[squid-users] SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR
Jonathan Lee
jonathanlee571 at gmail.com
Wed Apr 10 21:26:17 UTC 2024
I think they also did fail silently in the older version, because the error logs were not present for the previous packages that I used. At one point all error logs were removed in a package and I had to create a linker file to see the basic errors. Squid 6.6 comes with the error logs I could not see previously; 5.8 and prior would create many blank logs that had no information.
In 5.8, squid -k parse did not show the
WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'. error:1E08010C:DECODER routines::unsupported
However, it did show this in 5.8, 5.9, and now in 6.6; if I delete the options it no longer lists the error.
2024/04/10 14:21:48| ERROR: Unsupported TLS option SINGLE_DH_USE
2024/04/10 14:21:48| ERROR: Unsupported TLS option SINGLE_ECDH_USE
It works: I can block URLs. That is what I am confused about: it shows HIT 304 and refreshes in 5.9; however, 6.6 kicks and abandons my connections.
5.8 is my everything-bagel version, it just works. However, like you said, the errors are not showing, as it is slow at times.
> On Apr 10, 2024, at 14:13, Alex Rousskov <rousskov at measurement-factory.com> wrote:
>
> On 2024-04-10 16:22, Jonathan Lee wrote:
>> Could it be related to this ??
>> "WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'. error:1E08010C:DECODER routines::unsupported"
>
> I do not know the answer to your question. I speculate that it could be related: Depending on various factors, without those DH parameters, Squid may not be able to communicate with clients. See WARNING in tls-dh description in squid.conf.documented.
>
> I know that others are reporting similar WARNINGs during v6 upgrades and dislike the letters "EC" those messages use. I am not going to debate the best choice of letters for this message, but I can tell you that, in the cases I investigated, the message was caused by a mismatch between squid.conf tls-dh=... option value and DH parameter file contents:
>
> * To Squid, tls-dh=curve:filename format implies that the keytype is "EC". These two letters are then fed to an OpenSSL function that configures related TLS state. OpenSSL then fails if tls-dh filename contains DH parameters produced with "openssl dhparam" command. I have seen these failures in tests.
>
> * To Squid, tls-dh=filename format (i.e. format without the curve name prefix) implies that the keytype is "DC". These two letters are then fed to an OpenSSL function that configures related TLS state. OpenSSL then probably fails if tls-dh filename contains DH parameters produced with "openssl ecparam" command. I have not tested this use case.
>
> * The failing checks and their messages are specific to Squids built with OpenSSL v3. It is possible that Squids built with OpenSSL v1 just silently fail (at runtime), but I have not checked that theory.
>
>
> FWIW, this poorly categorized message indicates a configuration _error_. AFAICT, Squid code should be adjusted to _quit_ (i.e. reject bad configuration) after discovering this error instead of continuing as if nothing bad happened.
>
> I recommend addressing the underlying cause, even if this message is unrelated to SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417.
>
>
> HTH,
>
> Alex.
>
>
>>> On Apr 10, 2024, at 08:38, Alex Rousskov <rousskov at measurement-factory.com> wrote:
>>>
>>> On 2024-04-10 10:50, Jonathan Lee wrote:
>>>
>>>> I am getting the following error in 6.6 after an upgrade from 5.8. Does anyone know what this is caused by?
>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR
>>>
>>> $ openssl errstr A000417
>>> error:0A000417:SSL routines::sslv3 alert illegal parameter
>>>
>>> I think I have seen that error code before, but I do not recall the exact circumstances. Sorry! The error happens when Squid tries to accept (or peek at) a TLS connection from the client. Might be prohibited TLS version/feature, TLS greasing, or non-TLS traffic? Try examining client TLS Hello packet(s) in Wireshark.
>>>
>>> Alex.
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> https://lists.squid-cache.org/listinfo/squid-users
>
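Added example, not code from the thread or from the Squid project: a small POSIX shell check for the tls-dh mismatch Alex describes above. It takes a squid.conf tls-dh= value in either form (curve:FILE or FILE), classifies the named file by its PEM header ("BEGIN EC PARAMETERS" from "openssl ecparam" versus "BEGIN DH PARAMETERS" from "openssl dhparam"), and reports whether the option form and the file contents agree. The sample files are constructed here with PEM framing only (no real parameters) so the script runs without openssl; the file names, the curve name prime256v1 and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example (not Squid's own code): check that the file named in a
# squid.conf tls-dh= option holds the parameter type that option form implies.
#
#   tls-dh=curve:FILE  -> Squid asks OpenSSL for keytype "EC"; FILE should come
#                         from "openssl ecparam" (-----BEGIN EC PARAMETERS-----)
#   tls-dh=FILE        -> FILE should come from "openssl dhparam"
#                         (-----BEGIN DH PARAMETERS-----)
#
# Only the PEM header line is inspected, so no openssl binary is needed and
# the curve name itself is not validated (assumption: header is trustworthy).

# Print EC, DH or UNKNOWN for the parameter file given as $1.
classify_params_file() {
    [ -r "$1" ] || { echo UNKNOWN; return 0; }
    if grep -q '^-----BEGIN EC PARAMETERS-----' "$1"; then
        echo EC
    elif grep -q '^-----BEGIN .*DH PARAMETERS-----' "$1"; then
        echo DH
    else
        echo UNKNOWN
    fi
}

# Given a tls-dh= value, report whether its form and the file agree.
# Returns 0 on match, 1 on mismatch (the case that yields Squid's
# "Failed to decode EC parameters" WARNING under OpenSSL 3).
check_tls_dh() {
    value="$1"
    case "$value" in
        *:*) expected=EC; file="${value#*:}" ;;   # curve:FILE form
        *)   expected=DH; file="$value" ;;        # plain FILE form
    esac
    actual=$(classify_params_file "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok: tls-dh=$value -> $actual parameters in $file"
        return 0
    fi
    echo "MISMATCH: tls-dh=$value expects $expected parameters, $file contains $actual"
    return 1
}

# Constructed sample files: PEM framing only, placeholder bodies.
# Real files come from:
#   openssl dhparam -out dh-parameters.2048 2048
#   openssl ecparam -name prime256v1 -out ec.pem
write_samples() {
    printf '%s\n' '-----BEGIN DH PARAMETERS-----' '(placeholder body)' \
        '-----END DH PARAMETERS-----' > "$1/dh-parameters.2048"
    printf '%s\n' '-----BEGIN EC PARAMETERS-----' '(placeholder body)' \
        '-----END EC PARAMETERS-----' > "$1/ec.pem"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_samples "$tmp"

check_tls_dh "$tmp/dh-parameters.2048" || :                 # ok
check_tls_dh "prime256v1:$tmp/ec.pem" || :                  # ok
check_tls_dh "prime256v1:$tmp/dh-parameters.2048" || :      # MISMATCH: curve prefix, dhparam file
check_tls_dh "$tmp/ec.pem" || :                             # MISMATCH: no prefix, ecparam file
```

To use it against a live configuration, pass the exact tls-dh= value from the https_port line; a curve:FILE value pointing at a file produced by "openssl dhparam" is the combination that produces the "EC parameters" WARNING, and the fix is either to drop the curve prefix or to regenerate the file with "openssl ecparam".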