[squid-users] Squid Cache Issues migration from 5.8 to 6.6
Alex Rousskov
rousskov at measurement-factory.com
Fri Jul 5 13:10:54 UTC 2024
On 2024-07-04 19:02, Jonathan Lee wrote:
>>>> I do not recommend changing your configuration at this time. I
>>>> recommend rereading my earlier recommendation and following that
>>>> instead: "As the next step in triage, I recommend determining what
>>>> that CA is in these cases (e.g., by capturing raw TLS packets and
>>>> matching them with connection information from A000417 error
>>>> messages in cache.log or %err_detail in access.log)."
>
> OK, I went back to 5.8 and ran the following command after I removed the
> changes I used. Does this help? This is run on the firewall side itself.
>
> openssl s_client -connect foxnews.com:443
>
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Did the above connection go through Squid? Sorry, I do not know whether
"on the firewall side itself" implies a "yes" or "no" answer in this
test case.
> Does that help
It does not hurt, but it is not the information I have requested for the
next triage step: I asked about the certificate corresponding to the
A000417 error message in Squid v6.6. You are sharing the certificate
corresponding to either a direct connection to the origin server or the
certificate corresponding to a problem-free connection through Squid v5.8.
> Should I regenerate a new certificate for the new version of Squid and
> redeploy them all to hosts again?
IMHO, on this thread, you should follow the recommended triage steps. If
those recommendations are problematic, please discuss.
Alex.
>>>> On Jul 4, 2024, at 14:45, Alex Rousskov
>>>> <rousskov at measurement-factory.com> wrote:
>>>>
>>>> On 2024-07-04 15:37, Jonathan Lee wrote:
>>>>
>>>>> in Squid.conf I have nothing with that detective.
>>>>
>>>> Sounds good; sslproxy_cert_sign default should work OK in most
>>>> cases. I mentioned signUntrusted algorithm so that you can discover
>>>> (from the corresponding sslproxy_cert_sign documentation) which
>>>> CA/certificate Squid uses in which SslBump use case. Triage is often
>>>> easier if folks share the same working theory, and my current
>>>> working theory suggests that we are looking at a (default)
>>>> signUntrusted use case.
>>>>
>>>> The solution here probably does _not_ involve changing
>>>> sslproxy_cert_sign configuration, but, to make progress, I need more
>>>> info to confirm this working theory and describe next steps.
>>>>
>>>>
>>>>> Yes I am using SSL bump with this configuration..
>>>>
>>>> Noted, thank you.
>>>>
>>>>
>>>>> So would I use this directive
>>>>
>>>> I do not recommend changing your configuration at this time. I
>>>> recommend rereading my earlier recommendation and following that
>>>> instead: "As the next step in triage, I recommend determining what
>>>> that CA is in these cases (e.g., by capturing raw TLS packets and
>>>> matching them with connection information from A000417 error
>>>> messages in cache.log or %err_detail in access.log)."
>>>>
>>>>
>>>> HTH,
>>>>
>>>> Alex.
>>>>
>>>>
>>>>>> On Jul 4, 2024, at 09:56, Alex Rousskov wrote:
>>>>>>
>>>>>> On 2024-07-04 12:11, Jonathan Lee wrote:
>>>>>>> failure while accepting a TLS connection on conn5887
>>>>>>> local=192.168.1.1:3128
>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417
>>>>>>
>>>>>> A000417 is an "unknown CA" alert sent by client to Squid while the
>>>>>> client is trying to establish a TLS connection to/through Squid.
>>>>>> The client does not trust the Certificate Authority that signed
>>>>>> the certificate that was used for that TLS connection.
>>>>>>
>>>>>> As the next step in triage, I recommend determining what that CA
>>>>>> is in these cases (e.g., by capturing raw TLS packets and matching
>>>>>> them with connection information from A000417 error messages in
>>>>>> cache.log or %err_detail in access.log).
>>>>>>
>>>>>> If you use SslBump for port 3128 traffic, then one of the
>>>>>> possibilities here is that Squid is using an unknown-to-client CA
>>>>>> to report an origin server that Squid itself does not trust (see
>>>>>> signUntrusted in squid.conf.documented). In those cases, logging a
>>>>>> level-1 ERROR is a Squid bug because that expected/desirable
>>>>>> outcome should be treated as success (and a successful TLS accept
>>>>>> treated as an error!).
>>>>>>
>>>>>>
>>>>>> HTH,
>>>>>>
>>>>>> Alex.
>>>>
>>>>
>>>>>>> Is my main concern however I use the squid guard URL blocker
>>>>>>> Sent from my iPhone
>>>>>>>> On Jul 4, 2024, at 07:41, Alex Rousskov
>>>>>>>> <rousskov at measurement-factory.com> wrote:
>>>>>>>>
>>>>>>>> On 2024-07-03 13:56, Jonathan Lee wrote:
>>>>>>>>> Hello fellow Squid users does anyone know how to fix this issue?
>>>>>>>>
>>>>>>>> I counted about eight different "issues" in your cache.log
>>>>>>>> sample. Most of them are probably independent. I recommend that
>>>>>>>> you explicitly pick _one_, search mailing list archives for
>>>>>>>> previous discussions about it, and then provide as many details
>>>>>>>> about it as you can (e.g., what traffic causes it and/or
>>>>>>>> matching access.log records).
>>>>>>>>
>>>>>>>>
>>>>>>>> HTH,
>>>>>>>>
>>>>>>>> Alex.
>>>>>>>>
>>>>>>>>
>>>>>>>>> Squid - Cache Logs
>>>>>>>>> Date-Time Message
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 03.07.2024 10:54:34 kick abandoning
>>>>>>>>> conn7853 local=192.168.1.1:3128 remote=192.168.1.5:49710 FD 89
>>>>>>>>> flags=1
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 03.07.2024 10:54:29 kick abandoning
>>>>>>>>> conn7844 local=192.168.1.1:3128 remote=192.168.1.5:49702 FD 81
>>>>>>>>> flags=1
>>>>>>>>> 03.07.2024 10:54:09 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn7648 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49672 FD 44 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:54:09 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn7647 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49670 FD 43 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:54:09 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn7646 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49668 FD 34 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:53:04 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn7367 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49627 FD 22 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:52:47 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn7345 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49618 FD 31 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:52:38 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn7340 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49616 FD 45 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:52:34 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn7316 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49609 FD 45 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 03.07.2024 10:51:55 WARNING: Error Pages Missing Language: en-us
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 03.07.2024 10:51:55 ERROR: loading file
>>>>>>>>> '/usr/local/etc/squid/errors/en-us/ERR_ZERO_SIZE_OBJECT': (2)
>>>>>>>>> No such file or directory
>>>>>>>>> 03.07.2024 10:51:44 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn7102 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49574 FD 34 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:51:28 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn7071 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49568 FD 92 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:50:29 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn6944 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49534 FD 101 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:49:54 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn6866 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49519 FD 31 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:49:38 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn6809 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49503 FD 31 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 03.07.2024 10:49:32 ERROR: system call failure while
>>>>>>>>> accepting a TLS connection on conn6794 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49496 FD 19 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=54
>>>>>>>>> 03.07.2024 10:49:24 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn6776 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49481 FD 137 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:48:49 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn6440 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49424 FD 16 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:48:49 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn6445 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49426 FD 34 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:48:22 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn6035 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49355 FD 226 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:48:09 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn5887 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49318 FD 33 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:48:09 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn5875 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49312 FD 216 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:48:09 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn5876 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49314 FD 217 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:47:57 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn5815 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49297 FD 201 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:47:54 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn5760 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49289 FD 195 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:47:52 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn5717 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49284 FD 195 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:47:50 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn5552 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:49268 FD 142 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 03.07.2024 10:47:34 kick abandoning
>>>>>>>>> conn5254 local=192.168.1.1:3128 remote=192.168.1.5:49209 FD 100
>>>>>>>>> flags=1
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 03.07.2024 10:47:21 kick abandoning
>>>>>>>>> conn5022 local=192.168.1.1:3128 remote=192.168.1.5:49167 FD 37
>>>>>>>>> flags=1
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 03.07.2024 10:47:21 kick abandoning
>>>>>>>>> conn5020 local=192.168.1.1:3128 remote=192.168.1.5:49165 FD 36
>>>>>>>>> flags=1
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 03.07.2024 10:42:22 WARNING: Forwarding loop detected for:
>>>>>>>>> 03.07.2024 10:40:08 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn4955 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:52339 FD 98 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 03.07.2024 10:39:52 kick abandoning
>>>>>>>>> conn4927 local=192.168.1.1:3128 remote=192.168.1.5:52331 FD 105
>>>>>>>>> flags=1
>>>>>>>>> 03.07.2024 10:39:09 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn4846 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:52314 FD 19 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:38:14 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn4650 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:52274 FD 35 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:38:08 ERROR: failure while accepting a TLS
>>>>>>>>> connection on conn4645 local=192.168.1.1:3128
>>>>>>>>> remote=192.168.1.5:52272 FD 35 flags=1:
>>>>>>>>> SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
>>>>>>>>> 03.07.2024 10:38:04 ERROR: Unsupported TLS option
>>>>>>>>> SINGLE_ECDH_USE
>>>>>>>>> 03.07.2024 10:38:04 ERROR: Unsupported TLS option SINGLE_DH_USE
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> 31.12.1969 16:00:00
>>>>>>>>> _______________________________________________
>>>>>>>>> squid-users mailing list
>>>>>>>>> squid-users at lists.squid-cache.org
>>>>>>>>> https://lists.squid-cache.org/listinfo/squid-users
>>>>>>>>
>>>>>>
>>>>
>>>
>>
>
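The triage step recommended in this thread (take the A000417-style "failure while accepting a TLS connection" messages from cache.log and match them, by connection information, against captured TLS packets) can be mechanised. The script below is an added example and is not code from the thread or from the Squid project. It assumes the cache.log line layout quoted above and that TLS_LIB_ERR is the OpenSSL error code printed in hex, laid out as OpenSSL 3 packs it (library number in bits 23-30, reason in bits 0-22, with a TLS alert received from the peer stored as 1000 + the alert description number); the alert names come from the RFC 5246/8446 AlertDescription registry. The sample log lines are constructed, and `parse_accept_failures`, `decode_openssl_error` and `wireshark_filter` are names chosen here.

```python
"""Triage helper for Squid "failure while accepting a TLS connection" errors.

Added example (not Squid code): parses cache.log ERROR lines, splits the
SQUID_TLS_ERR_ACCEPT+... detail into fields, decodes the OpenSSL error code
in TLS_LIB_ERR into its TLS alert, and builds a Wireshark display filter so
the failed client connections can be located in a packet capture.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in cache.log format, modelled on the lines quoted in the
# thread (addresses, ports, connection ids and codes are illustrative only).
SAMPLE_CACHE_LOG = """\
2024/07/03 10:54:09| ERROR: failure while accepting a TLS connection on conn7648 local=192.168.1.1:3128 remote=192.168.1.5:49672 FD 44 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1
2024/07/03 10:52:38| ERROR: failure while accepting a TLS connection on conn7340 local=192.168.1.1:3128 remote=192.168.1.5:49616 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
2024/07/03 10:51:55| WARNING: Error Pages Missing Language: en-us
2024/07/03 10:49:32| ERROR: system call failure while accepting a TLS connection on conn6794 local=192.168.1.1:3128 remote=192.168.1.5:49496 FD 19 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=54
"""

# Matches both the library-error and the "system call" variants of the message.
ACCEPT_ERR_RE = re.compile(
    r"^(?P<stamp>.*?)\s*ERROR: (?P<syscall>system call )?failure while accepting "
    r"a TLS connection on (?P<conn>conn\d+) local=(?P<local>\S+) remote=(?P<remote>\S+) "
    r"FD (?P<fd>\d+) flags=(?P<flags>\d+): (?P<detail>\S+)\s*$"
)

ERR_LIB_SSL = 20             # OpenSSL library number for libssl ("SSL routines")
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reason for a received alert = 1000 + alert number

# TLS AlertDescription values (RFC 5246 section 7.2.2, with RFC 8446 additions).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 90: "user_canceled", 100: "no_renegotiation",
    109: "missing_extension", 110: "unsupported_extension", 112: "unrecognized_name",
    113: "bad_certificate_status_response", 116: "certificate_required",
    120: "no_application_protocol",
}


@dataclass
class AcceptFailure:
    stamp: str
    conn: str
    local: str
    remote: str
    fd: int
    syscall: bool          # True for the "system call failure" variant (errno, no TLS_LIB_ERR)
    detail: str            # raw SQUID_TLS_ERR_ACCEPT+... string
    fields: dict[str, str | None]
    alert: str | None      # decoded TLS alert name, when TLS_LIB_ERR encodes one


def parse_detail(detail: str) -> dict[str, str | None]:
    """Split 'SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1' into a dict."""
    fields: dict[str, str | None] = {}
    for token in detail.split("+"):
        name, sep, value = token.partition("=")
        fields[name] = value if sep else None
    return fields


def decode_openssl_error(hex_code: str) -> tuple[int, int, str | None]:
    """Unpack an OpenSSL 3 error code into (library, reason, alert_name).

    alert_name is set only for libssl reasons in the 1000-1255 range, which is
    how OpenSSL records a fatal alert received from the peer.
    """
    code = int(hex_code, 16)
    lib = (code >> 23) & 0xFF
    reason = code & 0x7FFFFF
    alert = None
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        number = reason - SSL_AD_REASON_OFFSET
        alert = TLS_ALERTS.get(number, f"alert_{number}")
    return lib, reason, alert


def parse_accept_failures(log_text: str) -> list[AcceptFailure]:
    """Extract every TLS-accept failure; other cache.log lines are ignored."""
    found: list[AcceptFailure] = []
    for line in log_text.splitlines():
        m = ACCEPT_ERR_RE.search(line)
        if not m:
            continue
        fields = parse_detail(m.group("detail"))
        lib_err = fields.get("TLS_LIB_ERR")
        alert = decode_openssl_error(lib_err)[2] if lib_err else None
        found.append(AcceptFailure(
            stamp=m.group("stamp").rstrip("| "), conn=m.group("conn"),
            local=m.group("local"), remote=m.group("remote"), fd=int(m.group("fd")),
            syscall=m.group("syscall") is not None, detail=m.group("detail"),
            fields=fields, alert=alert,
        ))
    return found


def summarize(failures: list[AcceptFailure]) -> Counter:
    """Count failures by decoded alert (or raw detail) so the dominant cause stands out."""
    return Counter(f.alert or f.detail for f in failures)


def wireshark_filter(failures: list[AcceptFailure]) -> str:
    """Display filter selecting the failed client<->Squid TCP connections in a
    capture taken on the Squid host; one alternative per remote ip:port."""
    clauses = []
    for f in failures:
        ip, _, port = f.remote.rpartition(":")
        ip = ip.strip("[]")                              # Squid brackets IPv6 addresses
        addr_field = "ipv6.addr" if ":" in ip else "ip.addr"
        clauses.append(f"({addr_field} == {ip} && tcp.port == {port})")
    return " || ".join(dict.fromkeys(clauses))           # de-duplicate, keep order


if __name__ == "__main__":
    failures = parse_accept_failures(SAMPLE_CACHE_LOG)
    for f in failures:
        print(f"{f.stamp} {f.conn} remote={f.remote} -> {f.alert or f.detail}")
    print(summarize(failures))
    print(wireshark_filter(failures))
```

Run it against a real file with `parse_accept_failures(open("/var/log/squid/cache.log").read())` (path is an assumption), then paste the printed filter into Wireshark on a capture taken on the Squid host to see which certificate Squid actually presented on each failed connection; `%err_detail` in access.log carries the same SQUID_TLS_ERR_ACCEPT detail string and can be fed to `parse_detail` directly. For a TLS_LIB_ERR value outside the alert range, `openssl errstr 0A000417` prints the library's own text for the code.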