[squid-users] Skype makes Squid with ssl_bump crash

Bruno de Paula Larini bruno.larini at riosoft.com.br
Thu Jun 9 19:20:49 UTC 2016


Hi list.

I'm experiencing some crashes on Squid workers and eventually on the 
parent process while using a mixed authenticated/intercepted ssl_bump + 
Skype (7.21.0.100). After searching for some clues, I've found this:

Changes to squid-3.5.9 (17 Sep 2015):
     ...
     - Bug 4309: crash during Skype login
     ...

I'm running the exact Squid 3.5.9, provided by official Fedora 23 (x64) 
repositories and noticed this behavior only while using Skype.

My squid.conf contains the section below. If Skype isn't open or if it 
managed to authenticate without crashing the Squid main process then 
everything works normally. If I comment these lines, Skype won't affect 
Squid at all (not a single worker exits) and everything also works 
normally in the authenticated, non-intercepted mode. So, this only 
happens for whatever reason when it is trying to authenticate the Skype 
user. All other concurrent connections are terminated during the 
authentication.

If the bug has been addressed then maybe it is something I'm doing 
wrong? Or maybe this is a different one?
Thanks everyone!


/etc/squid/squid.conf
...
     http_port 192.168.0.1:3128 intercept
     https_port 192.168.0.1:3129 cert=/etc/squid/ssl/squidCA.pem key=/etc/squid/ssl/squidCA.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

     acl http_intercept dstdom_regex -i "/etc/squid/allow-intercepted.txt"
     http_access allow SSL_ports
     http_access allow http_intercept
     http_access deny all

     acl step1 at_step SslBump1
     acl step2 at_step SslBump2
     acl step3 at_step SslBump3
     ssl_bump peek step1 all
     ssl_bump peek step2 all

     acl https_intercept ssl::server_name_regex "/etc/squid/allow-intercepted.txt"
     ssl_bump splice step3 https_intercept
     ssl_bump terminate all

     sslproxy_capath /etc/ssl/certs
     sslproxy_options ALL

     sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
     sslcrtd_children 5

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/var/log/messages:

...
Jun  8 17:12:44 squidserver abrt-hook-ccpp: Process 23301 (squid) of 
user 23 killed by SIGABRT - dumping core
Jun  8 17:12:45 squidserver squid[23299]: Squid Parent: (squid-1) 
process 23301 exited due to signal 6 with status 0
Jun  8 17:12:45 squidserver abrt-server: Deleting problem directory 
ccpp-2016-06-08-17:12:44-23301 (dup of ccpp-2016-03-24-02:28:05-10168)
Jun  8 17:12:45 squidserver dbus[630]: [system] Activating service 
name='org.freedesktop.problems' (using servicehelper)
Jun  8 17:12:45 squidserver dbus[630]: [system] Successfully activated 
service 'org.freedesktop.problems'
Jun  8 17:12:48 squidserver squid[23299]: Squid Parent: (squid-1) 
process 23726 started
Jun  8 17:12:48 squidserver (squid-1): Ipc::Mem::Segment::open failed to 
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun  8 17:12:48 squidserver squid[23299]: Squid Parent: (squid-1) 
process 23726 exited with status 1
Jun  8 17:12:51 squidserver squid[23299]: Squid Parent: (squid-1) 
process 23733 started
Jun  8 17:12:51 squidserver (squid-1): Ipc::Mem::Segment::open failed to 
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun  8 17:12:51 squidserver squid[23299]: Squid Parent: (squid-1) 
process 23733 exited with status 1
Jun  8 17:12:54 squidserver squid[23299]: Squid Parent: (squid-1) 
process 23806 started
Jun  8 17:12:54 squidserver (squid-1): Ipc::Mem::Segment::open failed to 
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun  8 17:12:54 squidserver squid[23299]: Squid Parent: (squid-1) 
process 23806 exited with status 1
Jun  8 17:12:57 squidserver squid[23299]: Squid Parent: (squid-1) 
process 23813 started
Jun  8 17:12:57 squidserver (squid-1): Ipc::Mem::Segment::open failed to 
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun  8 17:12:57 squidserver squid[23299]: Squid Parent: (squid-1) 
process 23813 exited with status 1
Jun  8 17:13:00 squidserver squid[23299]: Squid Parent: (squid-1) 
process 23820 started
Jun  8 17:13:00 squidserver (squid-1): Ipc::Mem::Segment::open failed to 
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun  8 17:13:00 squidserver squid[23299]: Squid Parent: (squid-1) 
process 23820 exited with status 1
Jun  8 17:13:00 squidserver squid[23299]: Squid Parent: (squid-1) 
process 23820 will not be restarted due to repeated, frequent failures
Jun  8 17:13:00 squidserver squid[23299]: Exiting due to repeated, 
frequent failures
Jun  8 17:13:00 squidserver systemd: squid.service: Main process exited, 
code=exited, status=1/FAILURE
Jun  8 17:13:00 squidserver squid: squid: ERROR: Could not send signal 
15 to process 23301: (3) No such process
Jun  8 17:13:00 squidserver systemd: squid.service: Control process 
exited, code=exited status=1
Jun  8 17:13:00 squidserver systemd: squid.service: Unit entered failed 
state.
Jun  8 17:13:00 squidserver systemd: squid.service: Failed with result 
'exit-code'.
...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/var/log/squid/cache.log

...
2016/06/08 17:12:43 kid1| hold write on SSL connection on FD 29
2016/06/08 17:12:44 kid1| Closing HTTP port 192.168.0.1:8080
2016/06/08 17:12:44 kid1| Closing HTTP port 127.0.0.1:8080
2016/06/08 17:12:44 kid1| Closing HTTP port 192.168.0.1:3128
2016/06/08 17:12:44 kid1| Closing HTTPS port 192.168.0.1:3129
2016/06/08 17:12:44 kid1| storeDirWriteCleanLogs: Starting...
2016/06/08 17:12:44 kid1|   Finished.  Wrote 61 entries.
2016/06/08 17:12:44 kid1|   Took 0.00 seconds (291866.03 entries/sec).
2016/06/08 17:12:48 kid1| Set Current Directory to /var/spool/squid
2016/06/08 17:12:48 kid1| Starting Squid Cache version 3.5.9 for 
x86_64-redhat-linux-gnu...
2016/06/08 17:12:48 kid1| Service Name: squid
2016/06/08 17:12:48 kid1| Process ID 23726
2016/06/08 17:12:48 kid1| Process Roles: worker
2016/06/08 17:12:48 kid1| With 16384 file descriptors available
2016/06/08 17:12:48 kid1| Initializing IP Cache...
2016/06/08 17:12:48 kid1| DNS Socket created at [::], FD 9
2016/06/08 17:12:48 kid1| DNS Socket created at 0.0.0.0, FD 11
2016/06/08 17:12:48 kid1| Adding domain riosoft.local from /etc/resolv.conf
2016/06/08 17:12:48 kid1| Adding nameserver 192.168.0.7 from 
/etc/resolv.conf
2016/06/08 17:12:48 kid1| Adding nameserver 192.168.0.8 from 
/etc/resolv.conf
2016/06/08 17:12:48 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' 
processes
...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Squid version and build flags:

[root@squidserver ~]# squid -v
Squid Cache: Version 3.5.9
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--exec_prefix=/usr' 
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' 
'--disable-dependency-tracking' '--enable-eui' 
'--enable-follow-x-forwarded-for' '--enable-auth' 
'--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' 
'--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP' 
'--enable-auth-negotiate=kerberos' 
'--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group' 
'--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' 
'--enable-cachemgr-hostname=localhost' '--enable-delay-pools' 
'--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' 
'--enable-linux-netfilter' '--enable-removal-policies=heap,lru' 
'--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' 
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' 
'--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' 
'--with-default-user=squid' '--with-dl' '--with-openssl' 
'--with-pthreads' '--disable-arch-native' '--with-pic' 
'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall 
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic 
-fPIC' 'LDFLAGS=-Wl,-z,relro 
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -pie -Wl,-z,relro 
-Wl,-z,now -Wl,--warn-shared-textrel' 'CXXFLAGS=-O2 -g -pipe -Wall 
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic 
-fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

OpenSSL: openssl-1.0.2h-1.fc23.x86_64
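
Added example, not part of the original post and not Squid code: a small triage script for the /var/log/messages pattern reported above. It separates the worker that was killed by a signal from the restarts that exit with status 1 after the shm_open failure, and notes whether the parent gave up. The name triage and the report keys are assumptions made for this sketch.

```python
import re

# Sample input: entries from the /var/log/messages excerpt above, unwrapped
# onto single lines and trimmed to three of the five failed restarts.
SAMPLE = """\
Jun  8 17:12:45 squidserver squid[23299]: Squid Parent: (squid-1) process 23301 exited due to signal 6 with status 0
Jun  8 17:12:48 squidserver (squid-1): Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun  8 17:12:48 squidserver squid[23299]: Squid Parent: (squid-1) process 23726 exited with status 1
Jun  8 17:12:51 squidserver (squid-1): Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun  8 17:12:51 squidserver squid[23299]: Squid Parent: (squid-1) process 23733 exited with status 1
Jun  8 17:13:00 squidserver (squid-1): Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun  8 17:13:00 squidserver squid[23299]: Squid Parent: (squid-1) process 23820 exited with status 1
Jun  8 17:13:00 squidserver squid[23299]: Exiting due to repeated, frequent failures
""".splitlines()

# Worker exit as logged by the parent; the signal part is optional.
EXIT_RE = re.compile(
    r"Squid Parent: \((?P<kid>[^)]+)\) process (?P<pid>\d+) "
    r"exited (?:due to signal (?P<sig>\d+) )?with status (?P<status>\d+)")
SHM_RE = re.compile(r"failed to shm_open\((?P<seg>[^)]+)\)")
GAVE_UP = "Exiting due to repeated, frequent failures"


def triage(lines):
    """Split worker exits into signal kills and non-zero-status restarts."""
    report = {"crashes": [], "failed_restarts": [],
              "missing_segments": set(), "parent_gave_up": False}
    for line in lines:
        m = EXIT_RE.search(line)
        if m:
            if m["sig"]:                      # killed by a signal (6 = SIGABRT)
                report["crashes"].append((int(m["pid"]), int(m["sig"])))
            elif m["status"] != "0":          # started, then exited on its own
                report["failed_restarts"].append(int(m["pid"]))
            continue
        m = SHM_RE.search(line)
        if m:
            report["missing_segments"].add(m["seg"])
        elif GAVE_UP in line:
            report["parent_gave_up"] = True
    return report


if __name__ == "__main__":
    print(triage(SAMPLE))
```
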


