[squid-users] Squid 6.2 with WCCP
Alex Rousskov
rousskov at measurement-factory.com
Mon Aug 21 13:34:09 UTC 2023
On 8/21/23 05:06, Callum Haywood wrote:
> We are currently testing Squid 6.2 with WCCP. Running on Ubuntu 20.04.6
> LTS with a GRE tunnel to a Cisco 2821.
>
> We are seeing the following errors in the logs:
>
> 2023/08/18 10:13:02| ERROR: Ignoring WCCPv2 message: check failed: duplicate security definition
> exception location: wccp2.cc(1254) wccp2HandleUdp
> I have built Squid 4.15 on the same host and using the same config the
> Cisco is able to see Squid, send traffic, and there are no WCCP errors
> in the logs.
>
> I have done a diff between the wccp2.cc source in 4.15 and 6.2 and see
> that there are quite a few changes. In the release notes I see "WCCP:
> Validate packets better".
FWIW, that change is present in Squid v4.17 as well.
> Does anyone understand what is causing these errors? Are there any known
> issues or patches in progress?
A few years ago, several serious problems were discovered in WCCP code,
including security vulnerabilities:
https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82
Some of the WCCP bugs were fixed without testing; developers fixing
those bugs could not easily test WCCP. Some of the old WCCP bugs
remained and some of the new fixes were buggy.
Today, WCCP code remains problematic. If your customers rely on WCCP,
consider investing into revamping that neglected and buggy feature.
Current Squid v4-v6 releases appear to be missing the following WCCP fix
in master/v7 (but it will probably not address the "duplicate security
definition" issue you are facing):
https://github.com/squid-cache/squid/commit/478eba2a3392c46b12cd5abf433ac4442d7515b7
HTH,
Alex.
More information about the squid-users
mailing list