[squid-users] any problems problem with sslBump

2011-09-16 Thread Linos
Hi,
I am using Squid 3.1.15 server. I have enabled ssl-bump and dynamic SSL cert
generation with these lines:

http_port 3150 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/www.example.com.pem

always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid_ssl_db -M 4MB
sslcrtd_children 5

It works fine but I have two minor problems:

1) Internet Explorer keeps giving me security questions about invalid
certificates after I have imported my authority (I can see the authority in
the intermediate CA tab inside certs). I have installed the same authority in
Firefox and I don't have this problem. How could I fix this?

2) Gmail only works in plain old HTML mode; the standard version keeps loading
forever. All other Google apps work great and other SSL sites too; only Gmail
fails to load the standard version.

Regards,
Miguel Angel.
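
The configuration in the message above bumps HTTPS while `sslproxy_flags DONT_VERIFY_PEER` and `sslproxy_cert_error allow all` switch off validation of the origin server's certificate, so clients that trust the proxy CA get no warning about an invalid upstream certificate. The following is an added example, not part of the original message: a small audit that flags those two settings in a squid.conf read on stdin. The function names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report squid.conf settings that stop an ssl-bump proxy from
# validating the origin server certificate. The config is read on stdin.

audit_sslbump() {
    awk '
        { sub(/#.*$/, "") }                 # drop comments (whole-line or trailing)
        NF == 0 { next }
        $1 == "http_port" || $1 == "https_port" {
            for (i = 2; i <= NF; i++) if ($i == "ssl-bump") bump = NR
        }
        $1 == "sslproxy_flags" {
            for (i = 2; i <= NF; i++) {
                n = split($i, flag, /[:,]/)  # tolerate several flags in one token
                for (j = 1; j <= n; j++)
                    if (flag[j] == "DONT_VERIFY_PEER") noverify = NR
            }
        }
        $1 == "sslproxy_cert_error" && $2 == "allow" && $3 == "all" { allowerr = NR }
        END {
            if (!bump) { print "OK: no ssl-bump port configured"; exit }
            if (noverify)
                print "FINDING line " noverify ": sslproxy_flags DONT_VERIFY_PEER (origin certificates are not verified)"
            if (allowerr)
                print "FINDING line " allowerr ": sslproxy_cert_error allow all (validation errors are ignored)"
            if (!noverify && !allowerr)
                print "OK: ssl-bump port on line " bump " keeps origin certificate validation"
        }
    '
}

# Constructed sample: the directives quoted in the message above.
weak_conf() {
    cat <<'EOF'
http_port 3150 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/www.example.com.pem
always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid_ssl_db -M 4MB
sslcrtd_children 5
EOF
}

# Constructed sample: the same port with both overrides removed, which leaves
# Squid at its default of ending the transaction on a server certificate error.
strict_conf() {
    cat <<'EOF'
http_port 3150 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/www.example.com.pem
always_direct allow all
ssl_bump allow all
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid_ssl_db -M 4MB
sslcrtd_children 5
EOF
}

echo "== weak =="
weak_conf | audit_sslbump
echo "== strict =="
strict_conf | audit_sslbump
```

To check a live file, run `audit_sslbump < /etc/squid3/squid.conf`.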


[squid-users] 3.1.x compile errors using ssl_crtd

2012-05-27 Thread Linos
Hi,
I am using Ubuntu Server 12.04 with libssl-dev 1.0.1 and I can't compile
Squid. I have downloaded the last daily auto-generated release (that should have
this bug fixed) but I still have the same problem.

./configure --enable-ssl --enable-ssl-crtd
make

(after a while)
/bin/bash ../../libtool --tag=CXX   --mode=link g++ -Wall -Wpointer-arith
-Wwrite-strings -Wcomments -Werror -fhuge-objects -D_REENTRANT -g -O2  -g -o
ssl_crtd ssl_crtd.o certificate_db.o -lssl -lcrypto -lsslutil
../../compat/libcompat.la ../../lib/libmiscutil.a
libtool: link: g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror
-fhuge-objects -D_REENTRANT -g -O2 -g -o ssl_crtd ssl_crtd.o certificate_db.o
-lssl -lcrypto -lsslutil ../../compat/.libs/libcompat.a ../../lib/libmiscutil.a
g++: warning: switch '-fhuge-objects' is no longer supported
/usr/bin/ld: cannot find -lsslutil
collect2: ld returned 1 exit status

I have tried to add the direct path .libs/libsslutil.a to the linker line in
src/ssl/Makefile, but I get the original bug error after this change:

libtool: link: g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror
-fhuge-objects -D_REENTRANT -g -O2 -g -o ssl_crtd ssl_crtd.o certificate_db.o
-lssl -lcrypto .libs/libsslutil.a ../../compat/.libs/libcompat.a
../../lib/libmiscutil.a
g++: warning: switch '-fhuge-objects' is no longer supported
../../lib/libmiscutil.a(MemPool.o): In function `MemPools::flushMeters()':
/tmp/squid-3.1.19-20120526-r10446/lib/MemPool.cc:224: undefined reference to `squid_curtime'
/tmp/squid-3.1.19-20120526-r10446/lib/MemPool.cc:225: undefined reference to `squid_curtime'
/tmp/squid-3.1.19-20120526-r10446/lib/MemPool.cc:223: undefined reference to `squid_curtime'
../../lib/libmiscutil.a(MemPoolChunked.o): In function `MemPoolChunked::deallocate(void*, bool)':
/tmp/squid-3.1.19-20120526-r10446/lib/MemPoolChunked.cc:357: undefined reference to `squid_curtime'
../../lib/libmiscutil.a(MemPoolChunked.o): In function `MemPoolChunked::convertFreeCacheToChunkFreeCache()':
/tmp/squid-3.1.19-20120526-r10446/lib/MemPoolChunked.cc:380: undefined reference to `squid_curtime'
../../lib/libmiscutil.a(MemPoolChunked.o):/tmp/squid-3.1.19-20120526-r10446/lib/MemPoolChunked.cc:406: more undefined references to `squid_curtime' follow
collect2: ld returned 1 exit status

I don't know how to fix it and I am in a hurry with this problem :(

Thanks.

Regards,
Miguel Angel.




Re: [squid-users] 3.1.x compile errors using ssl_crtd

2012-05-27 Thread Linos
On 28/05/12 01:13, Amos Jeffries wrote:
> 
> 
> The dependencies seem a bit out of sync with the library linkage order.
> 
> I think it should actually be "ssl/libsslutil.la $(SSLLIB)"
> 
> Amos

Thanks Amos,
I am not sure if I have understood you correctly but I have tried with:

ssl_crtd_LDADD = ssl/libsslutil.la $(SSLLIB) -lsslutil ../../compat/libcompat.la ../../lib/libmiscutil.a

that fails with:
libtool: link: cannot find the library `ssl/libsslutil.la' or unhandled argument `ssl/libsslutil.la'

and with:

ssl_crtd_LDADD = .libs/libsslutil.la $(SSLLIB) -lsslutil ../../compat/libcompat.la ../../lib/libmiscutil.a

that fails with the same error about "undefined reference to `squid_curtime'" as
before.

Regards,
Miguel Angel.


Re: [squid-users] 3.1.x compile errors using ssl_crtd

2012-05-28 Thread Linos
Hi,
I have installed the 3.2.0 beta version (the last daily auto-generated version)
because of the hurry and it is all working fine until now, thanks.

Regards,
Miguel Angel.

On 28/05/12 01:13, Amos Jeffries wrote:
> On 28.05.2012 07:31, Linos wrote:
>> Hi,
>> i am using Ubuntu Server 12.04 with libssl-dev 1.0.1 and i can't compile
>> squid, i have downloaded the last daily auto-generated release (that
>> should have
>> this bug fixed) but i still have the same problem.
>>
>> ./configure --enable-ssl --enable-ssl-crtd
>> make
>>
>> (after a while)
>> /bin/bash ../../libtool --tag=CXX   --mode=link g++ -Wall -Wpointer-arith
>> -Wwrite-strings -Wcomments -Werror -fhuge-objects -D_REENTRANT -g -O2 -g -o
>> ssl_crtd ssl_crtd.o certificate_db.o -lssl -lcrypto -lsslutil
>> ../../compat/libcompat.la ../../lib/libmiscutil.a
>> libtool: link: g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror
>> -fhuge-objects -D_REENTRANT -g -O2 -g -o ssl_crtd ssl_crtd.o certificate_db.o
>> -lssl -lcrypto -lsslutil ../../compat/.libs/libcompat.a
>> ../../lib/libmiscutil.a
>> g++: warning: switch '-fhuge-objects' is no longer supported
>> /usr/bin/ld: cannot find -lsslutil
>> collect2: ld returned 1 exit status
>>
>> I have tried to add .libs/libsslutil.a to the linker line in src/ssl/Makefile
>> the direct path .libs/libsslutil.a but i get the original bug error
>> after this
> 
> 
> The dependencies seem a bit out of sync with the library linkage order.
> 
> I think it should actually be "ssl/libsslutil.la $(SSLLIB)"
> 
> Amos



Re: [squid-users] 3.1.x compile errors using ssl_crtd

2012-05-28 Thread Linos
On 28/05/12 02:36, Linos wrote:
> On 28/05/12 01:13, Amos Jeffries wrote:
>>
>>
>> The dependencies seem a bit out of sync with the library linkage order.
>>
>> I think it should actually be "ssl/libsslutil.la $(SSLLIB)"
>>
>> Amos
> 
> Thanks Amos,
>   I am not sure if i have understood you correctly but i have tried with:
> 
> ssl_crtd_LDADD = ssl/libsslutil.la $(SSLLIB) -lsslutil ../../compat/libcompat.la ../../lib/libmiscutil.a
> 
> that fails with:
> libtool: link: cannot find the library `ssl/libsslutil.la' or unhandled argument `ssl/libsslutil.la'
> 
> and with:
> 
> ssl_crtd_LDADD = .libs/libsslutil.la $(SSLLIB) -lsslutil ../../compat/libcompat.la ../../lib/libmiscutil.a
> 
> that fails with the same error about "undefined reference to `squid_curtime'" as
> before.
> 
> Regards,
> Miguel Angel.

And after a while using 3.2.0 beta, Squid has failed with:

2012/05/28 13:39:30| BUG: Orphan Comm::Connection: local=81.24.115.100:36137 remote=199.59.148.87:443 FD 105 flags=1
2012/05/28 13:39:30| NOTE: 1 Orphans since last started.
2012/05/28 13:39:30| assertion failed: comm.cc:1093: "isOpen(fd)"

So I still don't have a working solution to use Squid with sslbump in Ubuntu
12.04 :-(

Regards,
Miguel Angel.


Re: [squid-users] SSL Sites bypass interception

2012-05-29 Thread Linos
On 29/05/12 10:32, Jambaz wrote:
> Hi to all, I have squid 3.1.19 and it's all working for http; the "problem" is
> only when the sites that I have blocked use https. With https (port 443)
> sites like facebook, google plus, twitter and also very dangerous sites
> bypass squid and go through normally as if squid doesn't exist...
> What do I have to use and do to intercept ssl sites as well?
> One solution is to deny all ssl sites... but I can't because https is also used
> for serious sites (and not for social networks) and I only need to deny
> them and not the former...
> 
> Any reply will be appreciated 
> 
> Regards
> 

Hi,
I use Squid with ssl-bump for this. I need to intercept SSL connections to
block some SSL sites while letting people use other SSL-enabled websites (like
Gmail). You will need to install your own CA in the user browsers (if you don't,
the number of dialogs about how insecure a site is are a real nightmare);
this can be automated depending on what browser and OS you are using (Windows +
IE is very easy with Active Directory group policies). You will find some insights
in these links:

http://wiki.squid-cache.org/Features/SslBump
http://wiki.squid-cache.org/Features/DynamicSslCert
http://dvas0004.wordpress.com/2011/03/22/squid-transparent-ssl-interception/

Regards,
Miguel Angel.


Re: [squid-users] 3.1.x compile errors using ssl_crtd

2012-05-29 Thread Linos
On 28/05/12 14:59, Linos wrote:
> On 28/05/12 02:36, Linos wrote:
>> On 28/05/12 01:13, Amos Jeffries wrote:
>>>
>>>
>>> The dependencies seem a bit out of sync with the library linkage order.
>>>
>>> I think it should actually be "ssl/libsslutil.la $(SSLLIB)"
>>>
>>> Amos
>>
>> Thanks Amos,
>>  I am not sure if i have understood you correctly but i have tried with:
>>
>> ssl_crtd_LDADD = ssl/libsslutil.la $(SSLLIB) -lsslutil ../../compat/libcompat.la ../../lib/libmiscutil.a
>>
>> that fails with:
>> libtool: link: cannot find the library `ssl/libsslutil.la' or unhandled argument `ssl/libsslutil.la'
>>
>> and with:
>>
>> ssl_crtd_LDADD = .libs/libsslutil.la $(SSLLIB) -lsslutil ../../compat/libcompat.la ../../lib/libmiscutil.a
>>
>> that fails with the same error about "undefined reference to `squid_curtime'" as
>> before.
>>
>> Regards,
>> Miguel Angel.
> 
> And after a while using 3.2.0 beta squid have failed with:
> 
> 2012/05/28 13:39:30| BUG: Orphan Comm::Connection: local=81.24.115.100:36137
> remote=199.59.148.87:443 FD 105 flags=1
> 2012/05/28 13:39:30| NOTE: 1 Orphans since last started.
> 2012/05/28 13:39:30| assertion failed: comm.cc:1093: "isOpen(fd)"
> 
> So i don't have a working solution to use squid with sslbump in Ubuntu 12.04
> still :-(
> 
> Regards,
> Miguel Angel.

I have created two bug reports, one for the compilation issue with 3.1.x and
another for this bug in 3.2.0 beta, but I still don't have a working and stable
solution to use Squid with sslbump in Ubuntu 12.04. Could someone help me with
the compilation problem?

Would it be a solution to install openssl 0.9.8 in /usr/local and compile 3.1.19
with it? Thanks!

Regards,
Miguel Angel.


Re: [squid-users] 3.1.x compile errors using ssl_crtd

2012-05-29 Thread Linos
On 29/05/12 15:43, Eliezer Croitoru wrote:
> well i have tried compiling squid 3.2.0.17 and it was built fine.
>
> i wrote a basic way to compile squid on ubuntu 10.04 and 12.04 with all the dev
> dependencies required to compile it at:
>
> http://ubuntuforums.org/showpost.php?p=11958889&postcount=2
>
> Eliezer
>

I am using squid-3.2.0.17-20120527-r11561 (the last daily build) right now, it
compiles cleanly but have any bugs (well it is a beta version so it isn't
unexpected), I have reported one at
http://bugs.squid-cache.org/show_bug.cgi?id=3556

So I can't compile stable versions and beta versions have bugs; given this is a
production machine I still don't have a working solution.

Regards,
Miguel Angel.


Re: [squid-users] 3.1.x compile errors using ssl_crtd

2012-05-29 Thread Linos
On 29/05/12 13:20, Linos wrote:
> On 28/05/12 14:59, Linos wrote:
>> On 28/05/12 02:36, Linos wrote:
>>> On 28/05/12 01:13, Amos Jeffries wrote:
>>>>
>>>>
>>>> The dependencies seem a bit out of sync with the library linkage order.
>>>>
>>>> I think it should actually be "ssl/libsslutil.la $(SSLLIB)"
>>>>
>>>> Amos
>>>
>>> Thanks Amos,
>>> I am not sure if i have understood you correctly but i have tried with:
>>>
>>> ssl_crtd_LDADD = ssl/libsslutil.la $(SSLLIB) -lsslutil ../../compat/libcompat.la ../../lib/libmiscutil.a
>>>
>>> that fails with:
>>> libtool: link: cannot find the library `ssl/libsslutil.la' or unhandled argument `ssl/libsslutil.la'
>>>
>>> and with:
>>>
>>> ssl_crtd_LDADD = .libs/libsslutil.la $(SSLLIB) -lsslutil ../../compat/libcompat.la ../../lib/libmiscutil.a
>>>
>>> that fails with the same error about "undefined reference to `squid_curtime'" as
>>> before.
>>>
>>> Regards,
>>> Miguel Angel.
>>
>> And after a while using 3.2.0 beta squid have failed with:
>>
>> 2012/05/28 13:39:30| BUG: Orphan Comm::Connection: local=81.24.115.100:36137
>> remote=199.59.148.87:443 FD 105 flags=1
>> 2012/05/28 13:39:30| NOTE: 1 Orphans since last started.
>> 2012/05/28 13:39:30| assertion failed: comm.cc:1093: "isOpen(fd)"
>>
>> So i don't have a working solution to use squid with sslbump in Ubuntu 12.04
>> still :-(
>>
>> Regards,
>> Miguel Angel.
> 
> I have created two bug reports, one for the compilation issue with 3.1.x and
> other for this bug in 3.2.0 beta but i don't have still a working and stable
> solution to use Squid with sslbump in Ubuntu 12.04, could something help me with
> the compilation problem?
> 
> Would be a solution to install openssl 0.9.8 in /usr/local and compile 3.1.19
> with it? Thanks!
> 
> Regards,
> Miguel Angel.

I have tried compiling 3.1.19 with openssl 0.9.8x installed in /usr/local but I
still have a compilation error:

/bin/bash ../../libtool --tag=CXX   --mode=link g++ -Wall -Wpointer-arith
-Wwrite-strings -Wcomments -Werror -fhuge-objects -D_REENTRANT -g -O2  -g -o
ssl_crtd ssl_crtd.o certificate_db.o -lssl -lcrypto -lsslutil
../../compat/libcompat.la ../../lib/libmiscutil.a
libtool: link: g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror
-fhuge-objects -D_REENTRANT -g -O2 -g -o ssl_crtd ssl_crtd.o certificate_db.o
-lssl -lcrypto /tmp/squid-3.1.15/src/ssl/.libs/libsslutil.a
../../compat/.libs/libcompat.a ../../lib/libmiscutil.a
g++: warning: switch '-fhuge-objects' is no longer supported
../../lib/libmiscutil.a(MemPool.o): In function `MemPools::flushMeters()':
/tmp/squid-3.1.15/lib/MemPool.cc:224: undefined reference to `squid_curtime'
/tmp/squid-3.1.15/lib/MemPool.cc:225: undefined reference to `squid_curtime'
/tmp/squid-3.1.15/lib/MemPool.cc:223: undefined reference to `squid_curtime'
../../lib/libmiscutil.a(MemPoolChunked.o): In function
`MemPoolChunked::deallocate(void*, bool)':
/tmp/squid-3.1.15/lib/MemPoolChunked.cc:357: undefined reference to `squid_curtime'
../../lib/libmiscutil.a(MemPoolChunked.o): In function
`MemPoolChunked::convertFreeCacheToChunkFreeCache()':
/tmp/squid-3.1.15/lib/MemPoolChunked.cc:380: undefined reference to `squid_curtime'
../../lib/libmiscutil.a(MemPoolChunked.o):/tmp/squid-3.1.15/lib/MemPoolChunked.cc:406:
more undefined references to `squid_curtime' follow
collect2: ld returned 1 exit status
make[3]: *** [ssl_crtd] Error 1


So it seems it is not related to openssl 1.0.1.

Regards,
Miguel Angel.


Re: [squid-users] 3.1.x compile errors using ssl_crtd

2012-05-29 Thread Linos
On 29/05/12 19:32, Eliezer Croitoru wrote:
> On 29/05/2012 17:23, Linos wrote:
>> On 29/05/12 15:43, Eliezer Croitoru wrote:
>>> well i have tried compiling squid 3.2.0.17 and it was built fine.
>>>
>>> i wrote a basic way to compile squid on ubuntu 10.04 and 12.04 with all the dev
>>> dependencies required to compile it at:
>>>
>>> http://ubuntuforums.org/showpost.php?p=11958889&postcount=2
>>>
>>> Eliezer
>>>
>>
>> I am using squid-3.2.0.17-20120527-r11561 (the last daily build) right now, it
>> compiles cleanly but have any bugs (well it is a beta version so it isn't
>> unexpected), i have reported one at
>> http://bugs.squid-cache.org/show_bug.cgi?id=3556
>>
>> So i can't compile stable versions and beta versions have bugs, given this is a
>> production machine i don't have still a working solution.
>>
>> Regards,
>> Miguel Angel.
> as i wrote.. i have compiled the stable versions without any problem.
> can you share you squid.conf?
> 
> Eliezer
> 

You wrote that you compiled 3.2.0.17; as you can see here
http://www.squid-cache.org/Versions/ 3.2.0.17 is a beta version. Like I wrote,
I have compiled this too and found any bugs in it.

I am not sure what the value of squid.conf is in a compilation problem but
anyway these are the uncommented lines:

external_acl_type request_body children-max=20 %{Content-Length} /etc/squid3/request_body_max_size.sh
acl request_max_aulas external request_body 104857
acl srv_aulas src 192.168.2.200/32
acl oficinas src 192.168.0.0/24
acl aulas1 src 192.168.2.0/24
acl aulas2 src 192.168.3.0/24
acl wifi_alumnos src 192.168.4.71-192.168.4.254/32
acl wifi_profesores src 192.168.4.1-192.168.4.70/32
acl hostsprohibidos src "/etc/squid3/hostsprohibidos"
acl urlaprobadas url_regex -i "/etc/squid3/urlaprobadas"
acl urlprohibidasaulas url_regex -i "/etc/squid3/urlprohibidasaulas"
acl urlprohibidasoficinas url_regex -i "/etc/squid3/urlprohibidasoficinas"
acl extensionesprohibidas url_regex -i "/etc/squid3/extensionesprohibidas"
acl whitenet src "/etc/squid3/whitehosts"
acl maniana time SMTWHFA 06:00-16:00
acl tarde time SMTWHFA 16:00-23:59 00:00-06:00
acl extensionestarde url_regex -i "/etc/squid3/extensionestarde"
acl msnmsg url_regex ^http://gateway\.messenger\.hotmail\.com/gateway/gateway\.dll
acl msnmsg url_regex ^http://64\.4\.[^/]*/gateway/gateway\.dll
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny aulas1 request_max_aulas
http_access deny aulas2 request_max_aulas
http_access allow whitenet
http_access allow all urlaprobadas
http_access allow oficinas !urlprohibidasoficinas
http_access allow wifi_alumnos !urlprohibidasoficinas
http_access allow wifi_profesores !urlprohibidasoficinas
http_access allow aulas1 maniana !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionesprohibidas
http_access allow aulas2 maniana !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionesprohibidas
http_access allow aulas1 tarde !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionestarde
http_access allow aulas2 tarde !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionestarde
http_access deny all
http_port 3128 transparent
http_port 3150 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/cert.pem
always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid_ssl_db -M 16MB
sslcrtd_children 16
memory_replacement_policy heap LFUDA
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid3 15000 16 256
maximum_object_size 40960 KB
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:     1440  20%  10080
refresh_pattern ^gopher:  1440  0%   1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
refresh_pattern .   0   20% 4320
store_avg_object_size 50 KB
delay_pools 2
delay_class 1 2 # pool 1 is a class 2 pool
delay_class 2 2 # pool 2 is a class 2 pool
delay_access 1 allow oficinas
delay_access 1 allow wifi_profesor

Re: [squid-users] 3.1.x compile errors using ssl_crtd

2012-05-30 Thread Linos
On 30/05/12 01:30, Amos Jeffries wrote:
> On 30.05.2012 09:23, Linos wrote:
>> On 29/05/12 19:32, Eliezer Croitoru wrote:
>>> On 29/05/2012 17:23, Linos wrote:
>>>> On 29/05/12 15:43, Eliezer Croitoru wrote:
>>>>> well i have tried compiling squid 3.2.0.17 and it was built fine.
>>>>>
>>>>> i wrote a basic way to compile squid on ubuntu 10.04 and 12.04 with all the dev
>>>>> dependencies required to compile it at:
>>>>>
>>>>> http://ubuntuforums.org/showpost.php?p=11958889&postcount=2
>>>>>
>>>>> Eliezer
>>>>>
>>>>
>>>> I am using squid-3.2.0.17-20120527-r11561 (the last daily build) right now, it
>>>> compiles cleanly but have any bugs (well it is a beta version so it isn't
>>>> unexpected), i have reported one at
>>>> http://bugs.squid-cache.org/show_bug.cgi?id=3556
>>>>
>>>> So i can't compile stable versions and beta versions have bugs, given this is a
>>>> production machine i don't have still a working solution.
>>>>
>>>> Regards,
>>>> Miguel Angel.
>>> as i wrote.. i have compiled the stable versions without any problem.
>>> can you share you squid.conf?
>>>
>>> Eliezer
>>>
>>
>> you wrote that you compiled 3.2.0.17, like you can see here
>> http://www.squid-cache.org/Versions/ 3.2.0.17 it's a beta version,
>> like i wrote
>> i have compiled this too and found any bugs in it.
> 
> What do you mean by "found any bugs"?  I assumed it was a typo of "many bugs"
> earlier, but you have been using it consistently across multiple emails.

Sorry, I was trying to mean "some bugs", bad usage of "any" here :(

> 
>>
>> I am not sure what it is the value of squid.conf in a compilation problem but
>> anyway this are the uncommented lines:
>>
> 
> 
> Small audit check, not related to your current problems ...
> 
> 
>> external_acl_type request_body children-max=20 %{Content-Length} /etc/squid3/request_body_max_size.sh
>> acl request_max_aulas external request_body 104857
>> acl srv_aulas src 192.168.2.200/32
>> acl oficinas src 192.168.0.0/24
>> acl aulas1 src 192.168.2.0/24
>> acl aulas2 src 192.168.3.0/24
>> acl wifi_alumnos src 192.168.4.71-192.168.4.254/32
>> acl wifi_profesores src 192.168.4.1-192.168.4.70/32
>> acl hostsprohibidos src "/etc/squid3/hostsprohibidos"
>> acl urlaprobadas url_regex -i "/etc/squid3/urlaprobadas"
>> acl urlprohibidasaulas url_regex -i "/etc/squid3/urlprohibidasaulas"
>> acl urlprohibidasoficinas url_regex -i "/etc/squid3/urlprohibidasoficinas"
>> acl extensionesprohibidas url_regex -i "/etc/squid3/extensionesprohibidas"
>> acl whitenet src "/etc/squid3/whitehosts"
>> acl maniana time SMTWHFA 06:00-16:00
>> acl tarde time SMTWHFA 16:00-23:59 00:00-06:00
>> acl extensionestarde url_regex -i "/etc/squid3/extensionestarde"
>> acl msnmsg url_regex ^http://gateway\.messenger\.hotmail\.com/gateway/gateway\.dll
>> acl msnmsg url_regex ^http://64\.4\.[^/]*/gateway/gateway\.dll
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost
>> http_access deny aulas1 request_max_aulas
>> http_access deny aulas2 request_max_aulas
> 
> 
> NOTE:  CONNECT requests should never have a specific content-length size. They
> are tested by the http_access ACLs prior to ssl-bump unwrapping them. Look
> carefully at what your request_max_aulas helper does when it receives "-" or no
> content-length. If it rejects a CONNECT it will be blocking ssl-bump from
> operating on that tunnel request.

I am checking for "-" in the helper so this should not be a problem.

>> http_acce
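
The audit note above concerns the `request_body` external ACL: Squid hands the helper "-" when a request (such as a CONNECT) has no Content-Length, and the helper must not match in that case or the deny rule blocks the tunnel before ssl-bump sees it. The following is an added example, not the script from the thread (which was never posted): a size-limit helper for that `external_acl_type` line, assuming that OK means "body larger than the limit" and that the ACL argument 104857 arrives as the second field.

```shell
#!/bin/sh
# Added example: a size-limit helper for
#   external_acl_type request_body children-max=20 %{Content-Length} <this script>
#   acl request_max_aulas external request_body 104857
# Squid writes one line per request: "<Content-Length> <limit>", with "-" in
# place of an absent header. The helper answers OK (ACL matches, so
# "http_access deny ... request_max_aulas" applies) or ERR (no match).

# strip_zeros DIGITS -> the same number without leading zeros ("000" -> "0")
strip_zeros() {
    sz=${1#"${1%%[!0]*}"}
    printf '%s\n' "${sz:-0}"
}

# request_body_verdict LENGTH LIMIT -> prints OK or ERR
request_body_verdict() {
    rb_len=$1
    rb_lim=$2
    case "$rb_len" in
        ''|-) echo ERR; return 0 ;;      # no Content-Length (CONNECT, GET): never too large
        *[!0-9]*) echo OK; return 0 ;;   # malformed length: match, so the deny rule applies
    esac
    case "$rb_lim" in
        ''|*[!0-9]*) echo OK; return 0 ;;  # unusable limit in squid.conf: fail closed
    esac
    rb_len=$(strip_zeros "$rb_len")
    rb_lim=$(strip_zeros "$rb_lim")
    # A limit longer than 18 digits cannot be compared safely with shell
    # integers; treat it as a configuration error and fail closed.
    if [ "${#rb_lim}" -gt 18 ]; then echo OK; return 0; fi
    # More digits means a larger number. Checking this first keeps a huge
    # client-supplied value away from the integer comparison below.
    if [ "${#rb_len}" -gt "${#rb_lim}" ]; then echo OK; return 0; fi
    if [ "$rb_len" -gt "$rb_lim" ]; then echo OK; else echo ERR; fi
}

# helper_loop: answer one verdict per input line until Squid closes stdin.
helper_loop() {
    while read -r hl_len hl_lim hl_rest; do
        request_body_verdict "$hl_len" "$hl_lim"
    done
}

# Constructed input: a CONNECT (no length), a small POST, an oversized POST.
printf '%s\n' '- 104857' '512 104857' '200000 104857' | helper_loop
# Installed as the helper, the script would end with a bare call: helper_loop
```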

Re: [squid-users] Re: SSL Sites bypass interception

2012-06-02 Thread Linos
On 02/06/12 17:02, Jambaz wrote:
> Hi my friends, and thanks for your help
Hi! My replies are inline.


> I have followed your suggestion... but when I try to start squid it gives me an
> error like:
> 
> FATAL: Bungled squid.conf line 48: http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/cert.pem
> Squid Cache (Version 3.1.19): Terminated abnormally.
> CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
> Maximum Resident Size: 13488 KB
> Page faults with physical i/o: 0
I think this is the exact error you get when you have squid compiled without
"--enable-ssl --enable-ssl-crtd" configure switches.


> 
> From the guide that you posted for me, I don't understand very well
> when it tells me to prepare the directory for caching certificates:
> 
> /usr/local/squid/libexec/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db
> 
> Do I have to create this directory first, or do I have to use the directory in
> squid.conf?
You have to use this command "ssl_crtd" to get the directory created. Later you
should be sure that the OS user that executes Squid (proxy in Debian, for
example) has perms on this newly created dir, and after that you have to use it in
squid.conf.

> 
> I also can't find where I have to use this command   ./configure
> --enable-ssl --enable-ssl-crtd  , sorry for this question
This command has to be used with the Squid source before compiling with make
and installing with make install. I usually change the configure flags of the
Debian or Ubuntu source package and install that rather than installing directly
with make, but it is a matter of taste.

> here is my squid.conf
> 
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 
> acl to_localhost dst 127.0.0.0/8
> acl lan src 192.168.1.50/32 192.168.2.0/24
> auth_param ntlm children 30
> auth_param ntlm keep_alive on
> acl SSL_ports port 443 # https
> acl Safe_ports port 25 # smtp
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 111 # ftp 2
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl Safe_ports port 3306 # MySql
> acl Safe_ports port 9100 # Stampante
> #acl broken_sites dstdomain .facebook.com
> acl purge method PURGE
> acl CONNECT method CONNECT
> #acl bad_url dstdomain "/etc/squid3/bad-sites.squid"
> #acl blockfiles urlpath_regex "/etc/squid3/blockfiles.squid"
> #ssl_bump deny broken_sites
> #ssl_bump allow all
> http_access allow lan
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> # http_access deny bad_url
> # http_access deny blockfiles
> # http_access deny reqmsn
> # http_reply_access deny repmsn
> http_access allow localhost
> http_access deny all
> http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/cert.pem
> #http_port 3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/cert.pem
> ssl_bump allow all
> always_direct allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> #sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
> sslcrtd_children 32
> icp_access allow lan
> icp_access deny all
> ie_refresh on
> visible_hostname localhost
> hosts_file /etc/hosts
> # dns_nameservers 192.168.2.100 192.168.2.101 151.99.125.1 151.99.125.3
> coredump_dir /var/spool/squid3
> maximum_object_size 16 MB
> cache_mem 32 MB
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap LFUDA
> cache_dir ufs /var/spool/squid 15000 16 256
> refresh_pattern ^ftp:     1440  20%  10080
> refresh_pattern ^gopher:  1440  0%   1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> refresh_pattern (Release|Packages(.gz)*)$   0   20% 2880
> refresh_pattern .   0   20% 4320
> store_avg_object_size 50 KB 
> url_rewrite_children 30
> redirect_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
> redirect_children 30
> 

[squid-users] transparent proxy myself?

2012-07-03 Thread Linos
Hi,
I have configured a transparent proxy a few times for the local network LAN, but
now I want to actually control the output traffic from the machine running
Squid itself without having to manually configure browsers and other network
programs. I can't get it to work using iptables; what rule should I be using?

Regards,
Miguel Angel.


Re: [squid-users] transparent proxy myself?

2012-07-04 Thread Linos
On 04/07/12 02:07, Amos Jeffries wrote:
> On 04.07.2012 07:05, Linos wrote:
>> Hi,
>> i have configured transparent proxy sometimes for the local network LAN, but
>> now i want to actually control the output traffic from the machine running the
>> squid itself without have to configure manually browsers and other network
>> programs, i can't get it to work using iptables, what rule should i be using?
>>
>> Regards,
>> Miguel Angel.
> 
> 
> Sorry your message is not clear. What do you have setup? and what exactly are
> you trying to reach?
> 
> From what I gather;
>  you have a somewhat proper proxy configuration already in use and want to
> downgrade it to a full-blown MITM security attack on your clients instead?
> 
> This might help:
> http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Recommended_network_configuration
> 
> 
> Amos
> 

Yes, my message is not clear, sorry. I will explain through examples. Suppose
my Squid computer is 192.168.1.254 and my LAN is 192.168.1.0/24. To get computers
in my LAN to use the transparent proxy I do:

1) configure squid.conf http_port (on the 192.168.1.254 Squid computer) in
"transparent" mode
2) I use 192.168.1.254 as gateway for computers in my LAN
3) on the Squid computer I use "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128"

After that if, for example, the computer 192.168.1.2 browses the net, the URLs
visited from there appear in access.log on the Squid computer as usual without the
need to configure the browser of this computer to use the proxy, perfect.

What I don't know how to do is intercept web traffic from a browser used on
192.168.1.254. I have one office where the Squid computer is a desktop as well
and I would like to transparently proxy the browsers of the Squid machine itself.

Regards,
Miguel Angel.


[squid-users] problems with ssl_crtd

2012-09-19 Thread Linos
Hi,
I have been using Squid squid-3.2.0.17-20120527-r11561 on an Ubuntu Server
12.04 for some time with ssl-bump without problems for a year. The CA cert expired
some days ago and with the new CA cert I installed Squid 3.2.1 stable.

Now the proxy exits every time 10 or more users use https at the same time.
It's pretty strange. I have tried to downgrade to the old Squid version but I
can't get the proxy to be stable no matter if using the new or old version. I have
tried to recreate another cert just in case, same problem. I recreated
squid_ssl_db and cache_dir too. No matter what I do it keeps crashing. The cache log
reads like this:


--
2012/09/19 11:58:00| Starting Squid Cache version 3.2.1 for x86_64-pc-linux-gnu...
2012/09/19 11:58:00| Process ID 30077
2012/09/19 11:58:00| Process Roles: master worker
2012/09/19 11:58:00| With 65535 file descriptors available
2012/09/19 11:58:00| Initializing IP Cache...
2012/09/19 11:58:00| DNS Socket created at [::], FD 4
2012/09/19 11:58:00| DNS Socket created at 0.0.0.0, FD 5
2012/09/19 11:58:00| Adding nameserver 80.58.61.250 from squid.conf
2012/09/19 11:58:00| Adding nameserver 8.8.8.8 from squid.conf
2012/09/19 11:58:00| helperOpenServers: Starting 5/10 'ssl_crtd' processes
2012/09/19 11:58:00| helperOpenServers: Starting 5/20 'request_body_max_size.sh' processes
2012/09/19 11:58:00| Logfile: opening log daemon:/var/log/squid3/access.log
2012/09/19 11:58:00| Logfile Daemon: opening log /var/log/squid3/access.log
2012/09/19 11:58:00| Unlinkd pipe opened on FD 31
2012/09/19 11:58:00| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2012/09/19 11:58:00| Store logging disabled
2012/09/19 11:58:00| Swap maxSize 1536 + 262144 KB, estimated 312442 objects
2012/09/19 11:58:00| Target number of buckets: 15622
2012/09/19 11:58:00| Using 16384 Store buckets
2012/09/19 11:58:00| Max Mem  size: 262144 KB
2012/09/19 11:58:00| Max Swap size: 1536 KB
2012/09/19 11:58:00| Rebuilding storage in /mnt/squid/squid3 (clean log)
2012/09/19 11:58:00| Using Least Load store dir selection
2012/09/19 11:58:00| Set Current Directory to /mnt/squid/squid3
2012/09/19 11:58:00| Loaded Icons.
2012/09/19 11:58:00| HTCP Disabled.
2012/09/19 11:58:00| Squid plugin modules loaded: 0
2012/09/19 11:58:00| Adaptation support is off.
2012/09/19 11:58:00| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 36 flags=41
2012/09/19 11:58:00| Accepting SSL bumped HTTP Socket connections at local=[::]:3150 remote=[::] FD 37 flags=9
2012/09/19 11:58:00| Store rebuilding is 16.55% complete
2012/09/19 11:58:00| Done reading /mnt/squid/squid3 swaplog (24167 entries)
2012/09/19 11:58:00| Finished rebuilding storage from disk.
2012/09/19 11:58:00| 24167 Entries scanned
2012/09/19 11:58:00| 0 Invalid entries.
2012/09/19 11:58:00| 0 With invalid flags.
2012/09/19 11:58:00| 24167 Objects loaded.
2012/09/19 11:58:00| 0 Objects expired.
2012/09/19 11:58:00| 0 Objects cancelled.
2012/09/19 11:58:00| 0 Duplicate URLs purged.
2012/09/19 11:58:00| 0 Swapfile clashes avoided.
2012/09/19 11:58:00|   Took 0.12 seconds (204025.29 objects/sec).
2012/09/19 11:58:00| Beginning Validation Procedure
2012/09/19 11:58:00|   Completed Validation Procedure
2012/09/19 11:58:00|   Validated 24167 Entries
2012/09/19 11:58:00|   store_swap_size = 732468.00 KB
2012/09/19 11:58:01| storeLateRelease: released 0 objects
(ssl_crtd): Cannot create ssl certificate or private key.
2012/09/19 12:03:20| WARNING: ssl_crtd #1 exited
2012/09/19 12:03:20| Too few ssl_crtd processes are running (need 1/10)
2012/09/19 12:03:20| Starting new helpers
2012/09/19 12:03:20| helperOpenServers: Starting 1/10 'ssl_crtd' processes
2012/09/19 12:03:20| client_side.cc(3477) sslCrtdHandleReply: "ssl_crtd" helper return  reply
(ssl_crtd): Cannot create ssl certificate or private key.
2012/09/19 12:03:20| WARNING: ssl_crtd #2 exited
2012/09/19 12:03:20| Too few ssl_crtd processes are running (need 1/10)
2012/09/19 12:03:20| Closing HTTP port 0.0.0.0:3128
2012/09/19 12:03:20| Closing HTTP port [::]:3150
2012/09/19 12:03:20| storeDirWriteCleanLogs: Starting...
2012/09/19 12:03:20|   Finished.  Wrote 24195 entries.
2012/09/19 12:03:20|   Took 0.02 seconds (1321120.45 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

Squid Cache (Version 3.2.1): Terminated abnormally.
CPU Usage: 1.896 seconds = 0.740 user + 1.156 sys
Maximum Resident Size: 144640 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena:   18900 KB
Ordinary blocks:18674 KB 54 blks
Small blocks:   0 KB  1 blks
Holding blocks: 37552 KB  9 blks
Free Small blocks:  0 KB
Free Ordinary blocks: 225 KB
Total in use:   56226 KB 297%
Tota

Re: [squid-users] problems with ssl_crtd

2012-09-19 Thread Linos
On 19/09/12 15:30, Guy Helmer wrote:
> On Sep 19, 2012, at 5:44 AM, Linos  wrote:
> 
>> Hi,
>>  i have been using Squid squid-3.2.0.17-20120527-r11561 in an Ubuntu 
>> Server
>> 12.04 some time with ssl-bump without problems for a year, the ca cert 
>> expired
>> some days ago and with the new ca cert i installed squid 3.2.1 stable.
>>
>> Now the proxy exists every time 10 or more users use https at the same time,
>> it's pretty strange, i have tried to downgrade to the old squid version but i
>> can't get the proxy to be stable no matter if using new or old version, i 
>> have
>> tried to recreate other cert just in case, same problem, i recreated too
>> squid_ssl_db and cache_dir, no matter what i do it keeps crashing, the cache 
>> log
>> read as this:
>>
>>

Re: [squid-users] problems with ssl_crtd

2012-09-19 Thread Linos
On 19/09/12 16:46, Guy Helmer wrote:
> 
> On Sep 19, 2012, at 9:03 AM, Linos  wrote:
> 
>> On 19/09/12 15:30, Guy Helmer wrote:
>>> On Sep 19, 2012, at 5:44 AM, Linos  wrote:
>>>
>>>> Hi,
>>>>i have been using Squid squid-3.2.0.17-20120527-r11561 in an Ubuntu 
>>>> Server
>>>> 12.04 some time with ssl-bump without problems for a year, the ca cert 
>>>> expired
>>>> some days ago and with the new ca cert i installed squid 3.2.1 stable.
>>>>
>>>> Now the proxy exists every time 10 or more users use https at the same 
>>>> time,
>>>> it's pretty strange, i have tried to downgrade to the old squid version 
>>>> but i
>>>> can't get the proxy to be stable no matter if using new or old version, i 
>>>> have
>>>> tried to recreate other cert just in case, same problem, i recreated too
>>>> squid_ssl_db and cache_dir, no matter what i do it keeps crashing, the 
>>>> cache log
>>>> read as this:
>>>>
>>>>

Re: [squid-users] problems with ssl_crtd

2012-09-19 Thread Linos
On 19/09/12 17:26, Eliezer Croitoru wrote:
> On 9/19/2012 1:44 PM, Linos wrote:
>> Hi,
>> i have been using Squid squid-3.2.0.17-20120527-r11561 in an Ubuntu 
>> Server
>> 12.04 some time with ssl-bump without problems for a year, the ca cert 
>> expired
>> some days ago and with the new ca cert i installed squid 3.2.1 stable.
>>
>> Now the proxy exists every time 10 or more users use https at the same time,
>> it's pretty strange, i have tried to downgrade to the old squid version but i
>> can't get the proxy to be stable no matter if using new or old version, i 
>> have
>> tried to recreate other cert just in case, same problem, i recreated too
>> squid_ssl_db and cache_dir, no matter what i do it keeps crashing, the cache 
>> log
>> read as this:
>>
> 
>>
>> I am using this ssl-bump line in squid.conf:
>> http_port 3150 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/myCA.pem
>>
>> I generated this myCA.pem using the instructions here
>> http://wiki.squid-cache.org/Features/DynamicSslCert
> 
> do you still have the old pem file?
> If it's expired ok but it should be still running but creating defective
> certificates.
I have the old pem, yes, but squid is working fine with the new one until more
than 5~6 people visit a https site at the same time, it doesn't seem to be a problem
with a non-working certificate, i will test with the old one anyway.

> 
> did you changed ownership for the directory and files?
I have checked the ownership and files many times, and recreated the directories
some times too.

> did you tried to run the command from shell to see if it works?
it works, because it works too for some time when launched by squid.

> 
> Eliezer
> 

Miguel Angel.




Re: [squid-users] problems with ssl_crtd

2012-09-20 Thread Linos
On 19/09/12 16:46, Guy Helmer wrote:
>>
>> Thanks for reply.
>>
>> i checked the squid_ssl_db/size because i found the empty file problem searching
>> for my own problem in the mailing list, it's ok in my host, the file has the
>> content "139264" right now.
>>
>> I can't find the core file, do i need to do something for it to generate? maybe
>> a configure script option or squid.conf change to activate it?
>>
>> Regards,
>> Miguel Angel.
> 
> I have
> 
> coredump_dir /var/log/squid
> 
> to get coredumps in my /var/log/squid directory. Now that I think about it, I 
> don't remember if this works for ssl_crtd though -- seems like I have had to 
> start "gdb ssl_crtd" and then attach to one of the ssl_crtd processes, then 
> generate HTTPS traffic to trigger the request to ssl_crtd and get a backtrace 
> when ssl_crtd gets the segfault signal…
> 
> Guy
> 

Hi,
   i have been trying to debug with gdb attaching to an existing process, the strange
thing is that ssl_crtd seems to exit normally in this test, here you have it (sorry
for the Spanish locale, i will use English next time, the only file with symbols
is ssl_crtd itself):


GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Para las instrucciones de informe de errores, vea:
<http://bugs.launchpad.net/gdb-linaro/>.
(gdb) attach 10495
Adjuntando a process 10495
Leyendo símbolos desde /usr/lib/squid3/ssl_crtd...Leyendo símbolos desde
/usr/lib/debug/usr/lib/squid3/ssl_crtd...hecho.
hecho.
Leyendo símbolos desde /lib/x86_64-linux-gnu/libcrypto.so.0.9.8...(no se
encontraron símbolos de depuración)hecho.
Símbolos cargados para /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libstdc++.so.6...(no se
encontraron símbolos de depuración)hecho.
Símbolos cargados para /usr/lib/x86_64-linux-gnu/libstdc++.so.6
Leyendo símbolos desde /lib/x86_64-linux-gnu/libgcc_s.so.1...(no se encontraron
símbolos de depuración)hecho.
Símbolos cargados para /lib/x86_64-linux-gnu/libgcc_s.so.1
Leyendo símbolos desde /lib/x86_64-linux-gnu/libc.so.6...(no se encontraron
símbolos de depuración)hecho.
Símbolos cargados para /lib/x86_64-linux-gnu/libc.so.6
Leyendo símbolos desde /lib/x86_64-linux-gnu/libdl.so.2...(no se encontraron
símbolos de depuración)hecho.
Símbolos cargados para /lib/x86_64-linux-gnu/libdl.so.2
Leyendo símbolos desde /lib/x86_64-linux-gnu/libz.so.1...(no se encontraron
símbolos de depuración)hecho.
Símbolos cargados para /lib/x86_64-linux-gnu/libz.so.1
Leyendo símbolos desde /lib/x86_64-linux-gnu/libm.so.6...(no se encontraron
símbolos de depuración)hecho.
Símbolos cargados para /lib/x86_64-linux-gnu/libm.so.6
Leyendo símbolos desde /lib64/ld-linux-x86-64.so.2...(no se encontraron símbolos
de depuración)hecho.
Símbolos cargados para /lib64/ld-linux-x86-64.so.2
0x7f3ef414f0a0 in read () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) continue
Continuando.
[Inferior 1 (process 10495) exited normally]
(gdb) bt
No stack.



I have tried attaching to the squid3 process itself and i have received a signal here:

GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Para las instrucciones de informe de errores, vea:
<http://bugs.launchpad.net/gdb-linaro/>.
(gdb) attach 10732
Adjuntando a process 10732
Leyendo símbolos desde /usr/sbin/squid3...coLeyendo símbolos desde
/usr/lib/debug/usr/sbin/squid3...ntinue
hecho.
hecho.
Leyendo símbolos desde /lib/x86_64-linux-gnu/libpthread.so.0...(no se
encontraron símbolos de depuración)hecho.
[Depuración de hilo usando libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Símbolos cargados para /lib/x86_64-linux-gnu/libpthread.so.0
Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libxml2.so.2...(no se
encontraron símbolos de depuración)hecho.
Símbolos cargados para /usr/lib/x86_64-linux-gnu/libxml2.so.2
Leyendo símbolos desde /lib/x86_64-linux-gnu/libexpat.so.1...(no se encontraron
símbolos de depuración)hecho.
Símbolos cargados para /lib/x86_64-linux-gnu/libexpat.so.1
Leyendo símbolos desde /lib/x86_64-linux-gnu/libssl.so.0.9.8...(no se
encontraron símbolos de depuración)hecho.
Símbolos cargados para /lib

Re: [squid-users] problems with ssl_crtd

2012-09-20 Thread Linos
On 20/09/12 12:58, Ahmed Talha Khan wrote:
> Hey Guy, All
> 
> I have started facing a very similar issue now. I have been using
> squid-3.HEAD-20120421-r12120 for about 5 months without any issues.
> Suddenly from yesterday I've started getting crashes in ssl_crtd
> process.
> 
> 
> In my case i am the only user but i observe that the behaviour is
> random. Sometimes it crashes and sometimes it works. Different https
> pages give the crash. Even non https pages have caused the crash.
> 
>  These occur especially on google https pages like docs, mail, calendar etc.
> 
> The signing cert is also ok and has NOT expired.
> 
> 
> My squid conf looks like this:
> ***
> sslproxy_cert_error allow all
> 
> sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s
> /usr/local/squid-3.3/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
> 
> http_port 192.168.8.134:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> cert=/home/asif/squid/www.sample.com.pem
> key=/home/asif/squid/www.sample.com.pem
> 
> http_port 192.168.8.134:8080
> 
> https_port 192.168.8.134:3129 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> cert=/home/asif/squid/www.sample.com.pem
> key=/home/asif/squid/www.sample.com.pem
> ***
> 
> The ssl_db directory is initialized properly with correct permissions.
> 
> ***
> [talha@localhost lib]$ pwd
> /usr/local/squid-3.3/var/lib
> 
> [talha@localhost lib]$ ls -al
> total 24
> drwxrwxrwx 3 root   root  4096 Sep 20 15:31 .
> drwxrwxrwx 6 root   root  4096 Sep 20 15:05 ..
> drwxrwxrwx 3 nobody talha 4096 Sep 20 15:31 ssl_db
> 
> The size file also has some values in it and cert generation also
> seems to work but suddenly it all crashes .
> **
> 
> 
> 
> 2012/09/20 14:57:45| Starting Squid Cache version
> 3.HEAD-20120425-r12120 for x86_64-unknown-linux-gnu...
> 2012/09/20 14:57:45| Process ID 23826
> 2012/09/20 14:57:45| Process Roles: master worker
> 2012/09/20 14:57:45| With 1024 file descriptors available
> 2012/09/20 14:57:45| Initializing IP Cache...
> 2012/09/20 14:57:45| DNS Socket created at [::], FD 5
> 2012/09/20 14:57:45| DNS Socket created at 0.0.0.0, FD 6
> 2012/09/20 14:57:45| Adding nameserver 192.168.8.1 from /etc/resolv.conf
> 2012/09/20 14:57:45| Adding domain localdomain from /etc/resolv.conf
> 2012/09/20 14:57:45| helperOpenServers: Starting 5/5 'ssl_crtd' processes
> 2012/09/20 14:57:45| Logfile: opening log
> daemon:/usr/local/squid-3.3/var/logs/access.log
> 2012/09/20 14:57:45| Logfile Daemon: opening log
> /usr/local/squid-3.3/var/logs/access.log
> 2012/09/20 14:57:45| Logfile: opening log 
> /usr/local/squid-3.3/var/logs/icap-log
> 2012/09/20 14:57:45| WARNING: log parameters now start with a module
> name. Use 'stdio:/usr/local/squid-3.3/var/logs/icap-log'
> 
> 
> 2012/09/20 14:57:45| Store logging disabled
> 2012/09/20 14:57:45| Swap maxSize 0 + 262144 KB, estimated 20164 objects
> 2012/09/20 14:57:45| Target number of buckets: 1008
> 2012/09/20 14:57:45| Using 8192 Store buckets
> 2012/09/20 14:57:45| Max Mem  size: 262144 KB
> 2012/09/20 14:57:45| Max Swap size: 0 KB
> 2012/09/20 14:57:45| Using Least Load store dir selection
> 2012/09/20 14:57:45| Set Current Directory to /usr/local/squid-3.3/var/cache
> 2012/09/20 14:57:45| Loaded Icons.
> 2012/09/20 14:57:45| HTCP Disabled.
> 2012/09/20 14:57:45| /usr/local/squid-3.3/var/run/squid.pid: (13)
> Permission denied
> 2012/09/20 14:57:45| WARNING: Could not write pid file
> 2012/09/20 14:57:45| Squid plugin modules loaded: 0
> 2012/09/20 14:57:45| Adaptation support is on
> 2012/09/20 14:57:45| Accepting SSL bumped HTTP Socket connections at
> local=192.168.8.134:3128 remote=[::] FD 20 flags=9
> 2012/09/20 14:57:45| Accepting HTTP Socket connections at
> local=192.168.8.134:8080 remote=[::] FD 21 flags=9
> 2012/09/20 14:57:45| Accepting SSL bumped HTTPS Socket connections at
> local=192.168.8.134:3129 remote=[::] FD 22 flags=9
> 2012/09/20 14:57:46| storeLateRelease: released 0 objects
> 
> (ssl_crtd): Cannot create ssl certificate or private key.
> 2012/09/20 14:58:23| WARNING: ssl_crtd #2 exited
> 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5)
> 
> 2012/09/20 14:58:23| Starting new helpers
> 2012/09/20 14:58:23| helperOpenServers: Starting 1/5 'ssl_crtd' processes
> 2012/09/20 14:58:23| client_side.cc(3478) sslCrtdHandleReply:
> "ssl_crtd" helper return  reply
> (ssl_crtd): Cannot create ssl certificate or private key.
> 
> 2012/09/20 14:58:23| WARNING: ssl_crtd #1 exited
> 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5)
> 2012/09/20 14:58:23| storeDirWriteCleanLogs: Starting...
> 2012/09/20 14:58:23|   Finished.  Wrote 0 entries.
> 2012/09/20 14:58:23|   Took 0.00 seconds (  0.00 entries/sec).
> FATAL: The ssl_crtd helpers

Re: [squid-users] problems with ssl_crtd

2012-09-21 Thread Linos
On 20/09/12 12:58, Ahmed Talha Khan wrote:
> Hey Guy, All
> 
> I have started facing a very similar issue now. I have been using
> squid-3.HEAD-20120421-r12120 for about 5 months without any issues.
> Suddenly from yesterday I've started getting crashes in ssl_crtd
> process.
> 
> 
> In my case i am the only user but i observe that the behaviour is
> random. Sometimes it crashes and sometimes it works. Different https
> pages give the crash. Even non https pages have caused the crash.
> 
>  These occur especially on google https pages like docs, mail, calendar etc.
> 
> The signing cert is also ok and has NOT expired.
> 
> 

I can confirm my problem is not reproducible with https://www.apple.com (for
example), not as easily as with google domain almost.

Regards,
Miguel Angel.
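
The checks raised in this thread (a non-empty squid_ssl_db/size file, ownership of the directory and files, and the drwxrwxrwx mode in the listing above) can be scripted. This is an added example, not part of the original posts or of Squid; the function name check_ssl_db and the rule that nothing in the database should be world-writable are assumptions of the example.

```python
import os
import stat


def _entry_findings(path, expected_uid):
    """Ownership and mode findings for one file or directory."""
    st = os.lstat(path)
    out = []
    if expected_uid is not None and st.st_uid != expected_uid:
        out.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    # Symlink mode bits are meaningless on Linux, so skip them.
    if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
        out.append(f"{path}: world-writable ({stat.filemode(st.st_mode)})")
    return out


def check_ssl_db(path, expected_uid=None):
    """Return a list of findings for an ssl_crtd database directory.

    An empty list means none of the problems discussed in the thread
    was found. expected_uid is the uid the helper runs as (assumption:
    the caller knows it, e.g. from cache_effective_user).
    """
    if not os.path.isdir(path):
        return [f"{path}: not a directory (database not initialised?)"]

    findings = _entry_findings(path, expected_uid)
    for root, dirs, files in os.walk(path):
        for name in sorted(dirs + files):
            findings += _entry_findings(os.path.join(root, name), expected_uid)

    # The 'size' file must hold one non-negative integer, e.g. "139264".
    size_file = os.path.join(path, "size")
    try:
        with open(size_file, "r", encoding="ascii") as fh:
            content = fh.read().strip()
    except FileNotFoundError:
        findings.append(f"{size_file}: missing")
    except (OSError, UnicodeDecodeError) as exc:
        findings.append(f"{size_file}: unreadable ({exc})")
    else:
        if content == "":
            findings.append(f"{size_file}: empty")
        elif not content.isdigit():
            findings.append(f"{size_file}: not a number: {content!r}")
    return findings


if __name__ == "__main__":
    import sys

    # Usage: python check_ssl_db.py /var/spool/squid3/squid_ssl_db [uid]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else None
    problems = check_ssl_db(target, uid)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```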



Re: [squid-users] problems with ssl_crtd

2012-09-21 Thread Linos
On 21/09/12 09:20, Amos Jeffries wrote:
> Firstly, is this problem still occurring with a recent snapshot? we have done a
> lot of stabilization on squid-3 in the months working up towards 3.2.1 release
> and the SSL code has had two new features added to improve the bumping process
> and behaviours.
> 
> 
> Secondly, the issue as you found is not in Squid but in the helper. You should
> be able to add -d option to the helper command line to get a debug trace out of
> it into cache.log. Set Squid to a normal (0 or 1) level to avoid any squid debug
> confusing the helper traces.
> 
> In 3.2 helpers crashing is not usually a fatal event, you will simply see an
> annoying amount of that:
> "
> 
> 2012/09/20 14:58:23| WARNING: ssl_crtd #2 exited
> 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5)
> 2012/09/20 14:58:23| Starting new helpers
> "
> 
> 
> In this case there is something in the cert database or system environment 
> which
> is triggering the crash and persisting across into newly started helpers,
> crashing them as well. This is the one case where Squid is still killed by
> helpers dying faster than they can be sent lookups, thus the
> 
> "FATAL: The ssl_crtd helpers are crashing too rapidly, need help!"
> 
> HTH
> Amos
> 

I have not tried a recent snapshot but i am going to do right now.

I have added a -d option, now i have this line in squid.conf:
sslcrtd_program /usr/lib/squid3/ssl_crtd -d -s /var/spool/squid3/squid_ssl_db -M
16MB

Still i don't get anything new in cache.log, this is the last crash:

(ssl_crtd): Cannot create ssl certificate or private key.
2012/09/21 10:33:10| WARNING: ssl_crtd #2 exited
2012/09/21 10:33:10| Too few ssl_crtd processes are running (need 1/10)
2012/09/21 10:33:10| Starting new helpers
2012/09/21 10:33:10| helperOpenServers: Starting 1/10 'ssl_crtd' processes
2012/09/21 10:33:10| client_side.cc(3477) sslCrtdHandleReply: "ssl_crtd" helper return  reply
(ssl_crtd): Cannot create ssl certificate or private key.
2012/09/21 10:33:10| WARNING: ssl_crtd #1 exited
2012/09/21 10:33:10| Too few ssl_crtd processes are running (need 1/10)
2012/09/21 10:33:10| Closing HTTP port 0.0.0.0:3128
2012/09/21 10:33:10| Closing HTTP port [::]:3150
2012/09/21 10:33:10| storeDirWriteCleanLogs: Starting...
2012/09/21 10:33:10| 65536 entries written so far.
2012/09/21 10:33:10|   Finished.  Wrote 112080 entries.
2012/09/21 10:33:10|   Took 0.04 seconds (2691254.86 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

Squid Cache (Version 3.2.1): Terminated abnormally.
(ssl_crtd): Cannot create ssl certificate or private key.
CPU Usage: 1.196 seconds = 0.720 user + 0.476 sys
Maximum Resident Size: 199824 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena:   34196 KB
Ordinary blocks:33966 KB 52 blks
Small blocks:   0 KB  1 blks
Holding blocks: 37268 KB  8 blks
Free Small blocks:  0 KB
Free Ordinary blocks: 229 KB
Total in use:   71234 KB 208%
Total free:   229 KB 1%


I have tried to attach to the five ssl_crtd processes but after the crash i get:

[Inferior 1 (process 465) exited normally]
[Inferior 1 (process 463) exited normally]
[Inferior 1 (process 464) exited normally]
[Inferior 1 (process 466) exited with code 01]
[Inferior 1 (process 467) exited with code 01]

so no backtrace, neither in gdb nor in cache.log.

About the environment problem, it seems to be related to google domains, i don't
know if i could trigger it with others, but not as easily for sure.

I am going to try the last snapshot in a while and post here my results.

Regards,
Miguel Angel.
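
An added example, not part of the original post or of Squid: a small cache.log reader that separates the isolated helper exits Amos describes from the burst of exits that ends in the FATAL line. The 30-second window, the function names and the sample log (constructed in the format quoted in this thread) are assumptions of the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the cache.log excerpts quoted in this
# thread: one isolated helper exit, then two exits in the same second and FATAL.
SAMPLE_LOG = """\
(ssl_crtd): Cannot create ssl certificate or private key.
2012/09/21 09:41:07| WARNING: ssl_crtd #4 exited
2012/09/21 09:41:07| Too few ssl_crtd processes are running (need 1/10)
2012/09/21 09:41:07| Starting new helpers
(ssl_crtd): Cannot create ssl certificate or private key.
2012/09/21 10:33:10| WARNING: ssl_crtd #2 exited
2012/09/21 10:33:10| Too few ssl_crtd processes are running (need 1/10)
2012/09/21 10:33:10| Starting new helpers
2012/09/21 10:33:10| client_side.cc(3477) sslCrtdHandleReply: "ssl_crtd" helper
return  reply
(ssl_crtd): Cannot create ssl certificate or private key.
2012/09/21 10:33:10| WARNING: ssl_crtd #1 exited
2012/09/21 10:33:10| Too few ssl_crtd processes are running (need 1/10)
2012/09/21 10:33:10| Closing HTTP port 0.0.0.0:3128
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
"""

# "date time| message", optionally "date time kidN| message" on SMP builds.
STAMPED = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?: \w+)?\|\s*(.*)$")
EXITED = re.compile(r"^WARNING: (\S+) #(\d+) exited$")
HELPER_STDERR = re.compile(r"^\(([\w.-]+)\): (.+)$")  # helper's own stderr
FATAL = re.compile(r"^FATAL: (.+)$")
WINDOW = timedelta(seconds=30)  # example choice, not a value from the thread


def parse_cache_log(text):
    """Return (exits, fatals) found in cache.log text.

    exits:  (timestamp, helper, child number, last stderr line or None)
    fatals: (timestamp of the last stamped line before it, message)
    """
    exits, fatals, pending, last_ts = [], [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = STAMPED.match(line)
        if m:
            last_ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            e = EXITED.match(m.group(2))
            if e:
                helper = e.group(1)
                exits.append((last_ts, helper, int(e.group(2)),
                              pending.pop(helper, None)))
            continue
        s = HELPER_STDERR.match(line)
        if s:  # unstamped helper message: tie it to that helper's next exit
            pending[s.group(1)] = s.group(2)
            continue
        f = FATAL.match(line)
        if f:
            fatals.append((last_ts, f.group(1)))
        # anything else unstamped is a wrapped continuation line: ignored
    return exits, fatals


def crash_bursts(exits, window=WINDOW, threshold=2):
    """Group each helper's exits into runs whose gaps are all <= window."""
    by_helper = defaultdict(list)
    for ts, helper, _child, _msg in exits:
        by_helper[helper].append(ts)
    bursts = []
    for helper, stamps in sorted(by_helper.items()):
        stamps.sort()
        start = 0
        while start < len(stamps):
            end = start
            while end + 1 < len(stamps) and stamps[end + 1] - stamps[end] <= window:
                end += 1
            if end - start + 1 >= threshold:
                bursts.append((helper, stamps[start], stamps[end], end - start + 1))
            start = end + 1
    return bursts


def summarize(text, window=WINDOW):
    exits, fatals = parse_cache_log(text)
    bursts = crash_bursts(exits, window)
    fatal_after_burst = any(
        ts is not None and start <= ts <= end + window
        for ts, _msg in fatals for _h, start, end, _n in bursts)
    return {
        "exits": len(exits),
        "reasons": dict(Counter(e[3] for e in exits if e[3])),
        "bursts": [(h, str(s), str(e), n) for h, s, e, n in bursts],
        "fatal_after_burst": fatal_after_burst,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```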


Re: [squid-users] problems with ssl_crtd

2012-09-21 Thread Linos
On 21/09/12 09:20, Amos Jeffries wrote:
> Firstly, is this problem still occurring with a recent snapshot? we have done a
> lot of stabilization on squid-3 in the months working up towards 3.2.1 release
> and the SSL code has had two new features added to improve the bumping process
> and behaviours.
> 
> 
> Secondly, the issue as you found is not in Squid but in the helper. You should
> be able to add -d option to the helper command line to get a debug trace out of
> it into cache.log. Set Squid to a normal (0 or 1) level to avoid any squid debug
> confusing the helper traces.
> 
> In 3.2 helpers crashing is not usually a fatal event, you will simply see an
> annoying amount of that:
> "
> 
> 2012/09/20 14:58:23| WARNING: ssl_crtd #2 exited
> 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5)
> 2012/09/20 14:58:23| Starting new helpers
> "
> 
> 
> In this case there is something in the cert database or system environment 
> which
> is triggering the crash and persisting across into newly started helpers,
> crashing them as well. This is the one case where Squid is still killed by
> helpers dying faster than they can be sent lookups, thus the
> 
> "FATAL: The ssl_crtd helpers are crashing too rapidly, need help!"
> 
> HTH
> Amos
> 

Tested squid-3.HEAD-20120921-r12321, squid itself crashes very fast with this
version, i have no time to test the ssl problem:

squid3 -N
2012/09/21 11:09:49| SECURITY NOTICE: auto-converting deprecated "ssl_bump allow
" to "ssl_bump client-first " which is usually inferior to the newer
server-first bumping mode. Update your ssl_bump rules.
Abortado (`core' generado)

about the core file, no matter what i put in squid.conf, squid does not generate
it, i have this line right now:
coredump_dir /var/log/squid3

but i have tried use the squid cache_dir itself and does not work either, i have
executed it in gdb and get this backtrace.


#0  0x7579a445 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x7579dbab in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x556cf63d in xassert (
msg=0x55906778 "!conn() || conn()->clientConnection == NULL ||
conn()->clientConnection->fd == aDescriptor", file=, line=103)
at debug.cc:565
#3  0x557c8985 in ACLFilledChecklist::fd (this=0x5691b418,
aDescriptor=11) at FilledChecklist.cc:103
#4  0x556f73bd in FwdState::initiateSSL (this=0x57b00268)
at forward.cc:831
#5  0x557fd204 in AsyncCall::make (this=0x577c9cf0)
at AsyncCall.cc:35
#6  0x55800227 in AsyncCallQueue::fireNext (this=)
at AsyncCallQueue.cc:52
#7  0x55800380 in AsyncCallQueue::fire (this=0x55d5aba0)
at AsyncCallQueue.cc:38
#8  0x556e8604 in EventLoop::runOnce (this=0x7fffe460)
at EventLoop.cc:130
#9  0x556e86d8 in EventLoop::run (this=0x7fffe460)
at EventLoop.cc:94
#10 0x55749249 in SquidMain (argc=,
argv=) at main.cc:1518
#11 0x55678536 in SquidMainSafe (argv=,
argc=) at main.cc:1240
#12 main (argc=, argv=) at main.cc:1232


Regards,
Miguel Angel.


Re: [squid-users] problems with ssl_crtd

2012-09-24 Thread Linos
ot create ssl certificate or private key.
> 
> 2012/09/20 14:58:23| WARNING: ssl_crtd #1 exited
> 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5)
> 2012/09/20 14:58:23| storeDirWriteCleanLogs: Starting...
> 2012/09/20 14:58:23|   Finished.  Wrote 0 entries.
> 2012/09/20 14:58:23|   Took 0.00 seconds (  0.00 entries/sec).
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
> 
> Squid Cache (Version 3.HEAD-20120425-r12120): Terminated abnormally.
> CPU Usage: 0.355 seconds = 0.289 user + 0.066 sys
> Maximum Resident Size: 71104 KB
> Page faults with physical i/o: 0
> Memory usage for squid via mallinfo():
> total space in arena:   11924 KB
> Ordinary blocks:11818 KB 49 blks
> Small blocks:   0 KB  0 blks
> Holding blocks:   664 KB  2 blks
> Free Small blocks:  0 KB
> Free Ordinary blocks: 105 KB
> 
> 
> 
> 
> 
> 
> On Thu, Sep 20, 2012 at 2:52 PM, Linos  wrote:
>> On 19/09/12 16:46, Guy Helmer wrote:
>>>>
>>>> Thanks for reply.
>>>>
>>>> I checked the squid_ssl_db/size because I found the empty file problem
>>>> searching for my own problem in the mailing list, it's ok in my host, the
>>>> file has the content "139264" right now.
>>>>
>>>> I can't find the core file, do I need to do something for it to generate?
>>>> Maybe a configure script option or squid.conf change to activate it?
>>>>
>>>> Regards,
>>>> Miguel Angel.
>>>
>>> I have
>>>
>>> coredump_dir /var/log/squid
>>>
>>> to get coredumps in my /var/log/squid directory. Now that I think about it, 
>>> I don't remember if this works for ssl_crtd though -- seems like I have had 
>>> to start "gdb ssl_crtd" and then attach to one of the ssl_crtd processes, 
>>> then generate HTTPS traffic to trigger the request to ssl_crtd and get a 
>>> backtrace when ssl_crtd gets the segfault signal…
>>>
>>> Guy
>>>
>>
>> Hi,
>> I have been trying to debug with gdb by attaching to an existing process; the
>> strange thing is that ssl_crtd seems to exit normally in this test. Here you
>> have it (sorry for the Spanish locale, I will use English next time; the only
>> file with symbols is ssl_crtd itself):
>>
>> 
>> GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
>> Copyright (C) 2012 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
>> and "show warranty" for details.
>> This GDB was configured as "x86_64-linux-gnu".
>> Para las instrucciones de informe de errores, vea:
>> <http://bugs.launchpad.net/gdb-linaro/>.
>> (gdb) attach 10495
>> Adjuntando a process 10495
>> Leyendo símbolos desde /usr/lib/squid3/ssl_crtd...Leyendo símbolos desde
>> /usr/lib/debug/usr/lib/squid3/ssl_crtd...hecho.
>> hecho.
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcrypto.so.0.9.8...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libstdc++.so.6...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libstdc++.so.6
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libgcc_s.so.1...(no se 
>> encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libgcc_s.so.1
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libc.so.6...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libc.so.6
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libdl.so.2...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libdl.so.2
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libz.so.1...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libz.so.1
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libm.so.6...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libm.so

Re: [squid-users] problems with ssl_crtd

2012-09-24 Thread Linos
On 24/09/12 12:52, Amos Jeffries wrote:
> On 24/09/2012 8:44 p.m., Linos wrote:
>> On 20/09/12 12:58, Ahmed Talha Khan wrote:
>>> Hey Guy, All
>>>
>>> I have started facing a very similar issue now. I have been using
>>> squid-3.HEAD-20120421-r12120 for about 5 months without any issues.
>>> Suddenly from yesterday I've started getting crashes in the ssl_crtd
>>> process.
>>>
>>>
>>> In my case i am the only user but i observe that the behaviour is
>>> random. Sometimes it crashes and sometimes it works. Different https
>>> pages give the crash. Even non https pages have caused the crash.
>>>
>>> These occur especially on Google https pages like docs, mail, calendar, etc.
>>>
>>> The signing cert is also ok and has NOT expired.
>>>
>>>
>>> My squid conf looks like this:
>>> ***
>>> sslproxy_cert_error allow all
>>>
>>> sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s
>>> /usr/local/squid-3.3/var/lib/ssl_db -M 4MB
>>> sslcrtd_children 5
>>>
>>> http_port 192.168.8.134:3128 ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=4MB
>>> cert=/home/asif/squid/www.sample.com.pem
>>> key=/home/asif/squid/www.sample.com.pem
>>>
>>> http_port 192.168.8.134:8080
>>>
>>> https_port 192.168.8.134:3129 ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=4MB
>>> cert=/home/asif/squid/www.sample.com.pem
>>> key=/home/asif/squid/www.sample.com.pem
>>> ***
>>>
>>> The ssl_db directory is initialized properly with correct permissions.
>>>
>>> ***
>>> [talha@localhost lib]$ pwd
>>> /usr/local/squid-3.3/var/lib
>>>
>>> [talha@localhost lib]$ ls -al
>>> total 24
>>> drwxrwxrwx 3 root   root  4096 Sep 20 15:31 .
>>> drwxrwxrwx 6 root   root  4096 Sep 20 15:05 ..
>>> drwxrwxrwx 3 nobody talha 4096 Sep 20 15:31 ssl_db
>>>
>>> The size file also has some values in it and cert generation also
>>> seems to work but suddenly it all crashes .
>>> **
>>>
>>>
>>>
>>> 2012/09/20 14:57:45| Starting Squid Cache version
>>> 3.HEAD-20120425-r12120 for x86_64-unknown-linux-gnu...
>>> 2012/09/20 14:57:45| Process ID 23826
>>> 2012/09/20 14:57:45| Process Roles: master worker
>>> 2012/09/20 14:57:45| With 1024 file descriptors available
>>> 2012/09/20 14:57:45| Initializing IP Cache...
>>> 2012/09/20 14:57:45| DNS Socket created at [::], FD 5
>>> 2012/09/20 14:57:45| DNS Socket created at 0.0.0.0, FD 6
>>> 2012/09/20 14:57:45| Adding nameserver 192.168.8.1 from /etc/resolv.conf
>>> 2012/09/20 14:57:45| Adding domain localdomain from /etc/resolv.conf
>>> 2012/09/20 14:57:45| helperOpenServers: Starting 5/5 'ssl_crtd' processes
>>> 2012/09/20 14:57:45| Logfile: opening log
>>> daemon:/usr/local/squid-3.3/var/logs/access.log
>>> 2012/09/20 14:57:45| Logfile Daemon: opening log
>>> /usr/local/squid-3.3/var/logs/access.log
>>> 2012/09/20 14:57:45| Logfile: opening log 
>>> /usr/local/squid-3.3/var/logs/icap-log
>>> 2012/09/20 14:57:45| WARNING: log parameters now start with a module
>>> name. Use 'stdio:/usr/local/squid-3.3/var/logs/icap-log'
>>>
>>>
>>> 2012/09/20 14:57:45| Store logging disabled
>>> 2012/09/20 14:57:45| Swap maxSize 0 + 262144 KB, estimated 20164 objects
>>> 2012/09/20 14:57:45| Target number of buckets: 1008
>>> 2012/09/20 14:57:45| Using 8192 Store buckets
>>> 2012/09/20 14:57:45| Max Mem  size: 262144 KB
>>> 2012/09/20 14:57:45| Max Swap size: 0 KB
>>> 2012/09/20 14:57:45| Using Least Load store dir selection
>>> 2012/09/20 14:57:45| Set Current Directory to /usr/local/squid-3.3/var/cache
>>> 2012/09/20 14:57:45| Loaded Icons.
>>> 2012/09/20 14:57:45| HTCP Disabled.
>>> 2012/09/20 14:57:45| /usr/local/squid-3.3/var/run/squid.pid: (13)
>>> Permission denied
>>> 2012/09/20 14:57:45| WARNING: Could not write pid file
>>> 2012/09/20 14:57:45| Squid plugin modules loaded: 0
>>> 2012/09/20 14:57:45| Adaptation support is on
>>> 2012/09/20 14:57:45| Accepting SSL bumped HTTP Socket connections at
>>> local=192.168.8.134

Re: [squid-users] problems with ssl_crtd

2012-09-25 Thread Linos
Sure, you have it attached.

Miguel Angel.

On 24/09/12 20:10, Ahmed Talha Khan wrote:
> Linos,
> 
> I have not debugged the issue yet. Will post results when I do it.
> 
> Can anyone kindly provide the FATAL patch?
> 
> -talha
> 
> On Mon, Sep 24, 2012 at 9:47 PM, Linos  wrote:
>> On 24/09/12 12:52, Amos Jeffries wrote:
>>> On 24/09/2012 8:44 p.m., Linos wrote:
>>>> On 20/09/12 12:58, Ahmed Talha Khan wrote:
>>>>> Hey Guy, All
>>>>>
>>>>> I have started facing a very similar issue now. I have been using
>>>>> squid-3.HEAD-20120421-r12120 for about 5 months without any issues.
>>>>> Suddenly from yesterday I've started getting crashes in the ssl_crtd
>>>>> process.
>>>>>
>>>>>
>>>>> In my case i am the only user but i observe that the behaviour is
>>>>> random. Sometimes it crashes and sometimes it works. Different https
>>>>> pages give the crash. Even non https pages have caused the crash.
>>>>>
>>>>> These occur especially on Google https pages like docs, mail, calendar, etc.
>>>>>
>>>>> The signing cert is also ok and has NOT expired.
>>>>>
>>>>>
>>>>> My squid conf looks like this:
>>>>> ***
>>>>> sslproxy_cert_error allow all
>>>>>
>>>>> sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s
>>>>> /usr/local/squid-3.3/var/lib/ssl_db -M 4MB
>>>>> sslcrtd_children 5
>>>>>
>>>>> http_port 192.168.8.134:3128 ssl-bump generate-host-certificates=on
>>>>> dynamic_cert_mem_cache_size=4MB
>>>>> cert=/home/asif/squid/www.sample.com.pem
>>>>> key=/home/asif/squid/www.sample.com.pem
>>>>>
>>>>> http_port 192.168.8.134:8080
>>>>>
>>>>> https_port 192.168.8.134:3129 ssl-bump generate-host-certificates=on
>>>>> dynamic_cert_mem_cache_size=4MB
>>>>> cert=/home/asif/squid/www.sample.com.pem
>>>>> key=/home/asif/squid/www.sample.com.pem
>>>>> ***
>>>>>
>>>>> The ssl_db directory is initialized properly with correct permissions.
>>>>>
>>>>> ***
>>>>> [talha@localhost lib]$ pwd
>>>>> /usr/local/squid-3.3/var/lib
>>>>>
>>>>> [talha@localhost lib]$ ls -al
>>>>> total 24
>>>>> drwxrwxrwx 3 root   root  4096 Sep 20 15:31 .
>>>>> drwxrwxrwx 6 root   root  4096 Sep 20 15:05 ..
>>>>> drwxrwxrwx 3 nobody talha 4096 Sep 20 15:31 ssl_db
>>>>>
>>>>> The size file also has some values in it and cert generation also
>>>>> seems to work but suddenly it all crashes .
>>>>> **
>>>>>
>>>>>
>>>>>
>>>>> 2012/09/20 14:57:45| Starting Squid Cache version
>>>>> 3.HEAD-20120425-r12120 for x86_64-unknown-linux-gnu...
>>>>> 2012/09/20 14:57:45| Process ID 23826
>>>>> 2012/09/20 14:57:45| Process Roles: master worker
>>>>> 2012/09/20 14:57:45| With 1024 file descriptors available
>>>>> 2012/09/20 14:57:45| Initializing IP Cache...
>>>>> 2012/09/20 14:57:45| DNS Socket created at [::], FD 5
>>>>> 2012/09/20 14:57:45| DNS Socket created at 0.0.0.0, FD 6
>>>>> 2012/09/20 14:57:45| Adding nameserver 192.168.8.1 from /etc/resolv.conf
>>>>> 2012/09/20 14:57:45| Adding domain localdomain from /etc/resolv.conf
>>>>> 2012/09/20 14:57:45| helperOpenServers: Starting 5/5 'ssl_crtd' processes
>>>>> 2012/09/20 14:57:45| Logfile: opening log
>>>>> daemon:/usr/local/squid-3.3/var/logs/access.log
>>>>> 2012/09/20 14:57:45| Logfile Daemon: opening log
>>>>> /usr/local/squid-3.3/var/logs/access.log
>>>>> 2012/09/20 14:57:45| Logfile: opening log 
>>>>> /usr/local/squid-3.3/var/logs/icap-log
>>>>> 2012/09/20 14:57:45| WARNING: log parameters now start with a module
>>>>> name. Use 'stdio:/usr/local/squid-3.3/var/logs/icap-log'
>>>>>
>>>>>
>>>>> 2012/09/20 14:57:45| Store logging disabled

[squid-users] assertion failed squid 3.2.1

2012-10-09 Thread Linos
Hello,
Squid has exited today in my server with this error in cache.log

2012/10/09 11:18:27| assertion failed: disk.cc:374: "fd >= 0"

squid3 -v

Squid Cache: Version 3.2.1
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules'
'--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for' '--enable-auth-basic' '--enable-auth-digest'
'--enable-auth-ntlm' '--enable-auth-negotiate'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm,'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2'
'--disable-translation' '--with-logdir=/var/log/squid3'
'--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy' '--enable-ssl'
'--enable-ssl-crtd' '--disable-epoll' '--enable-linux-netfilter'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security'
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security'

Regards,
Miguel Angel.


[squid-users] Squid 3.2.1 bug

2012-10-18 Thread Linos
Hi!,
today my Squid 3.2.1 exited with these errors in cache.log, I have restarted it,
I send it to the list just in case it helps to find a bug.

2012/10/18 13:14:45| BUG: Orphan Comm::Connection:
local=[fe80::215:17ff:feb2:303e]:53077 remote=[2a00:1450:400c:c05::54]:443 FD
306 flags=1
2012/10/18 13:14:45| NOTE: 3 Orphans since last started.
2012/10/18 13:14:45| comm.cc(1094) _comm_close: BUG 3556: FD 306 is not an open
socket.
2012/10/18 13:14:49| clientNegotiateSSL: Error negotiating SSL connection on FD
142: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2012/10/18 13:14:54| BUG: Orphan Comm::Connection:
local=[fe80::215:17ff:feb2:303e]:36372 remote=[2a00:1450:4007:804::101e]:443 FD
317 flags=1
2012/10/18 13:14:54| NOTE: 4 Orphans since last started.
2012/10/18 13:14:54| comm.cc(1094) _comm_close: BUG 3556: FD 317 is not an open
socket.
2012/10/18 13:15:07| assertion failed: forward.cc:199: "err"

Regards,
Miguel Angel.


Re: [squid-users] Squid 3.2.1 bug

2012-10-18 Thread Linos
On 18/10/12 13:37, Linos wrote:
> Hi!,
> today my Squid 3.2.1 exited with these errors in cache.log, I have restarted
> it, I send it to the list just in case it helps to find a bug.
> 
> 2012/10/18 13:14:45| BUG: Orphan Comm::Connection:
> local=[fe80::215:17ff:feb2:303e]:53077 remote=[2a00:1450:400c:c05::54]:443 FD
> 306 flags=1
> 2012/10/18 13:14:45| NOTE: 3 Orphans since last started.
> 2012/10/18 13:14:45| comm.cc(1094) _comm_close: BUG 3556: FD 306 is not an 
> open
> socket.
> 2012/10/18 13:14:49| clientNegotiateSSL: Error negotiating SSL connection on 
> FD
> 142: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2012/10/18 13:14:54| BUG: Orphan Comm::Connection:
> local=[fe80::215:17ff:feb2:303e]:36372 remote=[2a00:1450:4007:804::101e]:443 
> FD
> 317 flags=1
> 2012/10/18 13:14:54| NOTE: 4 Orphans since last started.
> 2012/10/18 13:14:54| comm.cc(1094) _comm_close: BUG 3556: FD 317 is not an 
> open
> socket.
> 2012/10/18 13:15:07| assertion failed: forward.cc:199: "err"
> 
> Regards,
> Miguel Angel.
> 

other crash:

2012/10/18 13:37:28| BUG: Orphan Comm::Connection:
local=[fe80::215:17ff:feb2:303e]:57966 remote=[2a00:1450:4007:800::1012]:443 FD
176 flags=1
2012/10/18 13:37:28| NOTE: 3 Orphans since last started.
2012/10/18 13:37:37| DiskThreadsDiskFile::openDone: (2) No such file or 
directory
2012/10/18 13:37:37|/mnt/squid/squid3/02/21/00022138
2012/10/18 13:37:47| BUG: Orphan Comm::Connection:
local=[fe80::215:17ff:feb2:303e]:43599 remote=[2a00:1450:4007:801::101e]:443 FD
64 flags=1
2012/10/18 13:37:47| NOTE: 4 Orphans since last started.
2012/10/18 13:37:47| BUG: Orphan Comm::Connection:
local=[fe80::215:17ff:feb2:303e]:41288 remote=[2a00:1450:4007:800::1017]:443 FD
79 flags=1
2012/10/18 13:37:47| NOTE: 5 Orphans since last started.
2012/10/18 13:37:54| DiskThreadsDiskFile::openDone: (2) No such file or 
directory
2012/10/18 13:37:54|/mnt/squid/squid3/02/21/00022138
2012/10/18 13:37:57| BUG: Orphan Comm::Connection:
local=[fe80::215:17ff:feb2:303e]:41344 remote=[2a00:1450:4007:800::1017]:443 FD
279 flags=1
2012/10/18 13:37:57| NOTE: 6 Orphans since last started.
2012/10/18 13:37:57| comm.cc(1094) _comm_close: BUG 3556: FD 279 is not an open
socket.
2012/10/18 13:38:11| DiskThreadsDiskFile::openDone: (2) No such file or 
directory
2012/10/18 13:38:11|/mnt/squid/squid3/02/21/00022138
2012/10/18 13:38:31| BUG: Orphan Comm::Connection:
local=[fe80::215:17ff:feb2:303e]:58203 remote=[2a00:1450:4007:800::1012]:443 FD
128 flags=1
2012/10/18 13:38:31| NOTE: 7 Orphans since last started.
2012/10/18 13:38:45| assertion failed: forward.cc:199: "err"

i checked the disks of the raid to be sure it's not a hardware problem, seems to
be fine.


Miguel Angel.
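
A triage pass over cache.log excerpts like the ones posted in these threads, as an added example that is not part of the original posts or of Squid itself. It rejoins entries that were hard-wrapped by the mail client, then counts assertion failures, orphan connections, numbered BUG lines and ssl_crtd helper exits; the function names and the embedded sample are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample, shaped like the cache.log excerpts quoted in this thread,
# including the hard line wrapping the mail client applied to long entries.
SAMPLE_LOG = """\
2012/10/18 13:14:45| BUG: Orphan Comm::Connection:
local=[fe80::215:17ff:feb2:303e]:53077 remote=[2a00:1450:400c:c05::54]:443 FD
306 flags=1
2012/10/18 13:14:45| NOTE: 3 Orphans since last started.
2012/10/18 13:14:45| comm.cc(1094) _comm_close: BUG 3556: FD 306 is not an open
socket.
2012/10/18 13:15:07| assertion failed: forward.cc:199: "err"
2012/10/09 11:18:27| assertion failed: disk.cc:374: "fd >= 0"
2012/09/20 14:58:23| WARNING: ssl_crtd #1 exited
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
"""

# A logical entry starts with "YYYY/MM/DD HH:MM:SS|"; the space after "|" is optional.
ENTRY_START = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| ?(.*)$")

# First matching pattern wins, so the more specific ones come first.
PATTERNS = [
    ("assertion", re.compile(r'assertion failed: (\S+?):(\d+): "(.*)"')),
    ("orphan", re.compile(r"BUG: Orphan Comm::Connection: .*\bFD (\d+)")),
    ("bug", re.compile(r"\bBUG (\d+):")),
    ("helper_exit", re.compile(r"WARNING: (\S+) #\d+ exited")),
    ("fatal", re.compile(r"^FATAL: (.*)")),
]


def join_entries(text):
    """Rebuild logical entries; a line without a timestamp continues the previous one."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_START.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line.startswith("FATAL:") or not entries:
            # FATAL lines carry no timestamp but are entries of their own.
            entries.append([None, line])
        else:
            entries[-1][1] += " " + line
    return [(ts, msg) for ts, msg in entries]


def triage(text):
    """Return (counts per event kind, list of (timestamp, file, line, expression))."""
    counts = Counter()
    assertions = []
    for ts, msg in join_entries(text):
        for kind, rx in PATTERNS:
            m = rx.search(msg)
            if not m:
                continue
            counts[kind] += 1
            if kind == "assertion":
                assertions.append((ts, m.group(1), int(m.group(2)), m.group(3)))
            break
    return counts, assertions


if __name__ == "__main__":
    counts, assertions = triage(SAMPLE_LOG)
    for kind, n in sorted(counts.items()):
        print(f"{kind:12} {n}")
    for ts, src, line, expr in assertions:
        print(f"{ts} assertion at {src}:{line} ({expr})")
```

Grouping the assertion entries by source file and line makes it easy to see whether repeated exits come from the same check, which is the detail a bug report to the list needs.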