apple-interchange-newline"><div><div>On 2024-07-04 15:37, Jonathan Lee wrote:<br><br><blockquote type="cite">in Squid.conf I have nothing with that detective.<br></blockquote><br>Sounds good; sslproxy_cert_sign default should work OK in most cases. I mentioned signUntrusted algorithm so that you can discover (from the corresponding sslproxy_cert_sign documentation) which CA/certificate Squid uses in which SslBump use case. Triage is often easier if folks share the same working theory, and my current working theory suggests that we are looking at a (default) signUntrusted use case.<br><br>The solution here probably does _not_ involve changing sslproxy_cert_sign configuration, but, to make progress, I need more info to confirm this working theory and describe next steps.<br><br><br><blockquote type="cite">Yes I am using SSL bump with this configuration..<br></blockquote><br>Noted, thank you.<br><br><br><blockquote type="cite">So would I use this directive <br></blockquote><br>I do not recommend changing your configuration at this time. I recommend rereading my earlier recommendation and following that instead: "As the next step in triage, I recommend determining what that CA is in these cases (e.g., by capturing raw TLS packets and matching them with connection information from A000417 error messages in cache.log or %err_detail in access.log)."<br><br><br>HTH,<br><br>Alex.<br><br><br><blockquote type="cite"><blockquote type="cite">On Jul 4, 2024, at 09:56, Alex Rousskov wrote:<br><br>On 2024-07-04 12:11, Jonathan Lee wrote:<br><blockquote type="cite">failure while accepting a TLS connection on conn5887 local=192.168.1.1:3128<br>SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417<br></blockquote><br>A000417 is an "unknown CA" alert sent by client to Squid while the client is trying to establish a TLS connection to/through Squid. The client does not trust the Certificate Authority that signed the certificate that was used for that TLS connection.<br><br>As the next step in triage, I recommend determining what that CA is in these cases (e.g., by capturing raw TLS packets and matching them with connection information from A000417 error messages in cache.log or %err_detail in access.log).<br><br>If you use SslBump for port 3128 traffic, then one of the possibilities here is that Squid is using an unknown-to-client CA to report an origin server that Squid itself does not trust (see signUntrusted in squid.conf.documented). In those cases, logging a level-1 ERROR is a Squid bug because that expected/desirable outcome should be treated as success (and a successful TLS accept treated as an error!).<br><br><br>HTH,<br><br>Alex.<br></blockquote></blockquote><br><br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Is my main concern however I use the squid guard URL blocker<br>Sent from my iPhone<br><blockquote type="cite">On Jul 4, 2024, at 07:41, Alex Rousskov <rousskov@measurement-factory.com> wrote:<br><br>On 2024-07-03 13:56, Jonathan Lee wrote:<br><blockquote type="cite">Hello fellow Squid users does anyone know how to fix this issue?<br></blockquote><br>I counted about eight different "issues" in your cache.log sample. Most of them are probably independent. I recommend that you explicitly pick _one_, search mailing list archives for previous discussions about it, and then provide as many details about it as you can (e.g., what traffic causes it and/or matching access.log records).<br><br><br>HTH,<br><br>Alex.<br><br><br><blockquote type="cite">Squid - Cache Logs<br>Date-Time Message<br>31.12.1969 16:00:00<br>03.07.2024 10:54:34 kick abandoning conn7853 local=192.168.1.1:3128 remote=192.168.1.5:49710 FD 89 flags=1<br>31.12.1969 16:00:00<br>03.07.2024 10:54:29 kick abandoning conn7844 local=192.168.1.1:3128 remote=192.168.1.5:49702 FD 81 flags=1<br>03.07.2024 10:54:09 ERROR: failure while accepting a TLS connection on conn7648 local=192.168.1.1:3128 remote=192.168.1.5:49672 FD 44 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:54:09 ERROR: failure while accepting a TLS connection on conn7647 local=192.168.1.1:3128 remote=192.168.1.5:49670 FD 43 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:54:09 ERROR: failure while accepting a TLS connection on conn7646 local=192.168.1.1:3128 remote=192.168.1.5:49668 FD 34 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:53:04 ERROR: failure while accepting a TLS connection on conn7367 local=192.168.1.1:3128 remote=192.168.1.5:49627 FD 22 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:52:47 ERROR: failure while accepting a TLS connection on conn7345 local=192.168.1.1:3128 remote=192.168.1.5:49618 FD 31 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:52:38 ERROR: failure while accepting a TLS connection on conn7340 local=192.168.1.1:3128 remote=192.168.1.5:49616 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:52:34 ERROR: failure while accepting a TLS connection on conn7316 local=192.168.1.1:3128 remote=192.168.1.5:49609 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>31.12.1969 16:00:00<br>03.07.2024 10:51:55 WARNING: Error Pages Missing Language: en-us<br>31.12.1969 16:00:00<br>03.07.2024 10:51:55 ERROR: loading file 9;/usr/local/etc/squid/errors/en-us/ERR_ZERO_SIZE_OBJECT': (2) No such file or directory<br>03.07.2024 10:51:44 ERROR: failure while accepting a TLS connection on conn7102 local=192.168.1.1:3128 remote=192.168.1.5:49574 FD 34 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:51:28 ERROR: failure while accepting a TLS connection on conn7071 local=192.168.1.1:3128 remote=192.168.1.5:49568 FD 92 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:50:29 ERROR: failure while accepting a TLS connection on conn6944 local=192.168.1.1:3128 remote=192.168.1.5:49534 FD 101 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:49:54 ERROR: failure while accepting a TLS connection on conn6866 local=192.168.1.1:3128 remote=192.168.1.5:49519 FD 31 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:49:38 ERROR: failure while accepting a TLS connection on conn6809 local=192.168.1.1:3128 remote=192.168.1.5:49503 FD 31 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>31.12.1969 16:00:00<br>03.07.2024 10:49:32 ERROR: system call failure while accepting a TLS connection on conn6794 local=192.168.1.1:3128 remote=192.168.1.5:49496 FD 19 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=54<br>03.07.2024 10:49:24 ERROR: failure while accepting a TLS connection on conn6776 local=192.168.1.1:3128 remote=192.168.1.5:49481 FD 137 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:48:49 ERROR: failure while accepting a TLS connection on conn6440 local=192.168.1.1:3128 remote=192.168.1.5:49424 FD 16 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:48:49 ERROR: failure while accepting a TLS connection on conn6445 local=192.168.1.1:3128 remote=192.168.1.5:49426 FD 34 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:48:22 ERROR: failure while accepting a TLS connection on conn6035 local=192.168.1.1:3128 remote=192.168.1.5:49355 FD 226 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:48:09 ERROR: failure while accepting a TLS connection on conn5887 local=192.168.1.1:3128 remote=192.168.1.5:49318 FD 33 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:48:09 ERROR: failure while accepting a TLS connection on conn5875 local=192.168.1.1:3128 remote=192.168.1.5:49312 FD 216 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:48:09 ERROR: failure while accepting a TLS connection on conn5876 local=192.168.1.1:3128 remote=192.168.1.5:49314 FD 217 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:47:57 ERROR: failure while accepting a TLS connection on conn5815 local=192.168.1.1:3128 remote=192.168.1.5:49297 FD 201 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:47:54 ERROR: failure while accepting a TLS connection on conn5760 local=192.168.1.1:3128 remote=192.168.1.5:49289 FD 195 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:47:52 ERROR: failure while accepting a TLS connection on conn5717 local=192.168.1.1:3128 remote=192.168.1.5:49284 FD 195 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:47:50 ERROR: failure while accepting a TLS connection on conn5552 local=192.168.1.1:3128 remote=192.168.1.5:49268 FD 142 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>31.12.1969 16:00:00<br>03.07.2024 10:47:34 kick abandoning conn5254 local=192.168.1.1:3128 remote=192.168.1.5:49209 FD 100 flags=1<br>31.12.1969 16:00:00<br>03.07.2024 10:47:21 kick abandoning conn5022 local=192.168.1.1:3128 remote=192.168.1.5:49167 FD 37 flags=1<br>31.12.1969 16:00:00<br>03.07.2024 10:47:21 kick abandoning conn5020 local=192.168.1.1:3128 remote=192.168.1.5:49165 FD 36 flags=1<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>03.07.2024 10:42:22 WARNING: Forwarding loop detected for:<br>03.07.2024 10:40:08 ERROR: failure while accepting a TLS connection on conn4955 local=192.168.1.1:3128 remote=192.168.1.5:52339 FD 98 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>31.12.1969 16:00:00<br>03.07.2024 10:39:52 kick abandoning conn4927 local=192.168.1.1:3128 remote=192.168.1.5:52331 FD 105 flags=1<br>03.07.2024 10:39:09 ERROR: failure while accepting a TLS connection on conn4846 local=192.168.1.1:3128 remote=192.168.1.5:52314 FD 19 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:38:14 ERROR: failure while accepting a TLS connection on conn4650 local=192.168.1.1:3128 remote=192.168.1.5:52274 FD 35 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:38:08 ERROR: failure while accepting a TLS connection on conn4645 local=192.168.1.1:3128 remote=192.168.1.5:52272 FD 35 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:38:04 ERROR: Unsupported TLS option SINGLE_ECDH_USE<br>03.07.2024 10:38:04 ERROR: Unsupported TLS option SINGLE_DH_USE<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>_______________________________________________<br>squid-users mailing list<br>squid-users@lists.squid-cache.org<br>https://lists.squid-cache.org/listinfo/squid-users<br></blockquote><br></blockquote></blockquote><br></blockquote></blockquote><br></div></div></blockquote></div><br></div></div></div></blockquote></div><br></div></div></div></blockquote></div><br></div></body></html>