[squid-users] assertion failed: client_side.h:364: "sslServerBump == srvBump"

Amos Jeffries squid3 at treenet.co.nz
Mon Feb 23 01:36:48 UTC 2015


On 23/02/2015 11:00 a.m., Private Sender wrote:
> Hello,
> 
> I keep getting this same error, regardless of what version of squid I'm
> running (3.5.2 currently).
> 
> Anyone have any ideas?
> 
> Output from log:
> 
> 2015/02/22 13:30:22 kid1| assertion failed: client_side.h:364:
> "sslServerBump == srvBump"

This needs a bug report. Christos may or may not be aware of it already.

...
> 2015/02/22 13:30:26 kid1| ERROR: No forward-proxy ports configured.
> 2015/02/22 13:30:26 kid1| Finished loading MIME types and icons.


Squid generates URLs for clients to fetch icons etc directly from the
proxy. Now that we are being strict about what types of traffic work on a
NAT intercept port, it needs a forward-proxy port configured to
receive these requests.

The officially registered port is 3128 so these are fixed by:
   http_port 3128



> 2015/02/22 13:30:26 kid1| HTCP Disabled.
> 2015/02/22 13:30:26 kid1| Pinger socket opened on FD 28
> 2015/02/22 13:30:26 kid1| Squid plugin modules loaded: 0
> 2015/02/22 13:30:26 kid1| Adaptation support is on
> 2015/02/22 13:30:26 kid1| Accepting NAT intercepted SSL bumped HTTPS
> Socket connections at local=0.0.0.0:443 remote=[::] FD 26 flags=41

The Squid listening port number has nothing to do with the port-80/443
clients are sending to and this type of config will cause nasty bugs
if/when the machine runs a proper web server.

It's best to use a random port of your own selection outside the 0-1024
well-known port range. It's only needed between the NAT firewall and
Squid so can (and SHOULD) be firewalled to prevent remote access
directly to it.



> 2015/02/22 13:30:26| pinger: Initialising ICMP pinger ...
> 2015/02/22 13:30:26|  icmp_sock: (1) Operation not permitted
> 2015/02/22 13:30:26| pinger: Unable to start ICMP pinger.
> 2015/02/22 13:30:26| FATAL: pinger: Unable to open any ICMP sockets.

Your "pinger" binary is not installed with suid (aka root as owner).


> 2015/02/22 13:30:26 kid1| Done reading /mnt/squid1 swaplog (3374 entries)
> 2015/02/22 13:30:26 kid1| Finished rebuilding storage from disk.
> 2015/02/22 13:30:26 kid1|      3374 Entries scanned
> 2015/02/22 13:30:26 kid1|         0 Invalid entries.
> 2015/02/22 13:30:26 kid1|         0 With invalid flags.
> 2015/02/22 13:30:26 kid1|      3374 Objects loaded.
> 2015/02/22 13:30:26 kid1|         0 Objects expired.
> 2015/02/22 13:30:26 kid1|         0 Objects cancelled.
> 2015/02/22 13:30:26 kid1|         0 Duplicate URLs purged.
> 2015/02/22 13:30:26 kid1|         0 Swapfile clashes avoided.
> 2015/02/22 13:30:26 kid1|   Took 0.08 seconds (41055.72 objects/sec).
> 2015/02/22 13:30:26 kid1| Beginning Validation Procedure
> 2015/02/22 13:30:26 kid1|   Completed Validation Procedure
> 2015/02/22 13:30:26 kid1|   Validated 3374 Entries
> 2015/02/22 13:30:26 kid1|   store_swap_size = 54324.00 KB
> 2015/02/22 13:30:27 kid1| storeLateRelease: released 0 objects
> 
> Squid was built with these options:
> 
> root at squid:~/squid# squid -v
> Squid Cache: Version 3.5.2
> Service Name: squid
> configure options:  '--enable-ssl'

The '--enable-ssl' directive is obsolete. You can simplify by removing
it. The --with-openssl you have below does the same thing this used to.

> '--enable-ssl-crtd' '--enable-icmp'
> '--enable-linux-netfilter' '--disable-ipv6' '--with-openssl'

NP: it's time to stop using that IPv6 directive. Squid works fine nowadays
on a properly configured network. Even if it's configured to be IPv4-only.

> '--with-large-files' '--prefix=/usr' '--localstatedir=/var'
> '--libexecdir=/lib/squid' '--srcdir=.' '--datadir=/share/squid'
> '--sysconfdir=/etc/squid' '--with-default-user=proxy'
> '--with-logdir=/var/log' '--with-pidfile=/var/run/squid.pid'
> '--enable-icap-client'
> 
> SSLBump works, the problem is this error seems to crash the daemon,
> and forces a reload.
> 

Not much help sorry. The SSL_Bump fixes available today are almost all
in 3.5.2.

Amos
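
Added example, not part of the original message and not Squid project code: a small audit of squid.conf port lines for the two port problems raised in the reply above (no forward-proxy port, and an intercept port inside the 0-1024 range). The mode classification is a simplified model, and the sample configs, the certificate path and port 3129 are constructed for illustration.

```python
# Listener modes that make a port something other than a plain forward-proxy port.
MODES = {"intercept", "tproxy", "accel", "transparent"}
NAT_MODES = {"intercept", "tproxy", "transparent"}

def parse_ports(conf):
    """Return (directive, port, mode) for each http_port/https_port line."""
    ports = []
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(tokens) < 2 or tokens[0] not in ("http_port", "https_port"):
            continue
        port = int(tokens[1].rsplit(":", 1)[-1])   # "3128", "ip:3128", "[::1]:3128"
        mode = next((t for t in tokens[2:] if t in MODES), "forward")
        ports.append((tokens[0], port, mode))
    return ports

def audit(conf):
    """Return a list of findings; an empty list means both checks pass."""
    ports = parse_ports(conf)
    findings = []
    # Assumption: a forward-proxy port is an http_port line with no mode flag.
    if not any(d == "http_port" and m == "forward" for d, _, m in ports):
        findings.append("no forward-proxy port: add 'http_port 3128'")
    for directive, port, mode in ports:
        if mode in NAT_MODES and port <= 1024:
            findings.append(
                f"{directive} {port} ({mode}) is in the 0-1024 range: "
                "use a high port and firewall it from remote access")
    return findings

# Constructed sample resembling the setup in the quoted log (listener on 443).
BEFORE = """
https_port 443 intercept ssl-bump cert=/etc/squid/example-ca.pem
"""

# Constructed corrected form: forward-proxy port plus a high intercept port.
# 3129 is an arbitrary choice; the NAT rule must redirect port 443 to it.
AFTER = """
http_port 3128
https_port 3129 intercept ssl-bump cert=/etc/squid/example-ca.pem
"""

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf) or "ok")
```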


