[squid-users] Squid problem OWA with SSL

From: Rakesh Jha <rakesh_at_burgan.com>
Date: Sun, 1 Feb 2009 10:16:30 +0300

Hi,
Recently I renewed the SSL certificate (issued by Thawte); since then I
have been facing this problem. The old SSL certificate (also from Thawte)
ran for almost two years without any problem.
 
I have two issues -

1. If I start squid with "-DYNCd3", I enter the pass phrase correctly and
https acceleration works OK, but it aborts after a day or so giving an error.

Please see below -

[root_at_Squid-Rev logs]# ../../sbin/squid -DYNCd3
2009/01/28 09:23:43| Initializing https proxy context
2009/01/28 09:23:43| Initializing https_port 10.1.1.100:443 SSL context
2009/01/28 09:23:43| Using certificate in
/usr/local/ssl/mail.domain.com.crt
2009/01/28 09:23:43| Using private key in
/usr/local/ssl/mail.domain.com.key
Enter PEM pass phrase:
2009/01/28 09:23:48| Starting Squid Cache version 3.0.PRE5 for
i686-pc-linux-gnu ...
2009/01/28 09:23:48| Process ID 2713
2009/01/28 09:23:48| With 1024 file descriptors available
2009/01/28 09:23:48| DNS Socket created at 0.0.0.0, port 1083, FD 4
2009/01/28 09:23:48| Adding domain localdomain from /etc/resolv.conf
2009/01/28 09:23:48| Adding nameserver 196.1.69.98 from /etc/resolv.conf
2009/01/28 09:23:48| Adding nameserver 196.1.69.99 from /etc/resolv.conf
2009/01/28 09:23:48| Adding nameserver 10.1.1.104 from /etc/resolv.conf
2009/01/28 09:23:48| Adding nameserver 168.187.78.18 from
/etc/resolv.conf
2009/01/28 09:23:48| Adding nameserver 168.187.198.11 from
/etc/resolv.conf
2009/01/28 09:23:48| Adding nameserver 168.187.198.12 from
/etc/resolv.conf
2009/01/28 09:23:48| Unlinkd pipe opened on FD 9
2009/01/28 09:23:48| Swap maxSize 102400 KB, estimated 7876 objects
2009/01/28 09:23:48| Target number of buckets: 393
2009/01/28 09:23:48| Using 8192 Store buckets
2009/01/28 09:23:48| Max Mem size: 8192 KB
2009/01/28 09:23:48| Max Swap size: 102400 KB
2009/01/28 09:23:48| Rebuilding storage in /usr/local/squid/var/cache
(CLEAN)
2009/01/28 09:23:48| Using Least Load store dir selection
2009/01/28 09:23:48| Set Current Directory to /usr/local/squid/var/cache
2009/01/28 09:23:48| Loaded Icons.
2009/01/28 09:23:48| Accepting HTTPS connections at 10.1.1.100, port
443, FD 10.
2009/01/28 09:23:48| Accepting ICP messages at 0.0.0.0, port 3130, FD
11.
2009/01/28 09:23:48| WCCP Disabled.
2009/01/28 09:23:48| Configuring Parent mail.domain.com/80/0
2009/01/28 09:23:48| Ready to serve requests.
2009/01/28 09:24:02| Done scanning /usr/local/squid/var/cache swaplog (0
entries
)
2009/01/28 09:24:02| Finished rebuilding storage from disk.
2009/01/28 09:24:02| 0 Entries scanned
2009/01/28 09:24:02| 0 Invalid entries.
2009/01/28 09:24:02| 0 With invalid flags.
2009/01/28 09:24:02| 0 Objects loaded.
2009/01/28 09:24:02| 0 Objects expired.
2009/01/28 09:24:02| 0 Objects cancelled.
2009/01/28 09:24:02| 0 Duplicate URLs purged.
2009/01/28 09:24:02| 0 Swapfile clashes avoided.
2009/01/28 09:24:02| Took 14.3 seconds ( 0.0 objects/sec).
2009/01/28 09:24:02| Beginning Validation Procedure
2009/01/28 09:24:02| Completed Validation Procedure
2009/01/28 09:24:02| Validated 25 Entries
2009/01/28 09:24:02| store_swap_size = 0
2009/01/28 09:24:02| storeLateRelease: released 0 objects
.
.
.
.
2009/02/01 01:07:09| clientNegotiateSSL: Error negotiating SSL
connection on FD 12: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3
alert unexpected message (1/0)
2009/02/01 02:06:43| clientNegotiateSSL: Error negotiating SSL
connection on FD 12: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3
alert unexpected message (1/0)
2009/02/01 03:04:12| assertion failed: client_side.cc:2479:
"conn->in.abortedSize == (size_t)conn->bodySizeLeft()"
Aborted
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

When I start like -
[root_at_Squid-Rev logs]# ../../sbin/squid
Enter PEM pass phrase:
[root_at_Squid-Rev logs]#

Cache.log registers errors. Please see the following -

2009/01/28 09:42:31| Initializing https proxy context
2009/01/28 09:42:31| Initializing https_port 10.1.1.100:443 SSL context
2009/01/28 09:42:31| Using certificate in
/usr/local/ssl/mail.domain.com.crt
2009/01/28 09:42:31| Using private key in
/usr/local/ssl/mail.domain.com.key
2009/01/28 09:42:42| Initializing https proxy context
2009/01/28 09:42:42| Initializing https_port 10.1.1.100:443 SSL context
2009/01/28 09:42:42| Using certificate in
/usr/local/ssl/mail.domain.com.crt
2009/01/28 09:42:42| Using private key in
/usr/local/ssl/mail.domain.com.key
2009/01/28 09:42:42| Failed to acquire SSL private key
'/usr/local/ssl/mail.domain.com.key': error :0906406D:PEM
routines:DEF_CALLBACK:problems getting password
2009/01/28 09:42:42| Starting Squid Cache version 3.0.PRE5 for
i686-pc-linux-gnu...
2009/01/28 09:42:42| Process ID 2734
2009/01/28 09:42:42| With 1024 file descriptors available
2009/01/28 09:42:42| Performing DNS Tests...
2009/01/28 09:42:42| Successful DNS name lookup tests...
2009/01/28 09:42:42| DNS Socket created at 0.0.0.0, port 1083, FD 6
2009/01/28 09:42:42| Adding domain localdomain from /etc/resolv.conf
2009/01/28 09:42:42| Adding nameserver 196.1.69.98 from /etc/resolv.conf
2009/01/28 09:42:42| Adding nameserver 196.1.69.99 from /etc/resolv.conf
2009/01/28 09:42:42| Adding nameserver 10.1.1.104 from /etc/resolv.conf
2009/01/28 09:42:42| Adding nameserver 168.187.78.18 from
/etc/resolv.conf
2009/01/28 09:42:42| Adding nameserver 168.187.198.11 from
/etc/resolv.conf
2009/01/28 09:42:42| Adding nameserver 168.187.198.12 from
/etc/resolv.conf
2009/01/28 09:42:42| Unlinkd pipe opened on FD 11
2009/01/28 09:42:42| Swap maxSize 102400 KB, estimated 7876 objects
2009/01/28 09:42:42| Target number of buckets: 393
2009/01/28 09:42:42| Using 8192 Store buckets
2009/01/28 09:42:42| Max Mem size: 8192 KB
2009/01/28 09:42:42| Max Swap size: 102400 KB
2009/01/28 09:42:42| Rebuilding storage in /usr/local/squid/var/cache
(CLEAN)
2009/01/28 09:42:42| Using Least Load store dir selection
2009/01/28 09:42:42| Set Current Directory to /usr/local/squid/var/cache
2009/01/28 09:42:42| Loaded Icons.
2009/01/28 09:42:42| Can not accept HTTPS connections at 10.1.1.100,
port 443
2009/01/28 09:42:42| Accepting HTTPS connections at 10.1.1.100, port
443, FD 12.
2009/01/28 09:42:42| Accepting ICP messages at 0.0.0.0, port 3130, FD
13.
2009/01/28 09:42:42| WCCP Disabled.
2009/01/28 09:42:42| Configuring Parent mail.domain.com/80/0
2009/01/28 09:42:42| Ready to serve requests.
2009/01/28 09:42:48| Done scanning /usr/local/squid/var/cache swaplog (0
entries)
2009/01/28 09:42:48| Finished rebuilding storage from disk.
2009/01/28 09:42:48| 0 Entries scanned
2009/01/28 09:42:48| 0 Invalid entries.
2009/01/28 09:42:48| 0 With invalid flags.
2009/01/28 09:42:48| 0 Objects loaded.
2009/01/28 09:42:48| 0 Objects expired.
2009/01/28 09:42:48| 0 Objects cancelled.
2009/01/28 09:42:48| 0 Duplicate URLs purged.
2009/01/28 09:42:48| 0 Swapfile clashes avoided.
2009/01/28 09:42:48| Took 6.1 seconds ( 0.0 objects/sec).
2009/01/28 09:42:48| Beginning Validation Procedure
2009/01/28 09:42:48| Completed Validation Procedure
2009/01/28 09:42:48| Validated 25 Entries
2009/01/28 09:42:48| store_swap_size = 0
2009/01/28 09:42:49| storeLateRelease: released 0 objects
2009/01/28 09:43:17| httpsAccept: Error allocating handle:
error:0906A068:PEM routines:PEM_do_head
er:bad password read
2009/01/28 09:43:17| httpsAccept: Error allocating handle:
error:140B0009:SSL routines:SSL_CTX_use
_PrivateKey_file:PEM lib
2009/01/28 09:43:17| httpsAccept: Error allocating handle:
error:140BA0C3:SSL routines:SSL_new:nul
l ssl ctx
+++++++++++++++++++++++++++++++++++++++++++++++

In this case port 443 opens but OWA does not work.
I had no issue with the old SSL certificate, which will expire soon after
almost two years, and Squid ran very stably during this time.

Please suggest what is wrong with the new SSL certificate. I even tried a test
certificate from Thawte, with the same problem.

Thanks,
Rakesh Kumar
Attention:
Any non-official business related views, opinions and other information presented in this electronic mail
are solely those of the sender/author.
Burgan Bank does not endorse or accept responsibility for their opinions. If you are not the addressed
indicated in this mail or responsible for delivering this message to the intended,
you should delete this message and notify the sender immediately.
-------------------------------------------------------
Burgan Bank S.A.K
www.burgan.com
Received on Sun Feb 01 2009 - 07:16:45 MST
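The second cache.log above shows a chain that is worth recognising on any Squid reverse proxy: the daemonised process cannot answer the PEM pass-phrase prompt ("problems getting password"), so the https_port SSL context is never built, and every later accept fails with "null ssl ctx" while port 443 still looks open. The script below is an added example written for this archive page, not code from the poster or from the Squid project. It checks whether a PEM private key is pass-phrase protected (both the traditional OpenSSL `Proc-Type: 4,ENCRYPTED` header and the PKCS#8 `ENCRYPTED PRIVATE KEY` label), predicts how a foreground versus daemon start will behave with such a key, and scans cache.log lines for the error pattern shown in the post. The key material and log excerpt are constructed samples modelled on the post; the interpretation that the detached daemon has no terminal to read the prompt from is this editor's assumption, as is the suggestion that the usual fixes are an unencrypted key file with 0600 root-only permissions or Squid's `sslpassword_program` directive where the installed version supports it.

```python
"""Pre-flight and log checks for a pass-phrase protected Squid https_port key.

Added example for this archive page; not the poster's or the Squid project's
code. The PEM bodies and log lines below are constructed samples.
"""
import re

# Constructed sample keys: only the PEM headers matter to this check, so the
# base64 body is a placeholder rather than real key material.
ENCRYPTED_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDERBASE64==
-----END RSA PRIVATE KEY-----
"""

PLAIN_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERBASE64==
-----END RSA PRIVATE KEY-----
"""

PKCS8_ENCRYPTED_KEY_PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDERBASE64==
-----END ENCRYPTED PRIVATE KEY-----
"""


def key_needs_passphrase(pem_text: str) -> bool:
    """Return True if the PEM private key is pass-phrase protected.

    Two encodings are common: a traditional OpenSSL block carrying a
    'Proc-Type: 4,ENCRYPTED' header, and a PKCS#8 block whose label is
    'ENCRYPTED PRIVATE KEY'.
    """
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return True
    return re.search(r"^Proc-Type:\s*4,\s*ENCRYPTED\s*$", pem_text, re.M) is not None


def passphrase_risk(pem_text: str, foreground: bool) -> str:
    """Classify how a Squid start is expected to behave with this key.

    foreground=True models a 'squid -N ...' run (the -DYNCd3 start in the
    post), where OpenSSL's default callback can prompt on the controlling
    terminal. foreground=False models a plain 'squid' daemon start, where
    (assumption) the detached child has no terminal to answer the prompt.
    """
    if not key_needs_passphrase(pem_text):
        return "ok"
    return "prompts-on-terminal" if foreground else "no-terminal-for-passphrase"


# Each pattern is matched against a cache.log line; the code names the finding.
LOG_PATTERNS = (
    (re.compile(r"problems getting password"), "key-passphrase-not-available"),
    (re.compile(r"bad password read"), "key-passphrase-wrong-or-missing"),
    (re.compile(r"SSL_new:null ssl ctx"), "https-context-never-built"),
    (re.compile(r"Can not accept HTTPS connections"), "https-port-not-listening"),
)


def diagnose_cache_log(lines):
    """Return the sorted list of finding codes present in the given lines."""
    found = set()
    for line in lines:
        for pattern, code in LOG_PATTERNS:
            if pattern.search(line):
                found.add(code)
    return sorted(found)


# Constructed cache.log excerpt modelled on the post's daemon-mode run, with
# the lines that the mail client wrapped rejoined.
SAMPLE_CACHE_LOG = [
    "2009/01/28 09:42:42| Failed to acquire SSL private key "
    "'/usr/local/ssl/mail.domain.com.key': error :0906406D:PEM routines:"
    "DEF_CALLBACK:problems getting password",
    "2009/01/28 09:42:42| Can not accept HTTPS connections at 10.1.1.100, port 443",
    "2009/01/28 09:42:42| Ready to serve requests.",
    "2009/01/28 09:43:17| httpsAccept: Error allocating handle: "
    "error:0906A068:PEM routines:PEM_do_header:bad password read",
    "2009/01/28 09:43:17| httpsAccept: Error allocating handle: "
    "error:140BA0C3:SSL routines:SSL_new:null ssl ctx",
]

if __name__ == "__main__":
    print("daemon start with encrypted key:",
          passphrase_risk(ENCRYPTED_KEY_PEM, foreground=False))
    print("cache.log findings:", diagnose_cache_log(SAMPLE_CACHE_LOG))
```

Run it against the real key file and cache.log by reading them in place of the constructed samples; a result of "no-terminal-for-passphrase" together with the "key-passphrase-not-available" and "https-context-never-built" findings is the signature of a listener that is up but can never complete a handshake, which is why the port appears open while OWA fails.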
