[squid-users] Squid Cache Issues migration from 5.8 to 6.6

Alex Rousskov rousskov at measurement-factory.com
Thu Jul 4 21:45:29 UTC 2024


On 2024-07-04 15:37, Jonathan Lee wrote:

> in Squid.conf I have nothing with that directive.

Sounds good; sslproxy_cert_sign default should work OK in most cases. I 
mentioned signUntrusted algorithm so that you can discover (from the 
corresponding sslproxy_cert_sign documentation) which CA/certificate 
Squid uses in which SslBump use case. Triage is often easier if folks 
share the same working theory, and my current working theory suggests 
that we are looking at a (default) signUntrusted use case.

The solution here probably does _not_ involve changing 
sslproxy_cert_sign configuration, but, to make progress, I need more 
info to confirm this working theory and describe next steps.


> Yes I am using SSL bump with this configuration.

Noted, thank you.


> So would I use this directive 

I do not recommend changing your configuration at this time. I recommend 
rereading my earlier recommendation and following that instead: "As the 
next step in triage, I recommend determining what that CA is in these 
cases (e.g., by capturing raw TLS packets and matching them with 
connection information from A000417 error messages in cache.log or 
%err_detail in access.log)."


HTH,

Alex.


>> On Jul 4, 2024, at 09:56, Alex Rousskov wrote:
>>
>> On 2024-07-04 12:11, Jonathan Lee wrote:
>>> failure while accepting a TLS connection on conn5887 
>>> local=192.168.1.1:3128
>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417
>>
>> A000417 is an "unknown CA" alert sent by client to Squid while the 
>> client is trying to establish a TLS connection to/through Squid. The 
>> client does not trust the Certificate Authority that signed the 
>> certificate that was used for that TLS connection.
>>
>> As the next step in triage, I recommend determining what that CA is in 
>> these cases (e.g., by capturing raw TLS packets and matching them with 
>> connection information from A000417 error messages in cache.log or 
>> %err_detail in access.log).
>>
>> If you use SslBump for port 3128 traffic, then one of the 
>> possibilities here is that Squid is using an unknown-to-client CA to 
>> report an origin server that Squid itself does not trust (see 
>> signUntrusted in squid.conf.documented). In those cases, logging a 
>> level-1 ERROR is a Squid bug because that expected/desirable outcome 
>> should be treated as success (and a successful TLS accept treated as 
>> an error!).
>>
>>
>> HTH,
>>
>> Alex.


>>> Is my main concern however I use the squid guard URL blocker
>>> Sent from my iPhone
>>>> On Jul 4, 2024, at 07:41, Alex Rousskov 
>>>> <rousskov at measurement-factory.com> wrote:
>>>>
>>>> On 2024-07-03 13:56, Jonathan Lee wrote:
>>>>> Hello fellow Squid users does anyone know how to fix this issue?
>>>>
>>>> I counted about eight different "issues" in your cache.log sample. 
>>>> Most of them are probably independent. I recommend that you 
>>>> explicitly pick _one_, search mailing list archives for previous 
>>>> discussions about it, and then provide as many details about it as 
>>>> you can (e.g., what traffic causes it and/or matching access.log 
>>>> records).
>>>>
>>>>
>>>> HTH,
>>>>
>>>> Alex.
>>>>
>>>>
>>>>> Squid - Cache Logs
>>>>> Date-Time    Message
>>>>> 31.12.1969 16:00:00
>>>>> 03.07.2024 10:54:34    kick abandoning 
>>>>> conn7853 local=192.168.1.1:3128 remote=192.168.1.5:49710 FD 89 flags=1
>>>>> 31.12.1969 16:00:00
>>>>> 03.07.2024 10:54:29    kick abandoning 
>>>>> conn7844 local=192.168.1.1:3128 remote=192.168.1.5:49702 FD 81 flags=1
>>>>> 03.07.2024 10:54:09    ERROR: failure while accepting a TLS 
>>>>> connection on conn7648 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49672 FD 44 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:54:09    ERROR: failure while accepting a TLS 
>>>>> connection on conn7647 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49670 FD 43 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:54:09    ERROR: failure while accepting a TLS 
>>>>> connection on conn7646 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49668 FD 34 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:53:04    ERROR: failure while accepting a TLS 
>>>>> connection on conn7367 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49627 FD 22 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:52:47    ERROR: failure while accepting a TLS 
>>>>> connection on conn7345 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49618 FD 31 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:52:38    ERROR: failure while accepting a TLS 
>>>>> connection on conn7340 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49616 FD 45 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>> 03.07.2024 10:52:34    ERROR: failure while accepting a TLS 
>>>>> connection on conn7316 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49609 FD 45 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 31.12.1969 16:00:00
>>>>> 03.07.2024 10:51:55    WARNING: Error Pages Missing Language: en-us
>>>>> 31.12.1969 16:00:00
>>>>> 03.07.2024 10:51:55    ERROR: loading file 
>>>>> '/usr/local/etc/squid/errors/en-us/ERR_ZERO_SIZE_OBJECT': (2) No 
>>>>> such file or directory
>>>>> 03.07.2024 10:51:44    ERROR: failure while accepting a TLS 
>>>>> connection on conn7102 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49574 FD 34 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:51:28    ERROR: failure while accepting a TLS 
>>>>> connection on conn7071 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49568 FD 92 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:50:29    ERROR: failure while accepting a TLS 
>>>>> connection on conn6944 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49534 FD 101 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>> 03.07.2024 10:49:54    ERROR: failure while accepting a TLS 
>>>>> connection on conn6866 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49519 FD 31 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:49:38    ERROR: failure while accepting a TLS 
>>>>> connection on conn6809 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49503 FD 31 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 31.12.1969 16:00:00
>>>>> 03.07.2024 10:49:32    ERROR: system call failure while accepting a 
>>>>> TLS connection on conn6794 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49496 FD 19 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=54
>>>>> 03.07.2024 10:49:24    ERROR: failure while accepting a TLS 
>>>>> connection on conn6776 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49481 FD 137 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>> 03.07.2024 10:48:49    ERROR: failure while accepting a TLS 
>>>>> connection on conn6440 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49424 FD 16 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>> 03.07.2024 10:48:49    ERROR: failure while accepting a TLS 
>>>>> connection on conn6445 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49426 FD 34 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:48:22    ERROR: failure while accepting a TLS 
>>>>> connection on conn6035 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49355 FD 226 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>> 03.07.2024 10:48:09    ERROR: failure while accepting a TLS 
>>>>> connection on conn5887 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49318 FD 33 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:48:09    ERROR: failure while accepting a TLS 
>>>>> connection on conn5875 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49312 FD 216 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:48:09    ERROR: failure while accepting a TLS 
>>>>> connection on conn5876 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49314 FD 217 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:47:57    ERROR: failure while accepting a TLS 
>>>>> connection on conn5815 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49297 FD 201 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>> 03.07.2024 10:47:54    ERROR: failure while accepting a TLS 
>>>>> connection on conn5760 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49289 FD 195 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>> 03.07.2024 10:47:52    ERROR: failure while accepting a TLS 
>>>>> connection on conn5717 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49284 FD 195 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>> 03.07.2024 10:47:50    ERROR: failure while accepting a TLS 
>>>>> connection on conn5552 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:49268 FD 142 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>> 31.12.1969 16:00:00
>>>>> 03.07.2024 10:47:34    kick abandoning 
>>>>> conn5254 local=192.168.1.1:3128 remote=192.168.1.5:49209 FD 100 flags=1
>>>>> 31.12.1969 16:00:00
>>>>> 03.07.2024 10:47:21    kick abandoning 
>>>>> conn5022 local=192.168.1.1:3128 remote=192.168.1.5:49167 FD 37 flags=1
>>>>> 31.12.1969 16:00:00
>>>>> 03.07.2024 10:47:21    kick abandoning 
>>>>> conn5020 local=192.168.1.1:3128 remote=192.168.1.5:49165 FD 36 flags=1
>>>>> 31.12.1969 16:00:00
>>>>> 31.12.1969 16:00:00
>>>>> 31.12.1969 16:00:00
>>>>> 31.12.1969 16:00:00
>>>>> 31.12.1969 16:00:00
>>>>> 31.12.1969 16:00:00
>>>>> 31.12.1969 16:00:00
>>>>> 31.12.1969 16:00:00
>>>>> 31.12.1969 16:00:00
>>>>> 31.12.1969 16:00:00
>>>>> 03.07.2024 10:42:22    WARNING: Forwarding loop detected for:
>>>>> 03.07.2024 10:40:08    ERROR: failure while accepting a TLS 
>>>>> connection on conn4955 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:52339 FD 98 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 31.12.1969 16:00:00
>>>>> 03.07.2024 10:39:52    kick abandoning 
>>>>> conn4927 local=192.168.1.1:3128 remote=192.168.1.5:52331 FD 105 flags=1
>>>>> 03.07.2024 10:39:09    ERROR: failure while accepting a TLS 
>>>>> connection on conn4846 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:52314 FD 19 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:38:14    ERROR: failure while accepting a TLS 
>>>>> connection on conn4650 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:52274 FD 35 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>> 03.07.2024 10:38:08    ERROR: failure while accepting a TLS 
>>>>> connection on conn4645 local=192.168.1.1:3128 
>>>>> remote=192.168.1.5:52272 FD 35 flags=1: 
>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>> 03.07.2024 10:38:04    ERROR: Unsupported TLS option SINGLE_ECDH_USE
>>>>> 03.07.2024 10:38:04    ERROR: Unsupported TLS option SINGLE_DH_USE
>>>>> 31.12.1969 16:00:00
>>>>> 31.12.1969 16:00:00
>>>>> 31.12.1969 16:00:00
>>>>> 31.12.1969 16:00:00
>>>>> 31.12.1969 16:00:00
>>>>> _______________________________________________
>>>>> squid-users mailing list
>>>>> squid-users at lists.squid-cache.org
>>>>> https://lists.squid-cache.org/listinfo/squid-users
>>>>
>>
> 
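The triage step Alex recommends twice in this thread is to take the connection information from the A000417 error lines in cache.log and match it against a raw packet capture to see which CA actually signed the certificate the client rejected. The script below is an added example, not code from the thread or from the Squid project: it parses cache.log lines in the exact shape Jonathan posted (the "dd.mm.yyyy HH:MM:SS" prefix is pfSense's log viewer, not Squid's native format), groups the TLS accept failures by error detail and client, keeps the ephemeral client port of every failed connection, and turns them into a BPF capture filter. The only code meaning it attaches is the one the thread gives (A000417 = client "unknown CA" alert); A000418 and errno values are reported verbatim because the thread does not explain them, and errno numbering is OS-specific. The sample log lines are copied from the posted sample, unwrapped onto single lines. The ports are only useful for matching a capture taken over the same time window, since ephemeral ports are reused.

```python
import re

# Matches both the plain and the "system call" variants of the accept failure,
# as they appear in the posted cache.log sample (pfSense log-viewer prefix).
TLS_ACCEPT_RE = re.compile(
    r"(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"ERROR: (?:system call )?failure while accepting a TLS connection on "
    r"(?P<conn>conn\d+) local=(?P<local>\S+) remote=(?P<remote>\S+) "
    r"FD (?P<fd>\d+) flags=\d+: (?P<detail>\S+)"
)

# Meanings taken from the thread itself; other codes are reported verbatim.
KNOWN_DETAILS = {
    "A000417": "client sent an 'unknown CA' TLS alert: it does not trust "
               "the CA that signed the certificate Squid presented",
}

# Constructed sample: lines from the posted log, unwrapped onto single lines.
SAMPLE_LOG = """\
03.07.2024 10:54:09    ERROR: failure while accepting a TLS connection on conn7648 local=192.168.1.1:3128 remote=192.168.1.5:49672 FD 44 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
03.07.2024 10:52:38    ERROR: failure while accepting a TLS connection on conn7340 local=192.168.1.1:3128 remote=192.168.1.5:49616 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
03.07.2024 10:49:32    ERROR: system call failure while accepting a TLS connection on conn6794 local=192.168.1.1:3128 remote=192.168.1.5:49496 FD 19 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=54
03.07.2024 10:47:34    kick abandoning conn5254 local=192.168.1.1:3128 remote=192.168.1.5:49209 FD 100 flags=1
03.07.2024 10:48:09    ERROR: failure while accepting a TLS connection on conn5887 local=192.168.1.1:3128 remote=192.168.1.5:49318 FD 33 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
"""


def parse_detail(detail):
    """Split 'SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1' into a dict.
    Tokens without '=' (the error category) map to True."""
    parts = {}
    for token in detail.split("+"):
        key, _, value = token.partition("=")
        parts[key] = value if value else True
    return parts


def parse_cache_log(text):
    """Return one dict per TLS accept failure; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TLS_ACCEPT_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev.update(parse_detail(ev.pop("detail")))
        events.append(ev)
    return events


def summarize(events):
    """Group failures by error detail, then by client IP, keeping the
    timestamp, conn id, client port and proxy endpoint of each failure so the
    connection can be located in a packet capture."""
    summary = {}
    for ev in events:
        # Library alerts carry TLS_LIB_ERR; system call failures carry errno.
        code = ev.get("TLS_LIB_ERR") or "errno=" + ev.get("errno", "?")
        client, _, port = ev["remote"].rpartition(":")
        entry = summary.setdefault(code, {
            "meaning": KNOWN_DETAILS.get(code, "not explained in the thread"),
            "count": 0,
            "clients": {},
        })
        entry["count"] += 1
        entry["clients"].setdefault(client, []).append(
            {"ts": ev["ts"], "conn": ev["conn"], "port": int(port),
             "proxy": ev["local"]})
    return summary


def bpf_filter(summary, code):
    """Build a tcpdump/Wireshark capture filter selecting exactly the TCP
    connections that produced the given error code."""
    clauses = []
    for client, conns in summary[code]["clients"].items():
        proxy_port = conns[0]["proxy"].rpartition(":")[2]
        ports = " or ".join("tcp port %d" % c["port"] for c in conns)
        clauses.append("host %s and tcp port %s and (%s)" % (client, proxy_port, ports))
    if len(clauses) == 1:
        return clauses[0]
    return " or ".join("(%s)" % c for c in clauses)


if __name__ == "__main__":
    summary = summarize(parse_cache_log(SAMPLE_LOG))
    for code, entry in summary.items():
        print("%s x%d: %s" % (code, entry["count"], entry["meaning"]))
        for client, conns in entry["clients"].items():
            for c in conns:
                print("  %s %s %s:%d" % (c["ts"], c["conn"], client, c["port"]))
        if code in KNOWN_DETAILS:
            print("  capture filter: " + bpf_filter(summary, code))
```

Run it against a real cache.log with `parse_cache_log(open("/var/squid/logs/cache.log").read())` (path assumed), then feed the printed filter to tcpdump or Wireshark on a capture taken while the errors recur; the server Certificate message in the matching flow shows which CA signed the certificate Squid served, which is what the signUntrusted theory needs confirmed or refuted.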