[squid-users] assertion failed: store.cc "EBIT_TEST(flags, ENTRY_ABORTED)"

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 6 02:38:46 UTC 2017


On 04/06/17 19:27, alexander lunev wrote:
> Hello everyone!
> I have two almost identical cache servers, both FreeBSD 10.3, both 
> running latest squid-3.2.25 from ports in transparent mode, one runs 
> OK and another is throwing this error:

Do you mean 3.5.25?  (3.2 series ended at 3.2.14)

>
>
> 2017/06/04 10:19:08 kid1| storeLateRelease: released 0 objects
> 2017/06/04 10:19:19 kid1| assertion failed: store.cc:1086: 
> "EBIT_TEST(flags, ENTRY_ABORTED)"
>

If you can obtain an updated stack/back-trace from that assertion it 
would be a help in identifying how it is happening. 
<http://wiki.squid-cache.org/SquidFaq/BugReporting> has info on how to 
report this type of bug, and how to obtain traces from production 
proxies with minimal service impact if you need it.



> After this squid is exiting.
>
> Besides some default configuration, the config contains:
>
> http_port 127.0.0.1:3127
> http_port  127.0.0.1:3128 intercept
> https_port 127.0.0.1:3129 intercept ssl-bump 
> options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off 
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB 
> cert=/usr/local/etc/squid/squid.pem key=/usr/local/etc/squid/squid.key
>
> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s 
> /usr/local/etc/squid/ssl_db -M 4MB
> sslcrtd_children 35
>
> cache deny all
> url_rewrite_program /usr/local/bin/squidGuard -c 
> /usr/local/etc/squid/squidGuard.conf
>
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/squid/cache
> #ssl_bump client-first all
>
> always_direct allow all

You can/should remove that above line. It is unnecessary for bumping 
since 3.1 series.

>
> acl step1 at_step SslBump1
> acl ssldomains ssl::server_name "/usr/local/etc/squid/ssldomains.txt"
> ssl_bump peek step1
> ssl_bump bump ssldomains
> ssl_bump splice all
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
>

You should definitely remove both the above lines. They are hiding many 
potential TLS/SSL problems from *you* (not your users). The errors which 
may appear are real security problems with potentially major impacts on 
your users. They should usually be solved in ways other than simply 
hiding one's head in the sand.


>
> Why is this and how can it be fixed?
>

Something being cached is not being aborted when it was supposed to have 
been. More details are needed, please follow the instructions above.

Amos
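
A quick way to check a squid.conf for the three directives the reply above says to remove. This is an added example, not part of the original post and not Squid project code; the function name `audit_squid_conf` and the sample config (constructed from directives quoted in the thread) are assumptions.

```python
import re

# Directives the reply above recommends removing, matched on the directive
# name plus the specific argument quoted in the thread.
RULES = [
    (re.compile(r"^sslproxy_cert_error\s+allow\s+all\b"),
     "accepts every upstream certificate error"),
    (re.compile(r"^sslproxy_flags\s+.*\bDONT_VERIFY_PEER\b"),
     "disables upstream certificate verification"),
    (re.compile(r"^always_direct\s+allow\s+all\b"),
     "unnecessary for bumping since the 3.1 series"),
]


def audit_squid_conf(text):
    """Return (line_number, directive_line, reason) for each flagged line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip blank lines and commented-out directives.
        if not line or line.startswith("#"):
            continue
        for pattern, reason in RULES:
            if pattern.search(line):
                findings.append((lineno, line, reason))
    return findings


# Constructed sample, built from directives quoted in the thread.
SAMPLE = """\
http_port 127.0.0.1:3128 intercept
#ssl_bump client-first all
always_direct allow all
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

if __name__ == "__main__":
    for lineno, line, reason in audit_squid_conf(SAMPLE):
        print(f"line {lineno}: {line!r}: {reason}")
```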


