On 2025-10-31 11:38, Dieter Bloms wrote:
Hello Alex,

thank you for your answer,
yes, with:

tls_outgoing_options options=0x80

squid doesn't complain about this parameter anymore and is running, but I think it 
will not be taken into account.

I still get the errorpage "ERR_READ_ERROR" when I try to reach 
https://www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do with enabled bumping.

> ... for me it looks like squid doesn't set the ssl option

... or Squid sets the option, but setting it has no effect due to other problems (e.g., Squid does not use the SSL context for which the option was set). We probably solved the initial "How to set" problem, but more triage is needed to figure out why that site does not work for you.

Personally, I am overloaded with other Squid volunteering work and dealing with other Squid Project-created overheads, so I cannot promise to look into this right now, unfortunately.

Alex.


With the openssl command it makes a difference (the error message is gone when 
SSL_OP_IGNORE_UNEXPECTED_EOF is given as an option).

without SSL_OP_IGNORE_UNEXPECTED_EOF you get an error:

--snip--
root@trixie:/# echo -e "GET 
https:////www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do HTTP/1.1\r\nHost: 
www.zeitwertkonten.ruv.de\r\n\r\n" | openssl s_client -quiet -connect 
www.zeitwertkonten.ruv.de:443 >/dev/null
Connecting to 91.235.236.137
depth=3 C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
verify return:1
depth=2 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1
verify return:1
depth=1 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS OV ICA 2022 - 1
verify return:1
depth=0 C=DE, ST=HE, L=Wiesbaden, O=R+V Allgemeine Versicherung AG, 
CN=www.zeitwertkonten.ruv.de
verify return:1
40876FE3EB7F0000:error:0A000126:SSL routines::unexpected eof while 
reading:../ssl/record/rec_layer_s3.c:696:
root@trixie:/#
--snip--

with SSL_OP_IGNORE_UNEXPECTED_EOF the error message is gone:

--snip--
root@trixie:/# echo -e "GET 
https:////www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do HTTP/1.1\r\nHost: 
www.zeitwertkonten.ruv.de\r\n\r\n" | openssl s_client -ignore_unexpected_eof  -quiet 
-connect www.zeitwertkonten.ruv.de:443 >/dev/null
Connecting to 91.235.236.137
depth=3 C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
verify return:1
depth=2 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1
verify return:1
depth=1 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS OV ICA 2022 - 1
verify return:1
depth=0 C=DE, ST=HE, L=Wiesbaden, O=R+V Allgemeine Versicherung AG, 
CN=www.zeitwertkonten.ruv.de
verify return:1
root@trixie:/#
--snip--

so for me it looks like squid doesn't set the ssl option


On Fri, Oct 31, Alex Rousskov wrote:

On 2025-10-31 08:12, Dieter Bloms wrote:

Does anybody know how to set the SSL option SSL_OP_IGNORE_UNEXPECTED_EOF

Squid does not recognize that option by name[^1]. Use the option's hex value as
a workaround until [^1]. If my math is correct[^2], that option's hex value is
0x80.

[^1]: A quality pull request adding by-name support for all known OpenSSL
v3.5 options is welcome.

[^2]: From OpenSSL include/openssl/ssl.h.in sources:
#define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)
#define SSL_OP_IGNORE_UNEXPECTED_EOF  SSL_OP_BIT(7)


HTH,

Alex.

There are some websites like 
https://www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do
which don't send the close_notify alert on shutdown and squid sends an error 
page to the browser.
For a workaround I want to set the SSL_OP_IGNORE_UNEXPECTED_EOF option, but it 
doesn't work.

I added one of the following lines, but every time squid complains about unknown TLS 
options.

tls_outgoing_options options=SSL_OP_IGNORE_UNEXPECTED_EOF
or
tls_outgoing_options options=IGNORE_UNEXPECTED_EOF

but every time I get an error message like
2025/10/31 11:56:35 kid1| ERROR: Unknown TLS option SSL_OP_IGNORE_UNEXPECTED_EOF
or
2025/10/31 12:53:20 kid1| ERROR: Unknown TLS option IGNORE_UNEXPECTED_EOF

My ssl_bump related configlines look like:

http_port 8080 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=32MB tls-cert=/secrets/ca.pem 
tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db 
-M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
tls_outgoing_options options=IGNORE_UNEXPECTED_EOF
ssl_bump peek step1
ssl_bump splice nohttpsscandomain
ssl_bump bump all

I use squid 7.3 on an up-to-date Debian trixie with OpenSSL 3.5.1:

Here are some details of my system:

~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
NAME="Debian GNU/Linux"
VERSION_ID="13"
VERSION="13 (trixie)"
VERSION_CODENAME=trixie
DEBIAN_VERSION_FULL=13.1
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

root@cdxhttpproxyiapdev01-v2465:/etc/squid# squid -v
Squid Cache: Version 7.3
Service Name: squid

This binary uses OpenSSL 3.5.1 1 Jul 2025. configure options:  '--prefix=/usr' 
'--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' 
'--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' 
'--mandir=/usr/share/man' '--with-default-user=squid' 
'--with-filedescriptors=131072' '--with-logdir=/var/log/squid' 
'--disable-auto-locale' '--disable-eui' '--disable-carp' '--disable-htcp' 
'--disable-ident-lookups' '--disable-translation' '--disable-wccp' 
'--disable-wccpv2' '--disable-arch-native' '--disable-auth-negotiate' 
'--disable-auth-ntlm' '--enable-async-io=128' '--enable-auth-basic=LDAP,NCSA' 
'--enable-auth-digest=file,LDAP' '--enable-epoll' 
'--enable-log-daemon-helpers=file' '--enable-icap-client' '--enable-inline' 
'--enable-snmp' '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' 
'--enable-storeio=ufs,aufs,rock' '--enable-referer-log' 
'--enable-useragent-log' '--enable-large-cache-files' 
'--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded-for' 
'--enable-ssl-crtd' '--with-openssl' 'CFLAGS=-g -O2 
-Werror=implicit-function-declaration -ffile-prefix-map=/=. 
-fstack-protector-strong -fstack-clash-protection -Wformat 
-Werror=format-security -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 
-ffile-prefix-map=/=. -fstack-protector-strong -fstack-clash-protection 
-Wformat -Werror=format-security -fcf-protection'

_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
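Added example, not code from the thread or from the Squid project: a small Python helper that does the footnote's arithmetic (SSL_OP_BIT(n) = 1 << n) for a table of option names, turns a comma-separated list of names and/or hex literals into the single hex value that the thread shows Squid accepting in `tls_outgoing_options options=`, decodes such a mask back into names, and cross-checks the table against the `ssl.OP_*` constants of the OpenSSL that the local Python was built against. Only the IGNORE_UNEXPECTED_EOF bit (7) comes from the thread; the other bit indices are transcribed from memory of OpenSSL 3's include/openssl/ssl.h.in and should be verified against the headers of the OpenSSL your Squid links. The name convention (no `SSL_OP_` prefix) follows the forms tried in the thread; this helper is not Squid's parser and makes no claim about which names Squid itself knows.

```python
import ssl

# Bit indices as in OpenSSL 3's include/openssl/ssl.h.in: SSL_OP_<NAME> = SSL_OP_BIT(n).
# IGNORE_UNEXPECTED_EOF (bit 7) is the value quoted in the thread; the remaining
# entries are transcribed from memory (assumption) and should be checked against
# the local headers or confirmed with cross_check_with_python_ssl() below.
OPTION_BITS = {
    "IGNORE_UNEXPECTED_EOF": 7,
    "NO_TICKET": 14,
    "NO_COMPRESSION": 17,
    "CIPHER_SERVER_PREFERENCE": 22,
    "NO_SSLv3": 25,
    "NO_TLSv1": 26,
    "NO_TLSv1_2": 27,
    "NO_TLSv1_1": 28,
    "NO_TLSv1_3": 29,
    "NO_RENEGOTIATION": 30,
}


def ssl_op_bit(n):
    """SSL_OP_BIT(n) from ssl.h.in: ((uint64_t)1 << (uint64_t)n)."""
    if not 0 <= n < 64:
        raise ValueError("OpenSSL option bits are numbered 0..63")
    return 1 << n


def option_value(name):
    """Numeric value of SSL_OP_<name>, e.g. option_value('IGNORE_UNEXPECTED_EOF') == 0x80."""
    return ssl_op_bit(OPTION_BITS[name])


def squid_options_mask(spec):
    """Combine a comma-separated list of option names and/or 0x-hex literals into
    one mask. Mixing the two forms in one list is this helper's own convention
    (assumption), chosen so a hex workaround can sit next to named options."""
    mask = 0
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.lower().startswith("0x"):
            mask |= int(item, 16)
        elif item.startswith("SSL_OP_"):
            # The thread shows Squid rejecting the SSL_OP_ prefix; drop it for the lookup.
            mask |= option_value(item[len("SSL_OP_"):])
        else:
            mask |= option_value(item)
    return mask


def squid_options_literal(spec):
    """Hex literal of the combined mask, the form the thread shows working: options=0x80."""
    return "0x%x" % squid_options_mask(spec)


def decode_mask(mask):
    """Known option names set in mask (lowest bit first) plus any leftover unknown bits."""
    ordered = sorted(OPTION_BITS.items(), key=lambda kv: kv[1])
    names = [name for name, bit in ordered if mask & ssl_op_bit(bit)]
    known = sum(ssl_op_bit(bit) for bit in OPTION_BITS.values())
    return names, mask & ~known


def cross_check_with_python_ssl():
    """Compare the table against the ssl.OP_* constants, which Python takes from the
    OpenSSL it was built against. Returns (name, table_value, ssl_value) tuples for
    every mismatch; names this Python/OpenSSL does not expose are skipped."""
    mismatches = []
    for name in OPTION_BITS:
        ssl_value = getattr(ssl, "OP_" + name, None)
        if ssl_value is None:
            continue
        if int(ssl_value) != option_value(name):
            mismatches.append((name, option_value(name), int(ssl_value)))
    return mismatches


if __name__ == "__main__":
    print("SSL_OP_IGNORE_UNEXPECTED_EOF =", hex(option_value("IGNORE_UNEXPECTED_EOF")))
    print("options=" + squid_options_literal("NO_SSLv3,NO_TLSv1,IGNORE_UNEXPECTED_EOF"))
    print("decode 0x80 ->", decode_mask(0x80))
    print("mismatches against this Python's OpenSSL:", cross_check_with_python_ssl())
```

Run it with the Python linked against the same OpenSSL as Squid (on the Debian system above that is the distribution's python3): an empty mismatch list confirms the 0x80 value, and decode_mask is handy for reading back a combined hex literal before putting it in squid.conf.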