[squid-users] HTTPS woes
Alex Rousskov
rousskov at measurement-factory.com
Thu Apr 20 00:21:05 UTC 2017
On 04/19/2017 05:35 PM, Olly Lennox wrote:
> I can confirm that disabling the ssl session cache seems to have resolved the issue.
Great!
> I found another post which references this patch to resolve the issue:
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-13984.patch
I am not sure that patch is related to any issues I have talked about.
What "another post" did you find?
> I checked and the /dev/shm directory does exist with 777 permissions so
> from what I can see the OS should support it. I'm out of my depth
> here so maybe there is more to it but I can't see why squid couldn't
> write to this location.
Forget about my "OS environment is not compatible" theory (at least for
now). I now see that Squid is failing while trying to _open_ that memory
segment as opposed to failing while _creating_ it.
Did Squid try to create it? Set debug_options to "ALL,3 54,9" and search
for "shm_" and "ssl_session_cache" in cache.log for more clues.
Alex.
> ________________________________
> From: Alex Rousskov <rousskov at measurement-factory.com>
> To: "'squid-users at squid-cache. org'" <squid-users at squid-cache.org>
> Cc: Olly Lennox <oliver at lennox-it.uk>
> Sent: Thursday, 20 April 2017, 0:13
> Subject: Re: [squid-users] HTTPS woes
>
>
>
> On 04/19/2017 04:48 PM, Olly Lennox wrote:
>
>> After further investigation the problem is something to do with permissions related to ssl_crtd.
>
> No, it is not (or at least not yet).
>
>
>> I can run squid as root but using the default account (proxy?) it
>> won't run and is giving this error in cache.log:
>
>> 2017/04/19 23:43:54 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
>> FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
>
> The FATAL line is unrelated to the ssl_crtd line above it (this is one
> of several problems with FATAL error handling in Squid).
>
>
>> I've checked the file and folder permissions across all aspects of
>> squid and everything I can see is owned by proxy:proxy so not sure
>> where it is failing.
>
> Squid is failing when trying to open a shared memory segment used for
> storing SSL sessions. This probably means two things:
>
> 1. Your OS environment is not compatible with Squid shared memory needs
> (e.g., missing /dev/shm/ or equivalent). More info at
> http://wiki.squid-cache.org/Features/SmpScale#Ipc::Mem::Segment::create_failed_to_shm_open.28....29:_.282.29_No_such_file_or_directory
>
> 2. There is a bug in Squid: Squid should not create shared memory
> segments when running in non-SMP mode. Please consider reporting this
> bug if it has not been reported already. At the expense of losing SSL
> session resumption capabilities, you should be able to work around this
> bug by disabling the session cache:
> http://www.squid-cache.org/Doc/config/sslproxy_session_cache_size/
>
>
> HTH,
>
> Alex.
>
>
>
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow all
>>
>> http_port 3130
>>
>> http_port 3128 intercept
>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>>
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>> sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem
>>
>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
>> sslcrtd_children 8 startup=1 idle=1
>>
>> coredump_dir /var/spool/squid
>>
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>> cache_dir ufs /cache 400 16 256
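As an added diagnostic aid (not part of this thread or of Squid), the POSIX shell helpers below check the shared-memory directory glibc's shm_open() uses and classify a cache.log FATAL line as an _open_ or a _create_ failure, the distinction Alex draws above. The /dev/shm path and the log format come from the thread; the function names and the sample log are my own.

```shell
#!/bin/sh
# Added helpers for the shm_open failure discussed in the thread.
# SAMPLE_LOG is constructed from the cache.log excerpt quoted above.
SAMPLE_LOG="2017/04/19 23:43:54 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory"

# check_shm_dir [DIR]: glibc maps shm_open("/name") to DIR/name with DIR
# being /dev/shm. Prints "ok" and returns 0 when DIR exists and is writable
# by the current user (always true for root), else prints the problem.
check_shm_dir() {
    dir=${1:-/dev/shm}
    [ -d "$dir" ] || { echo "missing: $dir is not a directory"; return 1; }
    [ -w "$dir" ] || { echo "unwritable: $dir is not writable by $(id -un)"; return 1; }
    # Warn, but do not fail, when DIR is not a tmpfs mount (Linux-only check).
    if [ -r /proc/mounts ] && ! grep -q " $dir tmpfs " /proc/mounts; then
        echo "ok (warning: $dir is not a tmpfs mount)"
    else
        echo "ok"
    fi
}

# classify_shm_failure LINE: prints "open NAME errno=N", "create NAME errno=N"
# or "none". Squid logs a failure to attach to an existing segment as
# Ipc::Mem::Segment::open and a failure to create one as
# Ipc::Mem::Segment::create. errno 2 (ENOENT) on open means the segment was
# never created (or already removed); ENOENT on create points at DIR itself.
classify_shm_failure() {
    case $1 in
        *"Ipc::Mem::Segment::open failed to shm_open("*)   kind=open ;;
        *"Ipc::Mem::Segment::create failed to shm_open("*) kind=create ;;
        *) echo none; return 0 ;;
    esac
    name=${1#*"shm_open("}; name=${name%%")"*}
    err=${1#*"): ("};       err=${err%%")"*}
    echo "$kind $name errno=$err"
}

# scan_log < cache.log: reports every FATAL shm_open line in the input.
scan_log() {
    while IFS= read -r line; do
        case $line in
            FATAL:*shm_open*) classify_shm_failure "$line" ;;
        esac
    done
}

# Demo on the constructed sample; real use: scan_log < /var/log/squid/cache.log
printf '%s\n' "$SAMPLE_LOG" | scan_log
check_shm_dir /dev/shm || true
```

Run check_shm_dir as the account Squid actually runs under (proxy in the thread), since a root shell will report any directory as writable.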