Re: [squid-users] Prefer or force ipv6 usage on dual stack interface

2024-07-16 Thread Dieter Bloms
Hello Rasmus,

squid has implemented the Happy Eyeballs algorithm, so squid uses the
best protocol to reach the server.

More info about Happy Eyeballs can be found here:
https://datatracker.ietf.org/doc/html/rfc8305

On Tue, Jul 16, Rasmus Horndrup wrote:

> Hi,
> On a dual stack network interface I’m interested in using squid as an IPv6-only
> forward proxy.
> My general understanding was that squid will prefer to use IPv6 whenever
> available, but I’m having issues with squid seemingly preferring IPv4 in some
> cases.
> 
> I have two examples, where it proceeds using IPv6 for the first and IPv4 for 
> the second.
> 
> From the looks of it, they both successfully receive A and  records, but 
> how can I basically force squid to use IPv6? 
> 
> Resolves to IPv6:
> -
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> Proxy-Authorization: Basic cHJpY2VzaGFwZTpwcmljZXNoYXBlMTIz
> User-Agent: curl/8.6.0
> Proxy-Connection: Keep-Alive
> 
> 
> --
> 2024/07/16 14:08:58.089 kid1| 14,3| Address.cc(389) lookupHostIP: Given 
> Non-IP 'www.google.com': Name or service not known
> 2024/07/16 14:08:58.089 kid1| 14,3| ipcache.cc(732) ipcache_gethostbyname: 
> ipcache_gethostbyname: 'www.google.com', flags=1
> 2024/07/16 14:08:58.090 kid1| 14,3| ipcache.cc(313) ipcacheRelease: 
> ipcacheRelease: Releasing entry for 'www.google.com'
> 2024/07/16 14:08:58.090 kid1| 14,3| Address.cc(389) lookupHostIP: Given 
> Non-IP 'www.google.com': Name or service not known
> 2024/07/16 14:08:58.090 kid1| 14,4| ipcache.cc(610) ipcache_nbgethostbyname: 
> www.google.com
> 2024/07/16 14:08:58.090 kid1| 14,3| Address.cc(389) lookupHostIP: Given 
> Non-IP 'www.google.com': Name or service not known
> 2024/07/16 14:08:58.090 kid1| 14,5| ipcache.cc(670) ipcache_nbgethostbyname_: 
> ipcache_nbgethostbyname: MISS for 'www.google.com'
> 2024/07/16 14:08:58.090 kid1| 78,3| dns_internal.cc(1793) idnsALookup: 
> idnsALookup: buf is 32 bytes for www.google.com, id = 0xfc67
> 2024/07/16 14:08:58.090 kid1| 78,3| dns_internal.cc(1729) 
> idnsSendSlaveQuery: buf is 32 bytes for www.google.com, id = 0x147d
> 2024/07/16 14:08:58.090 kid1| 14,4| ipcache.cc(610) ipcache_nbgethostbyname: 
> www.google.com
> 2024/07/16 14:08:58.090 kid1| 14,3| Address.cc(389) lookupHostIP: Given 
> Non-IP 'www.google.com': Name or service not known
> 2024/07/16 14:08:58.090 kid1| 14,5| ipcache.cc(670) ipcache_nbgethostbyname_: 
> ipcache_nbgethostbyname: MISS for 'www.google.com'
> 2024/07/16 14:08:58 pinger| Pinger exiting.
> 2024/07/16 14:08:58.117 kid1| 78,3| dns_internal.cc(1319) idnsRead: idnsRead: 
> starting with FD 10
> 2024/07/16 14:08:58.117 kid1| 78,3| dns_internal.cc(1365) idnsRead: idnsRead: 
> FD 10: received 144 bytes from [2001:4860:4860::]:53
> 2024/07/16 14:08:58.117 kid1| 78,3| dns_internal.cc(1172) idnsGrokReply: 
> idnsGrokReply: QID 0x147d, 4 answers
> 2024/07/16 14:08:58.117 kid1| 78,6| dns_internal.cc(1105) 
> idnsCallbackOneWithAnswer: 4 records for 0x648c0dbd80d8
> 2024/07/16 14:08:58.117 kid1| 14,3| ipcache.cc(480) ipcacheParse: 4 answers 
> for www.google.com
> 2024/07/16 14:08:58.117 kid1| 14,5| ipcache.cc(549) updateTtl: use first 300 
> from RR TTL 300
> 2024/07/16 14:08:58.117 kid1| 14,3| ipcache.cc(535) addGood: www.google.com 
> #1 [2607:f8b0:4004:c07::93]
> 2024/07/16 14:08:58.117 kid1| 14,3| ipcache.cc(535) addGood: www.google.com 
> #2 [2607:f8b0:4004:c07::6a]
> 2024/07/16 14:08:58.117 kid1| 14,3| ipcache.cc(535) addGood: www.google.com 
> #3 [2607:f8b0:4004:c07::67]
> 2024/07/16 14:08:58.117 kid1| 14,3| ipcache.cc(535) addGood: www.google.com 
> #4 [2607:f8b0:4004:c07::68]
> 2024/07/16 14:08:58.117 kid1| 78,6| dns_internal.cc(1105) 
> idnsCallbackOneWithAnswer: 4 records for 0x648c0dbdca68
> 2024/07/16 14:08:58.117 kid1| 14,3| ipcache.cc(480) ipcacheParse: 4 answers 
> for www.google.com
> 2024/07/16 14:08:58.117 kid1| 14,5| ipcache.cc(549) updateTtl: use first 300 
> from RR TTL 300
> 2024/07/16 14:08:58.117 kid1| 14,3| ipcache.cc(535) addGood: www.google.com 
> #1 [2607:f8b0:4004:c07::93]
> 2024/07/16 14:08:58.117 kid1| 14,3| ipcache.cc(535) addGood: www.google.com 
> #2 [2607:f8b0:4004:c07::6a]
> 2024/07/16 14:08:58.117 kid1| 14,3| ipcache.cc(535) addGood: www.google.com 
> #3 [2607:f8b0:4004:c07::67]
> 2024/07/16 14:08:58.117 kid1| 14,3| ipcache.cc(535) addGood: www.google.com 
> #4 [2607:f8b0:4004:c07::68]
> 2024/07/16 14:08:58.129 kid1| 78,3| dns_internal.cc(1319) idnsRead: idnsRead: 
> starting with FD 10
> 2024/07/16 14:08:58.129 kid1| 78,3| dns_internal.cc(1365) idnsRead: idnsRead: 
> FD 10: received 128 bytes from [2001:4860:4860::]:53
> 2024/07/16 14:08:58.129 kid1| 78,3| dns_internal.cc(1172) idnsGrokReply: 
> idnsGrokReply: QID 0xfc67, 6 answers
> 2024/07/16 14:08:58.129 kid1| 78,6| dns_internal.cc(1105) 
> idnsCallbackOneWithAnswer: last 6 records for 0x648c0dbd80d8
> 2024/07/16 14:08:58.129 kid1| 14,3| ipcache.cc(480) ipcacheParse: 6 answers 
> for www.google.com
> 

Re: [squid-users] Howto enable openssl option UNSAFE_LEGACY_RENEGOTIATION ?

2024-06-11 Thread Dieter Bloms
Hello Alex,

thank you for your answer!

On Mon, Jun 10, Alex Rousskov wrote:

> On 2024-06-10 08:10, Dieter Bloms wrote:
> 
> > I have activated ssl_bump and must activate the UNSAFE_LEGACY_RENEGOTIATION 
> > option to enable access to https://cisco.com.
> > The web server does not support secure renegotiation.
> > 
> > I have tried to set the following options, but squid does not recognize any 
> > of them:
> > 
> > tls_outgoing_options options=UNSAFE_LEGACY_RENEGOTIATION
> > 
> > or
> > 
> > tls_outgoing_options options=ALLOW_UNSAFE_LEGACY_RENEGOTIATION
> > 
> > and
> > 
> > tls_outgoing_options options=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
> > 
> > but no matter which syntax I use, I always get the message during squid -k
> > parse:
> > 
> > “2024/06/10 14:08:17| ERROR: Unknown TLS option 
> > ALLOW_UNSAFE_LEGACY_RENEGOTIATION”
> > 
> > How can I activate secure renegotiation for squid?
> 
> To set an OpenSSL connection option that Squid does not know by name, use
> that option hex value (based on your OpenSSL sources). For example:
> 
> # SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is defined to be
> # SSL_OP_BIT(18) which is equal to (1 << 18) or 0x4 in hex.
> tls_outgoing_options options=0x4
> 
> Disclaimer: I have not tested the above and do not know whether adding that
> option achieves what you want to achieve.

I've added that option like:
tls_outgoing_options options=0x4 capath=/etc/ssl/certs min-version=1.2 
cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1
but no change.

I tried 0x4 (for SSL_OP_LEGACY_SERVER_CONNECT), but also without any change.

I use a debian bookworm container, and when I use openssl s_client
without -legacy_server_connect I can't establish a TLS connection:

--snip--
root@tarski:/# openssl s_client -connect cisco.com:443
CONNECTED(0003)
4097F217F17F:error:0A000152:SSL routines:final_renegotiate:unsafe legacy 
renegotiation disabled:../ssl/statem/extensions.c:893:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5177 bytes and written 322 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: 
Session-ID: 869B4016868DFF23D1DAB3A33F99F9879274C1F62FD45BF9DF839B27735FC72C
Session-ID-ctx: 
Master-Key: 
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1718090662
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
root@tarski:/# 
--snip--

but when I add the -legacy_server_connect option I can, as shown here:

--snip--
---
root@cdxiaphttpproxy04:/# openssl s_client -legacy_server_connect -connect 
cisco.com:443
CONNECTED(0003)
depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
verify return:1
depth=1 C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = 
HydrantID Server CA O1
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = 
www.cisco.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = 
www.cisco.com
   i:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = 
HydrantID Server CA O1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 14 05:48:20 2023 GMT; NotAfter: Nov 13 05:47:20 2024 GMT
 1 s:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = 
HydrantID Server CA O1
   i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 12 16:56:15 2019 GMT; NotAfter: Dec 12 16:56:15 2029 GMT
 2 s:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
   i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 16 18:12:23 2014 GMT; NotAfter: Jan 16 18:12:23 2034 GMT
---
Server certificate


[squid-users] Howto enable openssl option UNSAFE_LEGACY_RENEGOTIATION ?

2024-06-10 Thread Dieter Bloms
Hello,

I have activated ssl_bump and must activate the UNSAFE_LEGACY_RENEGOTIATION 
option to enable access to https://cisco.com.
The web server does not support secure renegotiation.

I have tried to set the following options, but squid does not recognize any of 
them:

tls_outgoing_options options=UNSAFE_LEGACY_RENEGOTIATION

or 

tls_outgoing_options options=ALLOW_UNSAFE_LEGACY_RENEGOTIATION

and

tls_outgoing_options options=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

but no matter which syntax I use, I always get the message during squid -k parse:

“2024/06/10 14:08:17| ERROR: Unknown TLS option 
ALLOW_UNSAFE_LEGACY_RENEGOTIATION”

How can I activate secure renegotiation for squid?

-- 
Regards

  Dieter Bloms

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users

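A way to derive such a hex value from the OpenSSL headers, as an added example that is not code from this thread, from Squid or from OpenSSL: it parses SSL_OP_BIT(n) definitions from a constructed excerpt of OpenSSL 3's ssl.h (the header installed on the proxy host is the authoritative source, as the reply above says) and renders the token for Squid's options= argument. It also shows that SSL_OP_BIT(18) evaluates to 0x40000, while 0x4 is SSL_OP_BIT(2), the SSL_OP_LEGACY_SERVER_CONNECT flag that openssl s_client -legacy_server_connect sets.

```python
"""Derive the hex value that Squid's tls_outgoing_options options= needs
for an OpenSSL SSL_OP_* flag from OpenSSL's own header definitions.
Added example; not Squid or OpenSSL code."""
import re

# Constructed excerpt of OpenSSL 3.x <openssl/ssl.h>. Read the header installed
# on the proxy host instead: the bit numbers are release-specific, which is why
# the thread says to take the value "based on your OpenSSL sources".
SSL_H_EXCERPT = """
# define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)
# define SSL_OP_LEGACY_SERVER_CONNECT              SSL_OP_BIT(2)
# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION  SSL_OP_BIT(18)
# define SSL_OP_NO_TLSv1                           SSL_OP_BIT(26)
# define SSL_OP_NO_TLSv1_1                         SSL_OP_BIT(28)
"""

# One "# define SSL_OP_<NAME> SSL_OP_BIT(<n>)" line; the SSL_OP_BIT macro
# definition itself does not match because "(n)" follows the name directly.
_DEFINE_RE = re.compile(
    r"^\s*#\s*define\s+(SSL_OP_[A-Za-z0-9_]+)\s+SSL_OP_BIT\((\d+)\)",
    re.MULTILINE)


def parse_ssl_options(header_text):
    """Map each SSL_OP_* name to its value, applying SSL_OP_BIT(n) == 1 << n."""
    return {name: 1 << int(bit) for name, bit in _DEFINE_RE.findall(header_text)}


def squid_options_value(name, options=None):
    """Render the hex token for one flag, given with or without the SSL_OP_
    prefix, for use as options=<value> in tls_outgoing_options."""
    options = parse_ssl_options(SSL_H_EXCERPT) if options is None else options
    full = name if name.startswith("SSL_OP_") else "SSL_OP_" + name
    return "0x%x" % options[full]


def option_names_for(value, options=None):
    """Reverse lookup: which flags does a hex value such as 0x4 actually select?"""
    options = parse_ssl_options(SSL_H_EXCERPT) if options is None else options
    return sorted(name for name, bit in options.items() if value & bit)


if __name__ == "__main__":
    for name, value in parse_ssl_options(SSL_H_EXCERPT).items():
        print("%-45s 0x%x" % (name, value))
    # The flag asked about in the thread: SSL_OP_BIT(18) is 0x40000.
    print("tls_outgoing_options options="
          + squid_options_value("ALLOW_UNSAFE_LEGACY_RENEGOTIATION"))
    # 0x4 is SSL_OP_BIT(2): SSL_OP_LEGACY_SERVER_CONNECT, the flag behind the
    # openssl s_client -legacy_server_connect run shown later in the thread.
    print("0x4 selects:", option_names_for(0x4))
```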

Re: [squid-users] deny_info URL not working

2024-05-11 Thread Dieter Bloms
Hello,

On Sat, May 11, Vilmondes Queiroz wrote:

> deny_info http://example.com !authorized_ips

Does it work if you add the HTTP status code, like:

deny_info 307:http://example.com !authorized_ips


-- 
Regards

  Dieter



Re: [squid-users] After upgrade from squid6.6 to 6.8 we have a lot of ICAP_ERR_OTHER and ICAP_ERR_GONE messages in icap logfiles

2024-03-14 Thread Dieter Bloms
Hello Amos,

thank you for your answer!
I opened a bug report https://bugs.squid-cache.org/show_bug.cgi?id=5353
with some debug info attached.

On Thu, Mar 14, Amos Jeffries wrote:

> 
> On 12/03/24 04:31, Dieter Bloms wrote:
> > Hello,
> > 
> > after an upgrade from squid6.6 to squid6.8 on a debian bookworm we have a lot
> > of messages of the type:
> > 
> > ICAP_ERR_GONE/000
> > ICAP_ERR_OTHER/200
> > ICAP_ERR_OTHER/408
> > ICAP_ERR_OTHER/204
> > 
> > and some of our users complain about bad performance and some get "empty
> > pages".
> > Unfortunately it is not deterministic, the page will appear the next
> > time it is called up. I can't see anything conspicuous in the cache.log.
> > 
> 
> Hmm, there was 
> <https://github.com/squid-cache/squid/commit/4658d0fc049738c2e6cd25fc0af10e820cf4c11a>
> changing message I/O in particular. The behavioural changes from that might
> have impacted ICAP in some unexpected way.
> 
> Also, if you are using SSL-Bump to enable virus scanning then 
> <https://github.com/squid-cache/squid/commit/debf3f17be7761ea4992864a828f42ee773dfbaf>
> might also be having effects.
> 
> HTH
> Amos

-- 
Gruß

  Dieter



[squid-users] After upgrade from squid6.6 to 6.8 we have a lot of ICAP_ERR_OTHER and ICAP_ERR_GONE messages in icap logfiles

2024-03-11 Thread Dieter Bloms
Hello,

after an upgrade from squid6.6 to squid6.8 on a debian bookworm we have a lot
of messages of the type:

ICAP_ERR_GONE/000
ICAP_ERR_OTHER/200
ICAP_ERR_OTHER/408
ICAP_ERR_OTHER/204

and some of our users complain about bad performance and some get "empty
pages".
Unfortunately it is not deterministic, the page will appear the next
time it is called up. I can't see anything conspicuous in the cache.log.

There was no change to the virus scanner nor any change to the squid
config during the upgrade.

Here are the ICAP-specific config lines from squid:

--snip--
acl CONNECT method CONNECT
acl withoutvirusscanner.dstnames dstdomain 
"/etc/squid/withoutvirusscanner.dstnames"
acl audio rep_mime_type ^audio/
acl audio rep_mime_type ^video/

icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_service_failure_limit -1
icap_service_revival_delay 30
logformat icap_debug %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::


Re: [squid-users] New Squid prefers IPv4

2024-02-05 Thread Dieter Bloms
Hello Rob,

On Mon, Feb 05, Rob van der Putten wrote:

> After upgrading Squid from 3 to 5 the percentage of IPv6 reduced from 61% to
> less then 1%.
> Any ideas?

yes, since squid5 the Happy Eyeballs algorithm as described in RFC 8305
is used.
If your IPv4 connectivity is better than IPv6, then IPv4 is used.

-- 
Regards

  Dieter


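The Happy Eyeballs selection described in this reply and in the dual-stack thread above, as an added Python illustration that is not Squid's own (C++) implementation: resolved addresses are interleaved with IPv6 first, attempts are started 250 ms apart as RFC 8305 recommends, and the first connection to complete wins. The connect function is injectable, so the demo uses simulated latencies on documentation addresses (constructed) to show IPv4 winning whenever the IPv6 path answers more slowly.

```python
"""Simplified Happy Eyeballs v2 (RFC 8305) connection racing: resolved
addresses are interleaved by family with IPv6 first and attempts are started
250 ms apart, so the family whose path answers first wins. Added example."""
import queue
import socket
import threading
import time

# Constructed sample: the A and AAAA answers for one name (documentation prefixes).
SAMPLE_ADDRESSES = [
    (socket.AF_INET, "192.0.2.10"),
    (socket.AF_INET, "192.0.2.11"),
    (socket.AF_INET6, "2001:db8::10"),
    (socket.AF_INET6, "2001:db8::11"),
]


def interleave_addresses(addresses, first_family=socket.AF_INET6):
    """RFC 8305 section 4: alternate address families, preferred family first."""
    preferred = [a for a in addresses if a[0] == first_family]
    other = [a for a in addresses if a[0] != first_family]
    ordered = []
    while preferred or other:
        if preferred:
            ordered.append(preferred.pop(0))
        if other:
            ordered.append(other.pop(0))
    return ordered


def tcp_connect(family, host, port, timeout=5.0):
    """Real connection attempt (default connect_fn); raises OSError on failure."""
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))


def happy_eyeballs_connect(addresses, port, connect_fn=tcp_connect,
                           attempt_delay=0.25, overall_timeout=5.0):
    """Race connection attempts; return (family, host) of the first success,
    or None if every attempt failed or the overall timeout expired."""
    ordered = interleave_addresses(addresses)
    results = queue.Queue()
    deadline = time.monotonic() + overall_timeout
    started = 0   # attempts launched so far
    pending = 0   # attempts launched but not yet reported

    def attempt(family, host):
        try:
            connect_fn(family, host, port)
            results.put((family, host, True))
        except OSError:
            results.put((family, host, False))

    while True:
        if started < len(ordered):
            family, host = ordered[started]
            started += 1
            pending += 1
            threading.Thread(target=attempt, args=(family, host), daemon=True).start()
            wait = attempt_delay      # next attempt starts after the stagger delay
        elif pending == 0:
            return None               # everything has failed
        else:
            wait = None               # all launched; wait for the stragglers
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        timeout = remaining if wait is None else min(wait, remaining)
        try:
            family, host, ok = results.get(timeout=timeout)
        except queue.Empty:
            continue                  # stagger delay elapsed: launch the next attempt
        pending -= 1
        if ok:
            return (family, host)
        # a failure: loop round and launch the next attempt immediately


def simulated_connect(latency):
    """Build a connect_fn from a {host: seconds-or-None} table (None = refused)."""
    def connect_fn(family, host, port):
        delay = latency[host]
        if delay is None:
            raise OSError("connection refused (simulated)")
        time.sleep(delay)
    return connect_fn


def demo_slow_ipv6():
    """IPv6 path answers after 0.6 s while IPv4 answers in 50 ms: IPv4 wins."""
    table = {"2001:db8::10": 0.6, "2001:db8::11": 0.6,
             "192.0.2.10": 0.05, "192.0.2.11": 0.05}
    return happy_eyeballs_connect(SAMPLE_ADDRESSES, 443, simulated_connect(table))


def demo_healthy_ipv6():
    """Both families answer fast: IPv6 was launched first, so it wins."""
    table = {host: 0.05 for _, host in SAMPLE_ADDRESSES}
    return happy_eyeballs_connect(SAMPLE_ADDRESSES, 443, simulated_connect(table))


if __name__ == "__main__":
    print("slow IPv6:   ", demo_slow_ipv6())     # (AF_INET, '192.0.2.10')
    print("healthy IPv6:", demo_healthy_ipv6())  # (AF_INET6, '2001:db8::10')
```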

[squid-users] does the logging of cache.log support the log modules like daemon, syslog, udp ...

2024-02-01 Thread Dieter Bloms
Hello,

I would like to run squid in a Kubernetes environment.
I can simply send the access.log outside the container with the syslog module.
I have tried it with the cache.log, but unfortunately I don't see any log 
entries from the cache.log. The access.log lines are transmitted:

--snip--
# send the logs to rsyslog (rsyslog will forward the logs to external syslog 
server)
access_log syslog:local1.info keyvalue
cache_log syslog:local2.info
--snip--

Is it possible to send the cache.log to the syslog socket /dev/log?

-- 
Regards

  Dieter



[squid-users] 2 year old security bugs not fixed?

2023-10-13 Thread Dieter Bloms
Hello,

I stumbled across this page
https://joshua.hu/squid-security-audit-35-0days-45-exploits and wonder
if all these security holes are really still there.

Can someone from the developers give a status?

Thank you very much.

-- 
Regards

  Dieter



[squid-users] trickling support in squid as icap client

2023-06-30 Thread Dieter Bloms
Hello,

we are currently using Squid with an ICAP virus scanner, which is capable
of trickling.
There are many manufacturers who support the ICAP protocol but not trickling.

Therefore, in my opinion, it would make sense if squid supported trickling as
an ICAP client.

Then you could use any ICAP virus scanner independently of the trickling support of
the scanner.

What do you think about the idea?

-- 
Regards

  Dieter



[squid-users] is it possible to restrict the use of websocket for security reason?

2023-01-13 Thread Dieter Bloms
Hello,

is it possible to restrict the use of WebSockets for security reasons, like
preventing long-lived WebSocket communication or defining a limit for the total size
of transferred payload?

-- 
Regards

  Dieter



[squid-users] TLS client hello tls1.0 even with options "tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1"

2022-12-12 Thread Dieter Bloms
Hello,

I've enabled sslbump and configured the following outgoing tls options:

tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1 
cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA

so for me it looks like squid must not use TLS 1.1 or TLS 1.0.
But for some web sites like
https://www.europarl.europa.eu/doceo/document/LIBE-OJ-2022-12-12-1_EN.html
the first request is made with a TLS 1.0 client hello packet.
When I reload the page the proxy server sends a TLS 1.2 client hello and the
website is shown as expected.

So what option can be used to force a minimum TLS 1.2 client hello packet every
time?

Here is a link to the pcap file with both variants: 
https://bloms.de/download/www.europarl.europa.eu.pcap


-- 
Regards

  Dieter



[squid-users] does squid 5.7 support HTTP/2 protocol

2022-11-18 Thread Dieter Bloms
Hello,

does squid 5.7 support the HTTP/2.0 protocol?
From https://wiki.squid-cache.org/Features/HTTP2 it seems some work has
been done, but not all.
But sometimes the documentation is outdated, so I hope it is outdated and squid
does support HTTP/2.

-- 
Regards

  Dieter



Re: [squid-users] squid 5.7: can't access https://www.ilo.org/global/lang--en/index.htm with enabled sslbump, without sslbump it works

2022-11-14 Thread Dieter Bloms
Hello Amos,

On Sat, Nov 12, Amos Jeffries wrote:

> On 12/11/2022 2:49 am, Dieter Bloms wrote:
> > Hello,
> > 
> > I'm using squid 5.7 with enabled sslbump and can't reach the website 
> > https://www.ilo.org/global/lang--en/index.htm
> > I get an error of type ERR_INVALID_RESP, but when I disable sslbump the
> > webcontent is shown in the browser.
> > 
> > Can anybody confirm this and tell me what causes this problem?
> 
> TLS is complicated. SSL-Bump even more so. It is unlikely everyone else has
> exactly the same things occurring, even if they have the same squid.conf
> settings.
> 
> You need to look at what the ERR_INVALID_RESP actually says is wrong with
> the server response.
> Then check the Squid cache.log. You may need to set "debug_options 11,2" to get a
> trace of the HTTP messages and see what is going on.

Thank you for your reply!
I've increased the debug level, but can't find any reason why squid
responds with ERR_INVALID_RESP.

Maybe someone with more knowledge can find the reason in the cache.log.
It can be found here: https://bloms.de/download/cache.log.gz


-- 
Gruß

  Dieter



[squid-users] squid 5.7: can't access https://www.ilo.org/global/lang--en/index.htm with enabled sslbump, without sslbump it works

2022-11-11 Thread Dieter Bloms
Hello,

I'm using squid 5.7 with enabled sslbump and can't reach the website 
https://www.ilo.org/global/lang--en/index.htm
I get an error of type ERR_INVALID_RESP, but when I disable sslbump the
webcontent is shown in the browser.

Can anybody confirm this and tell me what causes this problem?


-- 
Regards

  Dieter



Re: [squid-users] got error page type ERR_READ_ERROR, when a dnslabel can not be resolved

2022-10-10 Thread Dieter Bloms
Hello Alex,

thank you for the quick answer!

On Mon, Oct 10, Alex Rousskov wrote:

> On 10/10/22 04:05, Dieter Bloms wrote:
> 
> > since squid 5.7 I get the error page of type ERR_READ_ERROR, when a dns
> > label can not be resolved (for example https://dnslabeldoesnotexist.com/).
> > I expect the error page of type ERR_DNS_FAIL instead of ERR_READ_ERROR.
> > 
> > Can somebody confirm this behavior?
> 
> I cannot quickly confirm or deny that specific behavior in v5, but I
> recently spotted[1] bugs/deficiencies in error relaying master/v6-based code
> that result in ERR_READ_ERROR instead of ERR_DNS_FAIL or, at the very least,
> ERR_CANNOT_FORWARD. Sounds like v5 needs similar fixes.
> 
> Do you use SslBump to handle that HTTPS site?

yes, sslbump is enabled on our proxy server.

-- 
regards

  Dieter



[squid-users] got error page type ERR_READ_ERROR, when a dnslabel can not be resolved

2022-10-10 Thread Dieter Bloms
Hello,

since squid 5.7 I get the error page of type ERR_READ_ERROR, when a dns
label can not be resolved (for example https://dnslabeldoesnotexist.com/).
I expect the error page of type ERR_DNS_FAIL instead of ERR_READ_ERROR.

Can somebody confirm this behavior?

-- 
Regards

  Dieter Bloms



[squid-users] got many messages after upgrade from 4.16 to 5.1: assertion failed: Transients.cc:221: "old == e"

2021-09-21 Thread Dieter Bloms
Hello,

I did an upgrade from squid 4.16 and got many messages like: assertion failed:
Transients.cc:221: "old == e"
and it seems that the children crash and restart:

--snip--
2021/09/20 04:37:47 kid2| assertion failed: Transients.cc:221: "old == e"
current master transaction: master368193
2021/09/20 04:37:49 kid2| Set Current Directory to /var/cache/squid
2021/09/20 04:37:49 kid2| Starting Squid Cache version 5.1 for 
x86_64-pc-linux-gnu...
2021/09/20 04:37:49 kid2| Service Name: squid
2021/09/20 04:37:49 kid2| Process ID 63991
2021/09/20 04:37:49 kid2| Process Roles: worker
2021/09/20 04:37:49 kid2| With 1048576 file descriptors available
--snip--

This proxy hasn't enabled sslbump and we don't use any cache directory.
We only cache in memory for performance reasons.

Is this a known issue, or shall I open a bug report?


-- 
regards

  Dieter



[squid-users] Proxy Authentication optional

2021-07-24 Thread Dieter Bloms
Hello,

I want to implement user authentication (kerberos) on an already existing
proxy system without user authentication.
But I know that there are clients which can't do any authentication.

So is it possible to configure squid so that it asks for proxy
authentication credentials but, if the client can't authenticate, skips
this ACL and goes on with the next ACLs?

I tried something like this, but without success:

--snip--
# kerberos authentication 
auth_param negotiate program /usr/sbin/negotiate_kerberos_auth -s 
HTTP/www-proxy.mydomain -k /etc/squid/HTTP.keytab
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerberosauth proxy_auth REQUIRED

acl noauth_port localport 8880

acl give_access any-of kerberosauth noauth_port
http_access allow give_access
--snip--


-- 
Regards

  Dieter



[squid-users] Is it possible to force some dstdomain to ipv4 protocol without define an outgoing ip address ?

2021-06-09 Thread Dieter Bloms
Hello,

I use squid 4.15 and want to configure it to connect to some destinations
via IPv4.

I know about the tcp_outgoing_address option, but my outgoing IPv4 and
IPv6 addresses change every day.

So is there an option like:

acl myipv4onlydest dstdomain .example1.com .example2.com
tcp_outgoing_protocol ipv4 myipv4onlydest


-- 
Regards

  Dieter



Re: [squid-users] SSL_Bump not working correctly for IP destiantions like https:/1.1.1.1/

2021-05-20 Thread Dieter Bloms
Hello Alex,

thank you for the fast response.

On Thu, May 20, Alex Rousskov wrote:

> On 5/20/21 8:12 AM, Dieter Bloms wrote:
> 
> > I've a working setup with squid 4.14 and enabled sslbump under debian 
> > buster.
> > But when I try destinations like https://1.1.1.1/ I get an error 
> > ERR_CERT_COMMON_NAME_INVALID
> > 
> > The alternate DNS names in the certificate of the original webserver are:
> > 
> > X509v3 Subject Alternative Name: 
> > DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, 
> > IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP 
> > Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:, IP 
> > Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, 
> > IP Address:2606:4700:4700:0:0:0:0:6400
> > 
> > for the client using the proxy with sslbump it looks like:
> > 
> > X509v3 Subject Alternative Name: 
> > DNS:1.1.1.1
> > 
> > so the SAN is a DNS and not an IP Address one.
> > I think it has to be something like this:
> > 
> > X509v3 Subject Alternative Name: 
> > IP Address:1.1.1.1
> > 
> > Can someone confirm this, or do I have a mistake in my squid configuration?
> 
> If this happens on an otherwise successful HTTP response (not an error
> page), then I would suspect a Squid bug (or insufficient support for
> X509v3 extensions).

The chrome browser shows me this error page, but you are right, it is an
error page of squid with SQUID_X509_V_ERR_DOMAIN_MISMATCH.
So it looks like insufficient support for X509v3 extensions.
I filed a bug report https://bugs.squid-cache.org/show_bug.cgi?id=5130

> > Here are some ssl_bump related details of my config:
> > 
> > http_port MYIP:8080 ssl-bump generate-host-certificates=on 
> > dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem 
> > key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> > http_port MYIP:8880 ssl-bump generate-host-certificates=on 
> > dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem 
> > key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> > sslcrtd_program /usr/sbin/security_file_certgen -s 
> > /var/cache/squid/sslcert_db -M 32MB
> > sslcrtd_children 32 startup=10 idle=3
> > tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
> > ssl_bump peek step1
> > ssl_bump stare all
> > ssl_bump bump all
> > 
> > 
> 

-- 
Gruß

  Dieter



[squid-users] SSL_Bump not working correctly for IP destiantions like https:/1.1.1.1/

2021-05-20 Thread Dieter Bloms
Hello,

I've a working setup with squid 4.14 and enabled sslbump under debian buster.
But when I try destinations like https://1.1.1.1/ I get an error 
ERR_CERT_COMMON_NAME_INVALID

The alternate DNS names in the certificate of the original webserver are:

X509v3 Subject Alternative Name: 
DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP 
Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP 
Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:, IP 
Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, IP 
Address:2606:4700:4700:0:0:0:0:6400

for the client using the proxy with sslbump it looks like:

X509v3 Subject Alternative Name: 
DNS:1.1.1.1

so the SAN is a DNS and not an IP Address one.
I think it has to be something like this:

X509v3 Subject Alternative Name: 
IP Address:1.1.1.1

Can someone confirm this, or do I have a mistake in my squid configuration?

Here are some ssl_bump related details of my config:

http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
http_port MYIP:8880 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all


-- 
Regards

  Dieter

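The SAN type mismatch described in this message, as an added example that is not part of the original post or of Squid: a small stdlib-only Python matcher that applies the client-side rule (an IP-literal target is satisfied only by an IP Address entry, RFC 2818 section 3.1; hostnames match DNS entries with at most one leftmost wildcard label) to the two SAN lists quoted above. The SAN tuples are constructed from the openssl output in the post (the truncated IPv6 entry is left out), and `required_san_entry` is a helper written for this example to show which entry kind a generated leaf needs for a given target.

```python
"""Does a certificate's Subject Alternative Name cover what the client
connected to?  Added example for the thread above; it is not Squid code.

Certificates are represented in the shape Python's
ssl.SSLSocket.getpeercert() returns for the 'subjectAltName' key: a tuple
of ('DNS', name) / ('IP Address', address) pairs.  Every SAN below is
constructed from the openssl output quoted in the message; nothing is
fetched from the network.
"""
import ipaddress

# Constructed: SAN of the origin certificate for 1.1.1.1, per the post.
ORIGIN_SAN = (
    ("DNS", "cloudflare-dns.com"),
    ("DNS", "*.cloudflare-dns.com"),
    ("DNS", "one.one.one.one"),
    ("IP Address", "1.1.1.1"),
    ("IP Address", "1.0.0.1"),
    ("IP Address", "162.159.36.1"),
    ("IP Address", "162.159.46.1"),
    ("IP Address", "2606:4700:4700:0:0:0:0:1001"),
)

# Constructed: SAN of the certificate Squid generated for the client, per the post.
BUMPED_SAN = (("DNS", "1.1.1.1"),)


def _dns_match(pattern, hostname):
    """RFC 6125-style DNS-ID matching: case-insensitive, and a wildcard is
    accepted only as the whole leftmost label of a pattern with at least
    three labels, matching exactly one label (so "*.com" never matches and
    "*.example.com" does not match "a.b.example.com")."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _as_ip(text):
    """Return an ip_address for an IP literal (with or without [] brackets),
    or None when the text is a hostname."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def san_covers(san, target):
    """True if `san` covers `target` the way a browser checks it.

    An IP-literal target is satisfied only by an 'IP Address' entry with an
    equal address; a 'DNS' entry whose text merely looks like the IP does
    not count.  That is why the client in the thread rejects a bumped
    certificate carrying DNS:1.1.1.1.
    """
    target_ip = _as_ip(target)
    for kind, value in san:
        if target_ip is not None:
            if kind == "IP Address" and _as_ip(value) == target_ip:
                return True
        elif kind == "DNS" and _dns_match(value, target):
            return True
    return False


def required_san_entry(target):
    """Hypothetical helper for this example: the one SAN entry a generated
    leaf certificate needs so that a client connecting to `target` accepts
    it -- an 'IP Address' entry for an IP literal, a 'DNS' entry otherwise."""
    target_ip = _as_ip(target)
    if target_ip is not None:
        return ("IP Address", str(target_ip))
    return ("DNS", target.lower().rstrip("."))


if __name__ == "__main__":
    for san, label in ((ORIGIN_SAN, "origin"), (BUMPED_SAN, "bumped")):
        print(label, "covers 1.1.1.1:", san_covers(san, "1.1.1.1"))
    print("bumped leaf needs:", required_san_entry("1.1.1.1"))
```

Run stand-alone it prints that the origin SAN covers 1.1.1.1, the bumped SAN does not, and that the generated leaf needs an `IP Address:1.1.1.1` entry, which is the configuration question the message raises.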


Re: [squid-users] chromium based browsers don't play a video, when sslbump is enabled

2021-01-20 Thread Dieter Bloms
Hello Eliezer,

I've tested with chrome 87.0.4280.141 and Edge 87.0.664.75.

On Wed, Jan 20, Eliezer Croitoru wrote:

> It's not clear if only Chromium or also a simple Chrome.
> 
> Thanks,
> Eliezer
> 
> 
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com
> Zoom: Coming soon
> 
> 
> -Original Message-
> From: squid-users  On Behalf Of 
> Dieter Bloms
> Sent: Wednesday, January 20, 2021 1:26 PM
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] chromium based browsers don't play a video, when 
> sslbump is enabled
> 
> Hello,
> 
> I use squid 4.13 with enabled sslbump.
> Chromium based browsers like chrome and edge don't play this video
> https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4
> The firefox browser and the old internet explorer have no problems.
> 
> When I disable sslbumping for this destination the chromium based
> browsers work as well.
> 
> Here are some parts of my config:
> 
> --snip--
> http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
> sslcrtd_children 32 startup=10 idle=3
> tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
> tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1
> 
> acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"
> ssl_bump splice nobumping
> ssl_bump bump all
> --snip--
> 
> with wget or curl I can download the mp4 file in both cases (with and
> without sslbump)
> 
> Can anybody try to view the video in a chromium based browser with enabled
> sslbump?
> 
> Thank you very much.
> 
> 
> -- 
> Regards
> 
>   Dieter
> 

-- 
Gruß

  Dieter



[squid-users] chromium based browsers don't play a video, when sslbump is enabled

2021-01-20 Thread Dieter Bloms
Hello,

I use squid 4.13 with enabled sslbump.
Chromium based browsers like chrome and edge don't play this video
https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4
The firefox browser and the old internet explorer have no problems.

When I disable sslbumping for this destination the chromium based
browsers work as well.

Here are some parts of my config:

--snip--
http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1

acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"
ssl_bump splice nobumping
ssl_bump bump all
--snip--

with wget or curl I can download the mp4 file in both cases (with and
without sslbump)

Can anybody try to view the video in a chromium based browser with enabled
sslbump?

Thank you very much.


-- 
Regards

  Dieter



Re: [squid-users] Incomplete Certificate Chain for wiki.squid-cache.org

2021-01-14 Thread Dieter Bloms
Hello Amos,

On Thu, Jan 14, Amos Jeffries wrote:

> On 13/01/21 11:27 pm, Dieter Bloms wrote:
> > Hello,
> > 
> > the wiki of squid cache project (wiki.squid-cache.org) has an incomplete
> > certificate chain.
> > I can't access the website with enabled sslbump and tlsv1.3 support,
> > because squid isn't able to download the missing intermediate
> > certificate on its own.
> 
> What version of Squid are you using?

we use squid 4.13 and it works for tls version <1.3
 
> These certificates generated by LetsEncrypt use the AIA mechanism which
> latest Squid versions should be downloading intermediate certs as-needed.

but for TLS 1.3 it doesn't work, because the certificate is encrypted.
Please have a look at the bug report
https://bugs.squid-cache.org/show_bug.cgi?id=5067


-- 
Gruß

  Dieter



[squid-users] Incomplete Certificate Chain for wiki.squid-cache.org

2021-01-13 Thread Dieter Bloms
Hello,

the wiki of the squid cache project (wiki.squid-cache.org) has an incomplete
certificate chain.
I can't access the website with sslbump and tlsv1.3 support enabled,
because squid isn't able to download the missing intermediate
certificate on its own.

The administrator of that website should add the intermediate
certificate.

More info can be seen here:
https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid%2dcache.org


-- 
Regards

  Dieter Bloms



Re: [squid-users] squid doesn't fetch the intermediate certificate for some sites

2020-07-21 Thread Dieter Bloms
Hello Matus,

thank you for your answer.

On Tue, Jul 21, Matus UHLAR - fantomas wrote:

> On 21.07.20 09:41, Dieter Bloms wrote:
> > we use the sslbump feature and it works very well.
> > But some sites can't be reached because of missing intermediate
> > certificate.
> > 
> > In squid.conf we have configured the following parameters:
> > 
> > --snip--
> > # allow fetching of missing intermediate certificates
> > acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> > http_access allow fetch_intermediate_certificate
> > cache allow fetch_intermediate_certificate
> > cache deny all
> > --snip--
> > 
> > and fetching the intermediate certificate works for sites like: 
> > https://incomplete-chain.badssl.com/
> > 
> > but for some sites like https://mycase.cloudapps.cisco.com/
> > squid doesn't fetch the intermediate certificate and returns 
> > X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
> > 
> > In my eyes the certificate of mycase.cloudapps.cisco.com contains an AiA
> > record.
> > 
> > output of openssl on certificate of mycase.cloudapps.cisco.com
> > --snip--
> >     Authority Information Access:
> >         CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
> >         OCSP - URI:http://ocsp.quovadisglobal.com
> > --snip--
> > 
> > so does anybody see what's the reason, why squid doesn't download the
> > intermediate certificate for mycase.cloudapps.cisco.com ?
> 
> squid can't download certificates other than the website provides.

that's not true:

from site: https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
"Squid-4 is capable of downloading missing intermediate CA certificates,
like popular browsers do."

> if a website does not provide valid certificate chain, it's up to the client
> to produce an error. With browser, you can allow the certificate explicitly.

with sslbump the browser doesn't see the origin webserver certificate,
but sees the one squid created.

> It is also possible that browser has the intermediate certificate
> remembered.

as I already wrote, we use sslbump.

> testing certificate for mycase.cloudapps.cisco.com shows only one
> certificate I can see:
> 
> Certificate chain
> 0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = 
> mycase.cloudapps.cisco.com
>   i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL 
> ICA G2
> 
> the HydrantID SSL ICA G2 certificate seems to be missing here.
> 
> 
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Windows 2000: 640 MB ought to be enough for anybody

-- 
Gruß

  Dieter



[squid-users] squid doesn't fetch the intermediate certificate for some sites

2020-07-21 Thread Dieter Bloms
Hello,

we use the sslbump feature and it works very well.
But some sites can't be reached because of a missing intermediate
certificate.

In squid.conf we have configured the following parameters:

--snip--
# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate
cache deny all
--snip--

and fetching the intermediate certificate works for sites like: 
https://incomplete-chain.badssl.com/

but for some sites like https://mycase.cloudapps.cisco.com/
squid doesn't fetch the intermediate certificate and returns 
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

In my eyes the certificate of mycase.cloudapps.cisco.com contains an AIA
record.

output of openssl on the certificate of mycase.cloudapps.cisco.com
--snip--
Authority Information Access:
    CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
    OCSP - URI:http://ocsp.quovadisglobal.com
--snip--

so does anybody see the reason why squid doesn't download the
intermediate certificate for mycase.cloudapps.cisco.com?


-- 
Regards

  Dieter Bloms

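The name-chaining step behind X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and the AIA lookup this message asks about, as an added example that is not part of the original post or of Squid. It is stdlib Python that walks a presented chain leaf-first, finds the first certificate whose issuer is neither the next presented certificate nor a trusted root, and reports the CA Issuers URL from that certificate's AIA extension. The leaf is constructed from the openssl output above; the intermediate, the root name and the trust store are placeholders because the post does not show them. The code compares names only (no signature checks), and treats only plain-http pointers as fetchable, which is a choice made for this example rather than a Squid rule. In Squid the fetch itself is an HTTP transaction, which is why the `http_access allow fetch_intermediate_certificate` rule in the config above has to permit it.

```python
"""Where does a presented certificate chain break, and which AIA
"CA Issuers" URL would close the gap?  Added example for the thread
above; it is not Squid code and performs no signature checks, only the
name chaining a fetcher has to do before deciding what to download.

Each certificate is a dict with the keys 'subject', 'issuer' and
'caIssuers', mirroring ssl.SSLSocket.getpeercert(); names are kept as
plain strings for readability.  The leaf is constructed from the openssl
output quoted in the message; the intermediate and the root are
placeholders, because the post does not show them.
"""
from urllib.parse import urlsplit

HYDRANT_ICA = "CN=HydrantID SSL ICA G2,O=HydrantID (Avalanche Cloud Corporation),C=US"
ROOT_PLACEHOLDER = "CN=Example Root CA (placeholder, not from the post)"

# Constructed from the post: the leaf, with its AIA CA Issuers pointer.
LEAF = {
    "subject": 'CN=mycase.cloudapps.cisco.com,O="Cisco Systems, Inc.",L=San Jose,ST=California,C=US',
    "issuer": HYDRANT_ICA,
    "caIssuers": ("http://trust.quovadisglobal.com/hydsslg2.crt",),
}
# Constructed placeholder: the intermediate the server failed to send.
INTERMEDIATE = {
    "subject": HYDRANT_ICA,
    "issuer": ROOT_PLACEHOLDER,
    "caIssuers": (),
}
# Constructed trust store: subjects of the roots the proxy trusts.
TRUSTED_SUBJECTS = {ROOT_PLACEHOLDER}


def chain_gap(presented, trusted_subjects):
    """Walk the chain as presented (leaf first).

    Returns None when every link reaches either the next presented
    certificate or a trusted subject, otherwise (index, issuer_name,
    aia_urls) for the first certificate whose issuer is missing.  That
    missing link is the condition the post reports as
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
    """
    if not presented:
        raise ValueError("empty chain")
    for i, cert in enumerate(presented):
        issuer = cert["issuer"]
        if issuer in trusted_subjects:
            return None
        following = presented[i + 1] if i + 1 < len(presented) else None
        if following is None or following["subject"] != issuer:
            return (i, issuer, tuple(cert.get("caIssuers", ())))


def fetchable_aia_urls(urls):
    """Keep only plain-http CA Issuers URLs.  Public CAs publish these
    pointers over http; fetching one over https would first require
    verifying yet another certificate, so this example refuses https and
    ldap pointers (a design choice here, not a Squid rule)."""
    return tuple(u for u in urls if urlsplit(u).scheme == "http")


def missing_issuer_fetch_plan(presented, trusted_subjects):
    """Summarise what a fetcher would do: None if the chain is complete,
    otherwise the issuer name it lacks and the URLs it may fetch it from."""
    gap = chain_gap(presented, trusted_subjects)
    if gap is None:
        return None
    _, issuer, urls = gap
    return {"missing_issuer": issuer, "fetch_from": fetchable_aia_urls(urls)}


if __name__ == "__main__":
    # Server sends only the leaf: the gap is at index 0, fetch from AIA.
    print(missing_issuer_fetch_plan([LEAF], TRUSTED_SUBJECTS))
    # Server sends leaf + intermediate: chain reaches the trusted root.
    print(missing_issuer_fetch_plan([LEAF, INTERMEDIATE], TRUSTED_SUBJECTS))
```

The first call reproduces the situation in the post (only the leaf is presented, so the HydrantID intermediate must be fetched from the CA Issuers URL); the second shows the same chain once the intermediate is supplied. Note that an intermediate with the wrong subject does not close the gap: the walk compares the exact issuer name, not merely the chain length.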


[squid-users] print errormessage (like %E in ERR_* pages) in squid logfile ?

2020-06-17 Thread Dieter Bloms
Hello,

more and more clients aren't browsers but programs which call a
REST API through our squid proxy.

Those clients aren't able to show the error page (ERR_*) from the proxy in
case the request wasn't successful for any reason.

I added %err_code and %err_detail, but %err_detail is filled with a "-" sign
all the time in the logfiles.

For example:
If the connection to a webserver fails, %err_code is filled with
ERR_CONNECT_FAIL, but %err_detail is filled with "-" instead of the message
"(110) Connection timed out"

Is it possible to log the error message like %E in the error pages?

Thank you very much.


-- 
Regards

  Dieter



[squid-users] get no content for https://wiki.squid-cache.org/SquidFaq/SquidLogs

2020-06-16 Thread Dieter Bloms
Hello,

I get no content for https://wiki.squid-cache.org/SquidFaq/SquidLogs.
I get 504 Gateway Timeout:

--snip--
Gateway Timeout
The gateway did not receive a timely response from the upstream server or 
application.

Apache/2.4.18 (Ubuntu) Server at wiki.squid-cache.org Port 443
--snip--


-- 
Regards

  Dieter Bloms



Re: [squid-users] sometimes intermediate certificates were not downloaded when using sslbump

2020-04-08 Thread Dieter Bloms
Hello Louis,

thank you for your answer.

It is not my webserver. I am a user who wants to connect to the webserver.
I know that the certificate chain is incomplete.
As far as I know squid should be able to fetch the missing intermediate
certificates on its own with the help of Authority Information Access (AIA)
to get the complete list.
So squid should be able to verify the server certificate even if the
webserver doesn't deliver the intermediate certificates.

On Wed, Apr 08, L.P.H. van Belle wrote:

> This is a simple one. 
> 
> The certificate chain of that website is incorrect. 
> As shown here : 
> https://www.ssllabs.com/ssltest/analyze.html?d=www.formulare%2dbfinv.de
>  
> 
> Check your webserver first and correct your ciphers in your apache webserver. 
> 
> Greetz, 
> 
> Louis
>  
> 
> > -Original Message-
> > From: squid-users 
> > [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Dieter Bloms
> > Sent: Wednesday, 8 April 2020 13:37
> > To: squid-users@lists.squid-cache.org
> > Subject: [squid-users] sometimes intermediate certificates 
> > were not downloaded when using sslbump
> > 
> > Hello,
> > 
> > I use a self compiled squid 4.10 compiled as follows:
> > 
> > ~# squid --version
> > Squid Cache: Version 4.10
> > Service Name: squid
> > 
> > This binary uses OpenSSL 1.1.1d  10 Sep 2019. For legal 
> > restrictions on distribution see 
> > https://www.openssl.org/source/license.html
> > 
> > configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' 
> > '--bindir=/usr/sbin' '--sbindir=/usr/sbin' 
> > '--localstatedir=/var' '--libexecdir=/usr/sbin' 
> > '--datadir=/usr/share/squid' '--mandir=/usr/share/man' 
> > '--with-default-user=squid' '--with-filedescriptors=131072' 
> > '--with-logdir=/var/log/squid' '--disable-auto-locale' 
> > '--disable-auth-negotiate' '--disable-auth-ntlm' 
> > '--disable-eui' '--disable-carp' '--disable-htcp' 
> > '--disable-ident-lookups' '--disable-loadable-modules' 
> > '--disable-translation' '--disable-wccp' '--disable-wccpv2' 
> > '--enable-async-io=128' '--enable-auth' 
> > '--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP 
> > file' '--enable-epoll' '--enable-log-daemon-helpers=file' 
> > '--enable-icap-client' '--enable-inline' '--enable-snmp' 
> > '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' 
> > '--enable-storeio=ufs,aufs,rock' '--enable-referer-log' 
> > '--enable-useragent-log' '--enable-large-cache-files' 
> > '--enable-removal-policies=lru,heap' 
> > '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl'
> > 
> > in squid.conf I set the following acl at the very beginning of the acl section:
> > 
> > # allow fetching of missing intermediate certificates
> > acl fetch_intermediate_certificate transaction_initiator 
> > certificate-fetching
> > cache allow fetch_intermediate_certificate
> > cache deny all
> > http_access allow fetch_intermediate_certificate
> > 
> > and squid fetches intermediate certificates for websites 
> > like: https://incomplete-chain.badssl.com/
> > But squid doesn't fetch the intermediate certificates for the 
> > site https://www.formulare-bfinv.de/
> > and I don't know why.
> > 
> > I checked all AIA entries in the certificates and it looks good to me.
> > 
> > Can anybody try the site https://www.formulare-bfinv.de/ with 
> > enabled sslbump,
> > so I can see whether my installation is broken or the 
> > webserver configuration isn't correct?
> > 
> > Thank you very much.
> > 
> > -- 
> > Best regards
> > 
> >   Dieter Bloms
> > 

-- 
Gruß

  Dieter



[squid-users] sometimes intermediate certificates were not downloaded when using sslbump

2020-04-08 Thread Dieter Bloms
Hello,

I use a self compiled squid 4.10 compiled as follows:

~# squid --version
Squid Cache: Version 4.10
Service Name: squid

This binary uses OpenSSL 1.1.1d  10 Sep 2019. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' 
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' 
'--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' 
'--with-default-user=squid' '--with-filedescriptors=131072' 
'--with-logdir=/var/log/squid' '--disable-auto-locale' 
'--disable-auth-negotiate' '--disable-auth-ntlm' '--disable-eui' 
'--disable-carp' '--disable-htcp' '--disable-ident-lookups' 
'--disable-loadable-modules' '--disable-translation' '--disable-wccp' 
'--disable-wccpv2' '--enable-async-io=128' '--enable-auth' 
'--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP file' 
'--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' 
'--enable-inline' '--enable-snmp' 
'--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' 
'--enable-storeio=ufs,aufs,rock' '--enable-referer-log' 
'--enable-useragent-log' '--enable-large-cache-files' 
'--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded-for' 
'--enable-ssl-crtd' '--with-openssl'

in squid.conf I set the following acl at the very beginning of the acl section:

# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
cache allow fetch_intermediate_certificate
cache deny all
http_access allow fetch_intermediate_certificate

and squid fetches intermediate certificates for websites like: 
https://incomplete-chain.badssl.com/
But squid doesn't fetch the intermediate certificates for the site 
https://www.formulare-bfinv.de/
and I don't know why.

I checked all AIA entries in the certificates and it looks good to me.

Can anybody try the site https://www.formulare-bfinv.de/ with enabled sslbump,
so I can see whether my installation is broken or the webserver configuration
isn't correct?

Thank you very much.

-- 
Best regards

  Dieter Bloms



[squid-users] sslbump with pkcs11 possible ?

2020-02-12 Thread Dieter Bloms
Hello,

I have a working setup with openssl, which uses softhsm as the pkcs11
backend.
I can sign csr requests with the openssl command line tool.

Now I want to use this mechanism for squid ssl-bump.

Is it possible to use the pkcs11 mechanism with squid and openssl?
I tried something like:

http_port MYIP:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cacert.pem key=pkcs11:id=10 tls-dh=/etc/squid/dhparams.pem

but squid claims:

--snip--
2020/02/12 13:50:35| Initializing https:// proxy context
2020/02/12 13:50:35| Initializing http_port MYIP:3128 TLS contexts
2020/02/12 13:50:35| Using certificate in /etc/squid/cacert.pem
2020/02/12 13:50:35| Using certificate chain in /etc/squid/cacert.pem
2020/02/12 13:50:35| Adding issuer CA: /CN=dietershttpsca
2020/02/12 13:50:35| Using key in pkcs11:id=10
2020/02/12 13:50:35| WARNING: 'HTTP_port MYIP:3128' missing private key in 
'pkcs11:id=10'
2020/02/12 13:50:35| storeDirWriteCleanLogs: Starting...
2020/02/12 13:50:35|   Finished.  Wrote 0 entries.
2020/02/12 13:50:35|   Took 0.00 seconds (  0.00 entries/sec).
2020/02/12 13:50:35| FATAL: No valid signing certificate configured for 
HTTP_port MYIP:3128
2020/02/12 13:50:35| Squid Cache (Version 4.10): Terminated abnormally.
CPU Usage: 0.816 seconds = 0.812 user + 0.004 sys
Maximum Resident Size: 42240 KB
Page faults with physical i/o: 0
--snip--

Does anybody know whether squid supports it and, if so, how to configure it?


-- 
regards

  Dieter



[squid-users] sslbump with squid 4.9 and websockets doesn't work

2020-01-16 Thread Dieter Bloms
Hello,

I use squid 4.9 with enabled sslbump and it works great for most
websites.

There are some websites which use websockets, like web.whatsapp.com,
and cannot be reached with enabled sslbump.
When I exclude this destination from sslbump, I get the qrcode, which
can be scanned with the smartphone.
But if I've enabled sslbump, the qrcode doesn't appear and the browser
seems to hang.

The debugging window of my chrome browser reports stalled access to the URI
wss://web.whatsapp.com/ws

Does anybody know how to enable wss support in squid, so the website can
be reached even if sslbump is enabled?

I know that I can disable sslbump for this site, but there are more and
more sites which use websockets (wss://).
So I want to use a generic solution, without putting them one by one in
a list.

Thank you very much.


-- 
Regards

  Dieter



Re: [squid-users] AIA fetching in squid

2019-02-06 Thread Dieter Bloms
Hello,

On Wed, Feb 06, Yann Girardin wrote:

> I am using ssl bump and it works fine for a lot of SSL sites, but some of
> those are misconfigured and squid won't succeed to get the correct
> certificate, and gives me the following error:
> SEC_ERROR_UNKNOWN_ISSUER
> 
> Looking on the internet I understand that this is an SSL server
> misconfiguration, but I know that some browsers like safari and chrome
> implement AIA fetching to get the missing certificates
> using the information stored in the authority information access of the
> certificate.
> 
> Is there a way to activate this AIA fetching in squid or do I have to
> implement it myself using a helper with the sslcrtvalidator_program?

I've added these few lines:

--snip--
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate
cache deny all
--snip--


-- 
Regards

  Dieter



[squid-users] can't access https://www.finanzamt.bayern.de/ with sslbump (other sites works well)

2019-01-08 Thread Dieter Bloms
Hello,

I've compiled squid 4.5 with openssl 1.1 as shipped with debian 9.
Sslbump works fine for all sites, but I can't access only one site
https://www.finanzamt.bayern.de/
and don't know the reason.
Ssllabs gives "A".
Here are the squid compile options:

--snip--
Squid Cache: Version 4.5
Service Name: squid

This binary uses OpenSSL 1.1.0j  20 Nov 2018. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-linux-gnu' '--includedir=${prefix}/include' 
'--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' 
'--sysconfdir=/etc' '--libexecdir=${prefix}/lib/dv-squid4' '--srcdir=.' 
'--disable-maintainer-mode' '--disable-dependency-tracking' 
'--disable-silent-rules' '--prefix=/usr' '--sysconfdir=/etc/squid' 
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' 
'--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' 
'--with-default-user=squid' '--with-filedescriptors=65536' 
'--disable-auto-locale' '--disable-auth-negotiate' '--disable-auth-ntlm' 
'--disable-eui' '--disable-carp' '--disable-htcp' '--disable-ident-lookups' 
'--disable-loadable-modules' '--disable-translation' '--disable-wccp' 
'--disable-wccpv2' '--enable-async-io=128' '--enable-auth' 
'--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP file' 
'--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' 
'--enable-inline' '--enable-snmp' 
'--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' 
'--enable-storeio=ufs,aufs,rock' '--enable-referer-log' 
'--enable-useragent-log' '--enable-large-cache-files' 
'--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded-for' 
'--enable-ssl-crtd' '--with-openssl' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g 
-O2 -fdebug-prefix-map=/usr/src/packages/BUILD=. -fstack-protector-strong 
-Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 
-fdebug-prefix-map=/usr/src/packages/BUILD=. -fstack-protector-strong -Wformat 
-Werror=format-security' --enable-ltdl-convenience
--snip--

The access.log looks like:

--snip--
1546962078.461   4726 x.x.x.x NONE/200 0 CONNECT www.finanzamt.bayern.de:443 - HIER_DIRECT/193.34.207.31 -
1546962078.472      0 x.x.x.x NONE/500 8495 GET https://www.finanzamt.bayern.de/ - HIER_NONE/- text/html
--snip--

no entries in cache.log

Can anybody try this site to see whether it is my local installation or the
webserver?

Thank you very much.


-- 
Regards

  Dieter



[squid-users] Support for DistributionPoints in the dynamically created certificate via sslbump

2018-10-12 Thread Dieter Bloms
Hello,

we use the sslbump feature of squid, and it works very well.
One of our http clients expects a CRL distribution point in the dynamically
generated certificate.
I've set up a http server which delivers this crl list, but I don't know
how to configure squid to set this distribution point in every
dynamically generated certificate.

Does anybody know whether squid supports this feature?

Thank you very much.


-- 
Regards

  Dieter



[squid-users] squid 4.1 works great ;)

2018-07-11 Thread Dieter Bloms
Hi,

I have run squid 4.1 for several days in production and have to say it works
pretty well.
It is stable and it downloads the missing intermediate certificates
automatically.

Great work!

Thank you very much for this version.


-- 
Regards

  Dieter



Re: [squid-users] can squid use dns server on random port(non-53)?

2018-06-26 Thread Dieter Bloms
Hello,

On Tue, Jun 26, Gordon Hsiao wrote:

> checked the manual it seems I can only set dnsserver with a new IP, is it
> possible to make squid support non-standard DNS port, e.g. 5353?

maybe you can use a dns resolver like unbound, dnscache or dnsmasq,
which can be configured to listen on localhost port 53, so only squid can
access it via localhost and no other servers.
These dns resolvers can be configured to use a non-standard port like
5353 for the destination dns servers.

But in the past I've never seen a dns server listening on port 5353, so
maybe the setup is a little broken.


-- 
Regards

  Dieter



Re: [squid-users] native ftp and proxy authentication

2017-12-16 Thread Dieter Bloms
Hello Alex,

thank you for your answer!

On Fri, Dec 15, Alex Rousskov wrote:

> On 12/15/2017 03:53 AM, Dieter Bloms wrote:
> 
> > I use the native ftp support of squid-4.0.22 and it works well without proxy
> > authentication.
> 
> > I want to enable the proxy authentication, but don't know how to login
> > to the proxy with the native ftp client.
> 
> Does your native FTP client support FTP proxy authentication?

No it doesn't.
So it would be nice to have a solution, which works with every ftp
client.
I think about an option in squid.conf where I can configure the login
scheme, like proxyuser@ftpuser@ftpserver for the user login and
proxypass@ftppass for the password.

> > Without proxy authentication the string ftpuser@ftpserver works fine.
> > When I enable proxy-authentication, then I have to enter the proxy
> > credentials, but don't know how to do it.
> 
> "How to give FTP client credentials for proxy authentication" seems like
> a question for your FTP client support forum, not squid-users. We do not
> even know what FTP client you use. Did I misunderstand the question?

I want a generic solution, so that every ftp client can use the ftp proxy
support of squid.
At the moment I have to use a commercial ftp client which doesn't
have any proxy option.

> > I tried "proxyuser@ftpuser@ftpserver" for username, but it doesn't work.
> 
> IIRC, proxyuser@ftpuser@ftpserver tells Squid to go to ftpserver using
> proxyuser@ftpuser as the user name/login.

Yes, and it would be nice to configure squid so that squid extracts the proxy
authentication from this string.

> > Is there any support for native ftp protocol and proxy authentication ?
> 
> I doubt there is native FTP proxy authentication support in Squid, but
> to be sure, it would be great to know how that works from the FTP client
> point of view. In other words, when an FTP client supports FTP proxy
> authentication, what does it send to the FTP proxy (i.e., to Squid)?

It doesn't have proxy support, it only sends the USER and PASS string.



-- 
Regards

  Dieter



[squid-users] native ftp and proxy authentication

2017-12-15 Thread Dieter Bloms
Hello,

I use the native ftp support of squid-4.0.22 and it works well without proxy
authentication.
I want to enable the proxy authentication, but don't know how to login
to the proxy with the native ftp client.

Without proxy authentication the string ftpuser@ftpserver works fine.
When I enable proxy-authentication, then I have to enter the proxy
credentials, but don't know how to do it.
I tried "proxyuser@ftpuser@ftpserver" for username, but it doesn't work.

Is there any support for native ftp protocol and proxy authentication ?


-- 
Regards

  Dieter



[squid-users] get many logentries "ACL is used in context without an ALE state. Assuming mismatch" after upgrade from 3.5 to 4.0.21 when using external helper

2017-09-14 Thread Dieter Bloms
Hello,

I have used external helpers with squid 3.5.xx for several years without any
problem.
Now I tried to upgrade to squid 4.0.21 and squid seems to work fine, but
I get many log entries like:

--snip--
2017/09/14 07:43:12 kid3| WARNING: blockhostsdomain ACL is used in context without an ALE state. Assuming mismatch.
2017/09/14 07:43:12 kid3| WARNING: blockhostsip ACL is used in context without an ALE state. Assuming mismatch.
2017/09/14 07:44:12 kid4| WARNING: blockhostsdomain ACL is used in context without an ALE state. Assuming mismatch.
2017/09/14 07:44:12 kid4| WARNING: blockhostsip ACL is used in context without an ALE state. Assuming mismatch.
--snip--

when I switched the acls to a file list, the warnings are gone.

my acls for external helpers look like:

external_acl_type blockhostiptype ttl=3600 negative_ttl=3600 grace=50 children-max=10 children-startup=2 %DST /usr/bin/dnsbl-ip.pl bl
acl blockhostsip external blockhostiptype
external_acl_type blockhostdomaintype ttl=3600 negative_ttl=3600 grace=50 children-max=10 children-startup=2 %DST /usr/bin/dnsbl.pl dbl
acl blockhostsdomain external blockhostdomaintype

when I replaced the above lines with these two, the warnings are gone:

acl blockhostsip dst "/etc/squid/blockhosts.ips"
acl blockhostsdomain dstdomain "/etc/squid/blockhosts.domains"

but I want to use the external helpers, because the lists are updated
many times a day and a reconfigure of squid has an impact of 2-3 seconds.

As I said before, squid works fine and checks the acls, but I get many
warnings in the cache.log and don't know the cause of it.


-- 
Regards

  Dieter

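For readers who want to see what the helper behind `external_acl_type ... %DST` actually has to do, here is an added example of the helper protocol in Python. It is not the dnsbl.pl/dnsbl-ip.pl helper from the post: the blocklists are constructed stand-ins for the DNSBL lookups, and the `--concurrent` flag is an assumption of this example, not a squid option.

```python
"""Squid external ACL helper skeleton.

Added example, not the dnsbl.pl/dnsbl-ip.pl helper from the post. Squid starts
the helper and writes one request line per lookup to its stdin, formatted as
the external_acl_type line says (here just %DST, so the line is the
destination host or IP). It expects exactly one reply line per request on
stdout: OK (ACL matches), ERR (no match) or BH (helper failure), optionally
followed by key=value pairs such as message="...". Each reply must be flushed
at once. With concurrency=N set on external_acl_type, every line carries a
channel id that has to be echoed back. The lists below are constructed
stand-ins for the DNSBL lookups.
"""
import sys

# Constructed sample data (RFC 5737 test addresses, reserved example names).
BLOCKED_DOMAINS = {"bad.example", "malware.example"}
BLOCKED_IPS = {"192.0.2.10", "198.51.100.7"}


def is_blocked(dst):
    """True when dst is a listed IP, a listed domain or a subdomain of one."""
    dst = dst.strip().lower().rstrip(".")
    if dst in BLOCKED_IPS:
        return True
    labels = dst.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def handle_line(line, concurrent=False):
    """Turn one request line from Squid into one reply line (without newline)."""
    line = line.rstrip("\r\n")
    prefix = ""
    if concurrent:
        # "<channel-id> <request>": the id must come back on the reply.
        parts = line.split(" ", 1)
        if len(parts) != 2 or not parts[0].isdigit():
            return "BH"
        prefix, line = parts[0] + " ", parts[1]
    dst = line.strip()
    if not dst:
        return prefix + "BH"
    if is_blocked(dst):
        # OK = the ACL matches; 'http_access deny blockhostsip' then blocks,
        # and %o in the error page shows the message.
        return prefix + 'OK message="destination is on the blocklist"'
    return prefix + "ERR"


def main(argv=None):
    """Helper loop: one reply per request line, flushed immediately."""
    argv = sys.argv[1:] if argv is None else argv
    concurrent = "--concurrent" in argv   # assumed flag of this example only
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrent) + "\n")
        sys.stdout.flush()   # Squid waits for each reply; buffering stalls lookups


if __name__ == "__main__":
    main()
```

Two details are easy to get wrong in a real helper: forgetting to flush stdout (squid then waits until the buffer fills), and answering a malformed line with nothing at all instead of BH, which leaves that request hanging.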


[squid-users] customize timeformat in error pages

2017-06-20 Thread Dieter Bloms
Hello,

I want to customize the time format for %t in my error pages.
For the logfiles it is in strftime format like %{%d.%m:%Y %H:%M:%S}tl,
but when I put it in my error page templates like %{%d.%m:%Y %H:%M:%S}t,
squid doesn't consider it.
Is there any way to define the timeformat for %t in the error pages ?

Thank you very much!

-- 
Regards

  Dieter



Re: [squid-users] Huge amount of time_wait connections after upgrade from v2 to v3

2017-06-07 Thread Dieter Bloms
Hi Ivan,

On Tue, Jun 06, Ivan Larionov wrote:

> We recently updated from squid v2 to v3 and now see huge increase in
> connections in TIME_WAIT state on our squid servers (verified that this is
> clients connections).

I can confirm that since 3.5.22 to our ICAP scanners.
With 3.5.21 we had no problems on the SLES11 SP4 operating system.
We did some tests with RHEL7 and we had much less TIME_WAIT.
Do you use an older operating system?


-- 
Regards

  Dieter



Re: [squid-users] custom error pages with stylesheets doesn't work for me

2017-05-19 Thread Dieter Bloms
Hello Alex,

On Thu, May 18, Alex Rousskov wrote:

> On 05/18/2017 03:17 AM, Dieter Bloms wrote:
> 
> > I wrote some custom error pages and activated style sheets in the header of 
> > the error pages like:
> > 
> > 
> > %l
> > 
> > 
> > In the squid.conf file I set err_page_stylesheet to my stylesheet file and 
> > I restarted squid.
> > My expectation was, that the content of this style sheet file will be 
> > included in the error page at the %l position.
> 
> Your expectation was correct.
> 
> 
> > But the place between  and  is empty.
> > Does anybody know how can I insert the content of the style sheet file to 
> > the error pages?
> 
> The steps you described above appear correct to me. Did you check for
> errors in cache.log when starting Squid? Squid should complain if it
> cannot load err_page_stylesheet but, unfortunately, Squid thinks that
> you do not really care much about style and keeps running despite any
> loading failures.
> 
> Temporary renaming the stylesheet file (so that Squid cannot load it)
> will help you test whether you are looking for errors in the right place.

thank you for the hint.
Squid had no read permission for this file. After setting the right permissions
it worked.
But there was _no_ error message in the cache log file.
I found the wrong permission with the help of the strace command.
It would be nice if squid dropped a note that it can't read the file.


-- 
Regards

  Dieter



[squid-users] custom error pages with stylesheets doesn't work for me

2017-05-18 Thread Dieter Bloms
Hello,

I use squid 3.5.25 compiled with following options:

Squid Cache: Version 3.5.25
Service Name: squid
configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' 
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' 
'--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' 
'--with-default-user=squid' '--with-filedescriptors=24576' 
'--disable-auto-locale' '--disable-auth-negotiate' '--disable-auth-ntlm' 
'--disable-eui' '--disable-carp' '--disable-htcp' '--disable-ident-lookups' 
'--disable-loadable-modules' '--disable-translation' '--disable-wccp' 
'--disable-wccpv2' '--enable-async-io=128' '--enable-auth' 
'--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP file' 
'--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' 
'--enable-snmp' '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' 
'--enable-storeio=aufs,rock' '--enable-referer-log' '--enable-useragent-log' 
'--enable-large-cache-files' '--enable-removal-policies=lru,heap' 
'--enable-external-acl-helpers=session' '--enable-follow-x-forwarded-for' 
'--enable-ssl-crtd' '--disable-strict-error-checking' 
'--with-openssl=/opt/dv-openssl1' 'CFLAGS= -O2 -fPIE -fPIC 
-DSQUID_USE_SSLGETCERTIFICATE_HACK=1' 'LDFLAGS= -fPIC -pie' 'CPPFLAGS= -O2 
-fPIE -fPIC -DSQUID_USE_SSLGETCERTIFICATE_HACK=1'

I wrote some custom error pages and activated style sheets in the header of the 
error pages like:


%l


In the squid.conf file I set err_page_stylesheet to my stylesheet file and I 
restarted squid.
My expectation was, that the content of this style sheet file will be included 
in the error page at the %l position.
But the place between  and  is empty.

Does anybody know how can I insert the content of the style sheet file to the 
error pages ?


-- 
Regards

  Dieter



[squid-users] assertion failed: client_side.cc:819: "areAllContextsForThisConnection()" after upgrade from 3.5.8 to 3.5.11

2015-12-02 Thread Dieter Bloms
Hello,

I did an upgrade from 3.5.8 to 3.5.11 and now sometimes I get the
message:

assertion failed: client_side.cc:819: "areAllContextsForThisConnection()"

in cache.log and squid dies.

Is this a known problem or shall I create a bug report?


-- 
Regards

  Dieter



Re: [squid-users] Squid3 Support for TLS 1.1 and TLS 1.2

2015-11-06 Thread Dieter Bloms
Hi,

On Fri, Nov 06, Fullyrealized LLC wrote:

> I have been trying to bolster my pfsense systems and found one
> difficulty with squid3. I cant figure out how to allow for support of
> tls 1.1 and 1.2. It supports tls 1 of course but the new reports from
> qualys give a "C" for such. I am wondering if there is a way to add
> support for the newer TLS 1.1 and 1.2 to Squid3 reverse proxy. Can
> anyone help?

it depends on your openssl version.
If you use an old 0.9.x version, tls1.1 and above are not supported.
You have to use openssl 1.x.x to get support for it.

-- 
regards

  Dieter



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-26 Thread Dieter Bloms
Hello Marcus,

On Thu, Sep 17, Marcus Kool wrote:

> I just tried accessing https://banking.postbank.de/
> using Squid 3.5.8 and Chrome.
> I also got the ERR_CONNECTION_CLOSED error.

thank you for testing, so I think the fault is not my config.
May it be a bug in squid or openssl, or maybe the webserver ?

> Then I changed the Squid configuration and added ".postbank.de" in our list 
> of banks (acl tls_server_is_bank) to prevent bumping.

...

> And tried to access https://banking.postbank.de again from Chrome and the 
> site works normal.

ok, without sslbump the website works for me, but what is the reason that
sslbump to this site doesn't work ?


-- 
Regards

  Dieter



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-17 Thread Dieter Bloms
Hello Amos,

thank you for your hints.

On Thu, Sep 17, Amos Jeffries wrote:

> > the relevant part is:
> > 
> > --snip--
> > acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
> > http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
> 
> 
> Replace these...
> 
> > ssl_bump none nodecryptdomains
> > ssl_bump server-first all
> 
> ... with:
> 
>  acl nodecrypt ssl::server_name "/etc/squid/nodecrypt.domains"
>  acl step1 at_step SslBump1
>  ssl_bump peek step1
>  ssl_bump splice nodecrypt
>  ssl_bump bump all
> 
> Maybe also remove the nodecryptdomains ACL. Depends on whether you use
> it anywhere else.

I've changed my config, but same results.
SSLBump works so far, only the site banking.postbank.de makes trouble.
My chrome browser says "ERR_CONNECTION_CLOSED" and the squid log
looks like:

--snip--
1442473894.771 49 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473894.832 49 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.074 48 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.134 47 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.193 45 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
--snip--


here the ssl relevant part of my squid.conf:
--snip--
http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
ssl_bump peek step1
ssl_bump bump all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2:NO_SSLv3:ALL
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
--snip--

so it would be nice, if anybody with enabled sslbump on squid3.5.8 can
do a GET Request to https://banking.postbank.de/ to see if that works.


-- 
Regards

  Dieter



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-16 Thread Dieter Bloms
Hello Antony,


On Wed, Sep 16, Antony Stone wrote:

> On Wednesday 16 September 2015 at 15:39:35, Dieter Bloms wrote:
> 
> > I did an upgrade of my squid from 3.4.13 to 3.5.8 and most sites are
> > accessible via HTTPS and sslbump enable.
> > But I can't get any access to the destination
> > https://banking.postbank.de, which is accessible with 3.4.13.
> > I use the same config for both squid versions.
> 
> 1. What is that configuration (squid.conf without comments or blank lines, 
> please)?

the relevant part is:

--snip--
acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
ssl_bump none nodecryptdomains
ssl_bump server-first all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2:NO_SSLv3:ALL
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_cert_error deny all
--snip--

the destination banking.postbank.de is not listed in the 
/etc/squid/nodecrypt.domains file

with squid-3.4.13 the logs look like:

--snip--
1442410263.639 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 7531 GET https://banking.postbank.de/rai/rai/image/pb-logo.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.737 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 986 GET https://banking.postbank.de/rai/rai/css/image/rgn-sprite.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.738 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1066 GET https://banking.postbank.de/rai/rai/css/image/fld-input.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.739 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 4181 GET https://banking.postbank.de/rai/rai/css/image/rgn-noise.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.751 33 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 27373 GET https://banking.postbank.de/rai/rai/css/type/pb_medium_cnd-webfont.woff - HIER_DIRECT/62.153.105.15 application/x-font-woff
1442410263.822 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1877 GET https://banking.postbank.de/rai/rai/css/image/aside-shadow.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.823 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 8047 GET https://banking.postbank.de/rai/rai/css/image/action-links.png - HIER_DIRECT/62.153.105.15 image/png
--snip--

with squid 3.5.8 the logs look like:

--snip--
1442410295.266 32 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.297 28 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.328 29 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.379 43 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.420 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.460 38 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.500 37 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410330.548 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410330.590 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410330.629 36 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
--snip--


> 2. What differences do you get in the log files between the two versions when 
> you try to access that site?
> 
> This information may give us something to go on in helping with your problem.
> 
> 
> Regards,
> 
> 
> Antony.
> 
> -- 
> "Black holes are where God divided by zero."
> 
>  - Steven Wright
> 
>Please reply to the list;
>  please *don't* CC me.

-- 
Regards

  Dieter



[squid-users] howto disable tls compression when using sslbump in squid-3.5.5 between squid and https webserver ?

2015-06-09 Thread Dieter Bloms
Hello,

I use squid 3.5.5 and use the sslbump feature.
When I activate sslbump, the browsertest on www.ssllabs.com
( https://www.ssllabs.com/ssltest/viewMyClient.html )
says TLS compression is activated and insecure.
I use openssl 1.0.1m on my proxy server.

I tried some settings like:

sslproxy_flags No_Compression

but squid claims FATAL: Unknown ssl flag 'No_Compression'.

Is it possible to disable TLS compression for the connection from squid
to the webserver when sslbump is used ?

Thank you very much.


-- 
Regards

  Dieter Bloms



Re: [squid-users] Squid doesn't do a fallback from ipv6 to ipv4, if the ipv6 connect fails

2014-12-19 Thread Dieter Bloms
Hello Amos,

On Sat, Dec 20, Amos Jeffries wrote:

> > When I do a http://ssl.ratsinfo-online.net/ the fallback from ipv6
> > to ipv4 works fine, but when I do a
> > https://ssl.ratsinfo-online.net/ squid tries ipv6 only and doesn't
> > do a fallback to ipv4.
> > 
> > It would be nice, if you can try it on your dual stack setup.
> > 
> > Thank you.
> 
> It takes me 10-20 sec to receive any response on the very first DNS
> lookup for that domain. After which all responses are quite fast for a
> few minutes. Then repeat with the slow lookup.
> 
> Like you say it responds with 1 IPv4 and 1 IPv6. Which is not too
> many, and none actually failing to resolve. So DNS is reasonable even
> with the occasional delay.
> 
> I am seeing approx 40-90% packet loss on several of the NTT.net
> transit hops between me and the site in IPv4. Not sure if that is
> in any way related to your access path.
> 
> My current colo provider blocks network measurements from end-servers
> (but only on v6) so I can't adequately test the v6 connectivity
> anymore. But your log entry indicates that probably a TCP SYN
> handshake did not finish over either IP version.

with https squid doesn't try to connect to the webserver over ipv4 (verified
with tcpdump).

So I think you can test the missing failover from ipv6 to ipv4, if a
connect over ipv6 isn't possible with an https connection.

Again, with http the failover from ipv6 to ipv4 occurs, only https is a
problem.


-- 
Regards

  Dieter



[squid-users] Squid doesn't do a fallback from ipv6 to ipv4, if the ipv6 connect fails

2014-12-10 Thread Dieter Bloms
Hello,

we use squid 3.4.9 as proxy for our company with ipv4 and ipv6 dual
stack.
It works well, but if a destination has an A and AAAA record and the
webserver isn't reachable via ipv6, squid generates an error page
instead of trying a connection via ipv4.

One example is the url:

https://ssl.ratsinfo-online.net/pirna-ri/logon.asp

where squid tries to reach the website via the ip
2001:8d8:87c:5f00::6e:72d6, but without success, because it isn't
reachable.

Now I want squid to do a fallback to ipv4 after connect_timeout,
but squid returns an error page (ERR_CONNECT_FAIL) to the client.


-- 
Regards

  Dieter

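The fallback the two posts above ask for (try the AAAA address first, then the A address when the IPv6 connect fails or times out), as an added example in plain Python. It is not Squid's own code; the listener, the addrinfo list and the loopback addresses are constructed for the demo.

```python
"""IPv6-first connect with fallback to IPv4.

Added example, not Squid's own code: addresses are tried in the order a
resolver returned them (IPv6 first), every attempt gets its own connect
timeout, and a refused, unreachable or timed-out attempt falls through to the
next address instead of ending in an error page. The listener and the
addrinfo list in demo() are constructed test fixtures.
"""
import socket


def order_addresses(addrinfo, prefer_ipv6=True):
    """Order getaddrinfo()-style results so the preferred family is tried first."""
    v6 = [ai[4][0] for ai in addrinfo if ai[0] == socket.AF_INET6]
    v4 = [ai[4][0] for ai in addrinfo if ai[0] == socket.AF_INET]
    return v6 + v4 if prefer_ipv6 else v4 + v6


def connect_with_fallback(addresses, port, timeout=1.0):
    """Return (socket, address, failures) for the first address that connects.

    Every failure (refused, no route, timeout, or a host without IPv6
    support at all) is recorded and the next address is tried.
    """
    failures = []
    for addr in addresses:
        family = socket.AF_INET6 if ":" in addr else socket.AF_INET
        sock = None
        try:
            sock = socket.socket(family, socket.SOCK_STREAM)
            sock.settimeout(timeout)      # per-attempt limit, like connect_timeout
            sock.connect((addr, port))
            sock.settimeout(None)
            return sock, addr, failures
        except OSError as exc:
            failures.append((addr, exc.__class__.__name__))
            if sock is not None:
                sock.close()
    raise ConnectionError("no address reachable: %r" % failures)


def demo():
    """Listener on 127.0.0.1 only: the ::1 attempt must fail and fall back."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    # Constructed addrinfo, as a resolver would return for a dual-stack host
    # whose IPv6 address is not reachable (deliberately listed IPv4 first to
    # show that order_addresses() puts IPv6 in front).
    addrinfo = [
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("127.0.0.1", port)),
        (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("::1", port, 0, 0)),
    ]
    try:
        sock, used, failures = connect_with_fallback(order_addresses(addrinfo), port)
        sock.close()
    finally:
        listener.close()
    return used, [addr for addr, _ in failures]


if __name__ == "__main__":
    print(demo())
```

The per-attempt timeout is what keeps the fallback useful: without it a silently dropped SYN on the IPv6 path would block for the full kernel connect timeout before the IPv4 address is ever tried.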