[squid-users] Squid 4.4 security_file_certgen helpers crashing

johnr johnrefwe at mail.com
Thu Dec 27 21:30:45 UTC 2018


Hi, 

I am having trouble running Squid 4.4 on Ubuntu 14.04. I have successfully
built Squid, and it runs fine if I'm not trying to SSL bump, but once I SSL
bump traffic, it starts crashing.

I've tried various ssl bump configurations with the same net result, so I
don't believe the configuration is relevant, but here it is:
sslcrtd_children 2 startup=2 idle=1
http_port 3129 ssl-bump generate-host-certificates=on cert=/home/ssl_bump.pem
acl step1 at_step SslBump1
ssl_bump stare step1
ssl_bump bump all

After browsing to an HTTPS site, Squid crashes and I find the following in
the cache log:
2018/12/27 21:15:40 kid1| WARNING: /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB #Hlpr1 exited
2018/12/27 21:15:40 kid1| FATAL: The /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB helpers are crashing too rapidly, need help!

I ran the security_gen_helper under GDB and it seems to be crashing here:
https://github.com/squid-cache/squid/blob/master/src/ssl/gadgets.cc#L218

My squid version output is as follows:
Squid Cache: Version 4.4
Service Name: squid

This binary uses OpenSSL 1.0.1f 6 Jan 2014. For legal restrictions on
distribution see https://www.openssl.org/source/license.html

configure options:  '--disable-arch-native' '--disable-dependency-tracking'
'--disable-eui' '--enable-auth'
'--enable-basic-auth-helpers=getpwnam,LDAP,PAM'
'--enable-digest-auth-helpers=password'
'--enable-external-acl-helpers=file_userip,unix_group'
'--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl'
'--disable-ipv6'

I specifically mention Ubuntu 14.04, because I compiled and ran Squid 4.4 on
Ubuntu 18.04 with the same config and it ran successfully. I was
successfully able to run Squid 4.3 on Ubuntu 14.04 and 18.04, so I think
this might be something newly introduced in the code? I saw a commit
supporting a newer version of OpenSSL; I wonder if that may have mistakenly
broken support for older versions of OpenSSL?

Thank you for any help!



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

