[squid-users] Skype makes Squid with ssl_bump crash
Bruno de Paula Larini
bruno.larini at riosoft.com.br
Thu Jun 9 19:20:49 UTC 2016
Hi list.
I'm experiencing some crashes on Squid workers and eventually on the
parent process while using a mixed authenticated/intercepted ssl_bump +
Skype (7.21.0.100). After searching for some clues, I've found this:
Changes to squid-3.5.9 (17 Sep 2015):
...
- Bug 4309: crash during Skype login
...
I'm running the exact Squid 3.5.9, provided by official Fedora 23 (x64)
repositories and noticed this behavior only while using Skype.
My squid.conf contains the section below. If Skype isn't open or if it
managed to authenticate without crashing the Squid main process then
everything works normally. If I comment these lines, Skype won't affect
Squid at all (not a single worker exits) and everything also works
normally in the authenticated, non-intercepted mode. So, this only
happens for whatever reason when it is trying to authenticate the Skype
user. All other concurrent connections are terminated during the
authentication.
If the bug has been addressed then maybe it is something I'm doing
wrong? Or maybe this is a different one?
Thanks everyone!
/etc/squid/squid.conf
...
http_port 192.168.0.1:3128 intercept
https_port 192.168.0.1:3129 cert=/etc/squid/ssl/squidCA.pem key=/etc/squid/ssl/squidCA.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
acl http_intercept dstdom_regex -i "/etc/squid/allow-intercepted.txt"
http_access allow SSL_ports
http_access allow http_intercept
http_access deny all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 all
acl https_intercept ssl::server_name_regex "/etc/squid/allow-intercepted.txt"
ssl_bump splice step3 https_intercept
ssl_bump terminate all
sslproxy_capath /etc/ssl/certs
sslproxy_options ALL
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/var/log/messages:
...
Jun 8 17:12:44 squidserver abrt-hook-ccpp: Process 23301 (squid) of
user 23 killed by SIGABRT - dumping core
Jun 8 17:12:45 squidserver squid[23299]: Squid Parent: (squid-1)
process 23301 exited due to signal 6 with status 0
Jun 8 17:12:45 squidserver abrt-server: Deleting problem directory
ccpp-2016-06-08-17:12:44-23301 (dup of ccpp-2016-03-24-02:28:05-10168)
Jun 8 17:12:45 squidserver dbus[630]: [system] Activating service
name='org.freedesktop.problems' (using servicehelper)
Jun 8 17:12:45 squidserver dbus[630]: [system] Successfully activated
service 'org.freedesktop.problems'
Jun 8 17:12:48 squidserver squid[23299]: Squid Parent: (squid-1)
process 23726 started
Jun 8 17:12:48 squidserver (squid-1): Ipc::Mem::Segment::open failed to
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun 8 17:12:48 squidserver squid[23299]: Squid Parent: (squid-1)
process 23726 exited with status 1
Jun 8 17:12:51 squidserver squid[23299]: Squid Parent: (squid-1)
process 23733 started
Jun 8 17:12:51 squidserver (squid-1): Ipc::Mem::Segment::open failed to
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun 8 17:12:51 squidserver squid[23299]: Squid Parent: (squid-1)
process 23733 exited with status 1
Jun 8 17:12:54 squidserver squid[23299]: Squid Parent: (squid-1)
process 23806 started
Jun 8 17:12:54 squidserver (squid-1): Ipc::Mem::Segment::open failed to
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun 8 17:12:54 squidserver squid[23299]: Squid Parent: (squid-1)
process 23806 exited with status 1
Jun 8 17:12:57 squidserver squid[23299]: Squid Parent: (squid-1)
process 23813 started
Jun 8 17:12:57 squidserver (squid-1): Ipc::Mem::Segment::open failed to
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun 8 17:12:57 squidserver squid[23299]: Squid Parent: (squid-1)
process 23813 exited with status 1
Jun 8 17:13:00 squidserver squid[23299]: Squid Parent: (squid-1)
process 23820 started
Jun 8 17:13:00 squidserver (squid-1): Ipc::Mem::Segment::open failed to
shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun 8 17:13:00 squidserver squid[23299]: Squid Parent: (squid-1)
process 23820 exited with status 1
Jun 8 17:13:00 squidserver squid[23299]: Squid Parent: (squid-1)
process 23820 will not be restarted due to repeated, frequent failures
Jun 8 17:13:00 squidserver squid[23299]: Exiting due to repeated,
frequent failures
Jun 8 17:13:00 squidserver systemd: squid.service: Main process exited,
code=exited, status=1/FAILURE
Jun 8 17:13:00 squidserver squid: squid: ERROR: Could not send signal
15 to process 23301: (3) No such process
Jun 8 17:13:00 squidserver systemd: squid.service: Control process
exited, code=exited status=1
Jun 8 17:13:00 squidserver systemd: squid.service: Unit entered failed
state.
Jun 8 17:13:00 squidserver systemd: squid.service: Failed with result
'exit-code'.
...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/var/log/squid/cache.log
...
2016/06/08 17:12:43 kid1| hold write on SSL connection on FD 29
2016/06/08 17:12:44 kid1| Closing HTTP port 192.168.0.1:8080
2016/06/08 17:12:44 kid1| Closing HTTP port 127.0.0.1:8080
2016/06/08 17:12:44 kid1| Closing HTTP port 192.168.0.1:3128
2016/06/08 17:12:44 kid1| Closing HTTPS port 192.168.0.1:3129
2016/06/08 17:12:44 kid1| storeDirWriteCleanLogs: Starting...
2016/06/08 17:12:44 kid1| Finished. Wrote 61 entries.
2016/06/08 17:12:44 kid1| Took 0.00 seconds (291866.03 entries/sec).
2016/06/08 17:12:48 kid1| Set Current Directory to /var/spool/squid
2016/06/08 17:12:48 kid1| Starting Squid Cache version 3.5.9 for
x86_64-redhat-linux-gnu...
2016/06/08 17:12:48 kid1| Service Name: squid
2016/06/08 17:12:48 kid1| Process ID 23726
2016/06/08 17:12:48 kid1| Process Roles: worker
2016/06/08 17:12:48 kid1| With 16384 file descriptors available
2016/06/08 17:12:48 kid1| Initializing IP Cache...
2016/06/08 17:12:48 kid1| DNS Socket created at [::], FD 9
2016/06/08 17:12:48 kid1| DNS Socket created at 0.0.0.0, FD 11
2016/06/08 17:12:48 kid1| Adding domain riosoft.local from /etc/resolv.conf
2016/06/08 17:12:48 kid1| Adding nameserver 192.168.0.7 from
/etc/resolv.conf
2016/06/08 17:12:48 kid1| Adding nameserver 192.168.0.8 from
/etc/resolv.conf
2016/06/08 17:12:48 kid1| helperOpenServers: Starting 5/5 'ssl_crtd'
processes
...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Squid version and build flags:
[root@squidserver ~]# squid -v
Squid Cache: Version 3.5.9
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
'--disable-dependency-tracking' '--enable-eui'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
'--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos'
'--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group'
'--enable-storeid-rewrite-helpers=file' '--enable-cache-digests'
'--enable-cachemgr-hostname=localhost' '--enable-delay-pools'
'--enable-epoll' '--enable-icap-client' '--enable-ident-lookups'
'--enable-linux-netfilter' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-ssl' '--enable-ssl-crtd'
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio'
'--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio'
'--with-default-user=squid' '--with-dl' '--with-openssl'
'--with-pthreads' '--disable-arch-native' '--with-pic'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic
-fPIC' 'LDFLAGS=-Wl,-z,relro
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -pie -Wl,-z,relro
-Wl,-z,now -Wl,--warn-shared-textrel' 'CXXFLAGS=-O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic
-fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
OpenSSL: openssl-1.0.2h-1.fc23.x86_64
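
Added example, not part of the original post: a small triage script for syslog excerpts like the /var/log/messages one above. It separates the worker's initial signal exit from the later non-zero exits that are logged alongside shm_open failures, and flags when the parent gives up restarting. The function name triage and the sample lines (re-joined and shortened from the post's log) are constructed for illustration.

```python
import re

# Constructed sample modelled on the /var/log/messages excerpt in the post
# (mail-wrapped lines re-joined, only two of the failed restarts kept).
SAMPLE = """\
Jun 8 17:12:44 squidserver abrt-hook-ccpp: Process 23301 (squid) of user 23 killed by SIGABRT - dumping core
Jun 8 17:12:45 squidserver squid[23299]: Squid Parent: (squid-1) process 23301 exited due to signal 6 with status 0
Jun 8 17:12:48 squidserver squid[23299]: Squid Parent: (squid-1) process 23726 started
Jun 8 17:12:48 squidserver (squid-1): Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun 8 17:12:48 squidserver squid[23299]: Squid Parent: (squid-1) process 23726 exited with status 1
Jun 8 17:13:00 squidserver squid[23299]: Squid Parent: (squid-1) process 23820 started
Jun 8 17:13:00 squidserver (squid-1): Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
Jun 8 17:13:00 squidserver squid[23299]: Squid Parent: (squid-1) process 23820 exited with status 1
Jun 8 17:13:00 squidserver squid[23299]: Squid Parent: (squid-1) process 23820 will not be restarted due to repeated, frequent failures
"""

SIGNAL = re.compile(r"Squid Parent: \((\S+)\) process (\d+) exited due to signal (\d+)")
STATUS = re.compile(r"Squid Parent: \((\S+)\) process (\d+) exited with status (\d+)")
SHM = re.compile(r"failed to shm_open\((\S+?)\)")
GAVE_UP = re.compile(r"process (\d+) will not be restarted")


def triage(text):
    """Summarise a Squid worker crash and the restart loop that follows it."""
    report = {"crashes": [], "failed_restarts": [],
              "shm_missing": set(), "gave_up": False}
    for line in text.splitlines():
        if m := SIGNAL.search(line):
            # Worker killed by a signal (6 is SIGABRT): the event to debug.
            report["crashes"].append((int(m.group(2)), int(m.group(3))))
        elif m := STATUS.search(line):
            # Replacement worker that started and exited non-zero.
            if int(m.group(3)) != 0:
                report["failed_restarts"].append(int(m.group(2)))
        elif m := SHM.search(line):
            # Shared memory segment the replacement worker could not open.
            report["shm_missing"].add(m.group(1))
        elif GAVE_UP.search(line):
            # Parent stopped respawning: the proxy is now down.
            report["gave_up"] = True
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```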