On 3/12/2011 4:44 a.m., Sean Boran wrote:
With squid running sslbump in routing mode, and used by a handful of
users, squid is crashing regularly, linked to visiting SSL sites.

Logs
--
2011/11/29 11:39:36| clientNegotiateSSL: Error negotiating SSL connection on FD
45: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)

Something in your OpenSSL library is incompatible with the SSL or TLS version being used by one of the certificates.

Given your helper problems I would not put it past being a corrupted local certificate file in the helper's database.

2011/11/29 11:39:43| WARNING: ssl_crtd #2 (FD 11) exited
2011/11/29 11:39:43| Too few ssl_crtd processes are running (need 1/50)
2011/11/29 11:39:43| Starting new helpers
2011/11/29 11:39:43| helperOpenServers: Starting 1/50 'ssl_crtd' processes
2011/11/29 11:39:43| client_side.cc(3462) sslCrtdHandleReply: "ssl_crtd" helper
return<NULL>  reply

Major problem. Why is the helper dying on startup?

2011/11/29 11:39:44| WARNING: ssl_crtd #1 (FD 9) exited
2011/11/29 11:39:44| Too few ssl_crtd processes are running (need 1/50)
2011/11/29 11:39:44| storeDirWriteCleanLogs: Starting...
2011/11/29 11:39:44|   Finished.  Wrote 0 entries.
2011/11/29 11:39:44|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
--

So ssl_crtd is dying which is one issue, but it's also killing squid which is
even worse.

As designed. These helpers dying is not as trivial as you seem to think. It is happening immediately on starting the helper. Ignoring the crash abort in Squid only works if the helpers get some work done between dying. Ignoring startup crashes will lead to the machine CPU(s) being overloaded.


Amos
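
An added example, not part of the original thread and not Squid code: a small cache.log triage script that counts, per helper, how many exits happen right after a helper start and whether the FATAL abort was logged. The sample input reuses the log lines quoted above; the function name `summarize` and the 2-second `startup_window` are assumptions made for this sketch.

```python
import re
from datetime import datetime

# Log lines taken from the excerpt quoted in this thread (FD-negotiation line omitted).
SAMPLE_LOG = """\
2011/11/29 11:39:43| WARNING: ssl_crtd #2 (FD 11) exited
2011/11/29 11:39:43| Too few ssl_crtd processes are running (need 1/50)
2011/11/29 11:39:43| Starting new helpers
2011/11/29 11:39:43| helperOpenServers: Starting 1/50 'ssl_crtd' processes
2011/11/29 11:39:44| WARNING: ssl_crtd #1 (FD 9) exited
2011/11/29 11:39:44| Too few ssl_crtd processes are running (need 1/50)
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
"""

STAMP = r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| "
START_RE = re.compile(STAMP + r"helperOpenServers: Starting \d+/\d+ '([^']+)' processes")
EXIT_RE = re.compile(STAMP + r"WARNING: (\S+) #\d+ \(FD \d+\) exited")
FATAL_RE = re.compile(r"FATAL: The (\S+) helpers are crashing too rapidly")
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def summarize(log_text, startup_window=2):
    """Per helper: total exits, exits within startup_window seconds of the
    most recent helper start, and whether Squid logged the FATAL abort.

    startup_window is an assumed triage threshold, not a Squid setting.
    """
    last_start, report = {}, {}

    def entry(name):
        return report.setdefault(name, {"exits": 0, "startup_exits": 0, "fatal": False})

    for line in log_text.splitlines():
        if m := START_RE.match(line):
            last_start[m.group(2)] = datetime.strptime(m.group(1), TIME_FMT)
        elif m := EXIT_RE.match(line):
            when = datetime.strptime(m.group(1), TIME_FMT)
            rec = entry(m.group(2))
            rec["exits"] += 1
            started = last_start.get(m.group(2))
            # An exit with no start in the excerpt cannot be aged, so it is not counted.
            if started is not None and (when - started).total_seconds() <= startup_window:
                rec["startup_exits"] += 1
        elif m := FATAL_RE.match(line):
            entry(m.group(1))["fatal"] = True
    return report


if __name__ == "__main__":
    for helper, rec in summarize(SAMPLE_LOG).items():
        print(helper, rec)
```
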
