Re: [squid-users] Squid problem OWA with SSL

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 01 Feb 2009 20:34:16 +1300

Rakesh Jha wrote:
> Hi,
> Recently I renewed the SSL certificate (issued by Thawte); since
> then I have been facing the problem. The old SSL certificate (also from Thawte)
> ran almost two years without any problem.
>
> I have two issues -
>
> 1. If I start squid with "-DYNCd3", I enter the pass phrase correctly and
> HTTPS acceleration works OK, but it aborts after a day or so giving an error.
>
> Please see below -
>
> [root_at_Squid-Rev logs]# ../../sbin/squid -DYNCd3
> 2009/01/28 09:23:43| Initializing https proxy context
> 2009/01/28 09:23:43| Initializing https_port 10.1.1.100:443 SSL context
> 2009/01/28 09:23:43| Using certificate in
> /usr/local/ssl/mail.domain.com.crt
> 2009/01/28 09:23:43| Using private key in
> /usr/local/ssl/mail.domain.com.key
> Enter PEM pass phrase:
> 2009/01/28 09:23:48| Starting Squid Cache version 3.0.PRE5 for
> i686-pc-linux-gnu ...
> 2009/01/28 09:23:48| Process ID 2713
> 2009/01/28 09:23:48| With 1024 file descriptors available
> 2009/01/28 09:23:48| DNS Socket created at 0.0.0.0, port 1083, FD 4
> 2009/01/28 09:23:48| Adding domain localdomain from /etc/resolv.conf
> 2009/01/28 09:23:48| Adding nameserver 196.1.69.98 from /etc/resolv.conf
> 2009/01/28 09:23:48| Adding nameserver 196.1.69.99 from /etc/resolv.conf
> 2009/01/28 09:23:48| Adding nameserver 10.1.1.104 from /etc/resolv.conf
> 2009/01/28 09:23:48| Adding nameserver 168.187.78.18 from
> /etc/resolv.conf
> 2009/01/28 09:23:48| Adding nameserver 168.187.198.11 from
> /etc/resolv.conf
> 2009/01/28 09:23:48| Adding nameserver 168.187.198.12 from
> /etc/resolv.conf
> 2009/01/28 09:23:48| Unlinkd pipe opened on FD 9
> 2009/01/28 09:23:48| Swap maxSize 102400 KB, estimated 7876 objects
> 2009/01/28 09:23:48| Target number of buckets: 393
> 2009/01/28 09:23:48| Using 8192 Store buckets
> 2009/01/28 09:23:48| Max Mem size: 8192 KB
> 2009/01/28 09:23:48| Max Swap size: 102400 KB
> 2009/01/28 09:23:48| Rebuilding storage in /usr/local/squid/var/cache
> (CLEAN)
> 2009/01/28 09:23:48| Using Least Load store dir selection
> 2009/01/28 09:23:48| Set Current Directory to /usr/local/squid/var/cache
> 2009/01/28 09:23:48| Loaded Icons.
> 2009/01/28 09:23:48| Accepting HTTPS connections at 10.1.1.100, port
> 443, FD 10.
> 2009/01/28 09:23:48| Accepting ICP messages at 0.0.0.0, port 3130, FD
> 11.
> 2009/01/28 09:23:48| WCCP Disabled.
> 2009/01/28 09:23:48| Configuring Parent mail.domain.com/80/0
> 2009/01/28 09:23:48| Ready to serve requests.
> 2009/01/28 09:24:02| Done scanning /usr/local/squid/var/cache swaplog (0
> entries)
> 2009/01/28 09:24:02| Finished rebuilding storage from disk.
> 2009/01/28 09:24:02| 0 Entries scanned
> 2009/01/28 09:24:02| 0 Invalid entries.
> 2009/01/28 09:24:02| 0 With invalid flags.
> 2009/01/28 09:24:02| 0 Objects loaded.
> 2009/01/28 09:24:02| 0 Objects expired.
> 2009/01/28 09:24:02| 0 Objects cancelled.
> 2009/01/28 09:24:02| 0 Duplicate URLs purged.
> 2009/01/28 09:24:02| 0 Swapfile clashes avoided.
> 2009/01/28 09:24:02| Took 14.3 seconds ( 0.0 objects/sec).
> 2009/01/28 09:24:02| Beginning Validation Procedure
> 2009/01/28 09:24:02| Completed Validation Procedure
> 2009/01/28 09:24:02| Validated 25 Entries
> 2009/01/28 09:24:02| store_swap_size = 0
> 2009/01/28 09:24:02| storeLateRelease: released 0 objects
> .
> .
> .
> .
> 2009/02/01 01:07:09| clientNegotiateSSL: Error negotiating SSL
> connection on FD 12: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3
> alert unexpected message (1/0)
> 2009/02/01 02:06:43| clientNegotiateSSL: Error negotiating SSL
> connection on FD 12: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3
> alert unexpected message (1/0)
> 2009/02/01 03:04:12| assertion failed: client_side.cc:2479:
> "conn->in.abortedSize == (size_t)conn->bodySizeLeft()"
> Aborted
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> When I start like -
> [root_at_Squid-Rev logs]# ../../sbin/squid
> Enter PEM pass phrase:
> [root_at_Squid-Rev logs]#
>
> Cache.log registers errors. Please see the following -
>
> 2009/01/28 09:42:31| Initializing https proxy context
> 2009/01/28 09:42:31| Initializing https_port 10.1.1.100:443 SSL context
> 2009/01/28 09:42:31| Using certificate in
> /usr/local/ssl/mail.domain.com.crt
> 2009/01/28 09:42:31| Using private key in
> /usr/local/ssl/mail.domain.com.key
> 2009/01/28 09:42:42| Initializing https proxy context
> 2009/01/28 09:42:42| Initializing https_port 10.1.1.100:443 SSL context
> 2009/01/28 09:42:42| Using certificate in
> /usr/local/ssl/mail.domain.com.crt
> 2009/01/28 09:42:42| Using private key in
> /usr/local/ssl/mail.domain.com.key
> 2009/01/28 09:42:42| Failed to acquire SSL private key
> '/usr/local/ssl/mail.domain.com.key': error :0906406D:PEM
> routines:DEF_CALLBACK:problems getting password
> 2009/01/28 09:42:42| Starting Squid Cache version 3.0.PRE5 for
> i686-pc-linux-gnu...
> 2009/01/28 09:42:42| Process ID 2734
> 2009/01/28 09:42:42| With 1024 file descriptors available
> 2009/01/28 09:42:42| Performing DNS Tests...
> 2009/01/28 09:42:42| Successful DNS name lookup tests...
> 2009/01/28 09:42:42| DNS Socket created at 0.0.0.0, port 1083, FD 6
> 2009/01/28 09:42:42| Adding domain localdomain from /etc/resolv.conf
> 2009/01/28 09:42:42| Adding nameserver 196.1.69.98 from /etc/resolv.conf
> 2009/01/28 09:42:42| Adding nameserver 196.1.69.99 from /etc/resolv.conf
> 2009/01/28 09:42:42| Adding nameserver 10.1.1.104 from /etc/resolv.conf
> 2009/01/28 09:42:42| Adding nameserver 168.187.78.18 from
> /etc/resolv.conf
> 2009/01/28 09:42:42| Adding nameserver 168.187.198.11 from
> /etc/resolv.conf
> 2009/01/28 09:42:42| Adding nameserver 168.187.198.12 from
> /etc/resolv.conf
> 2009/01/28 09:42:42| Unlinkd pipe opened on FD 11
> 2009/01/28 09:42:42| Swap maxSize 102400 KB, estimated 7876 objects
> 2009/01/28 09:42:42| Target number of buckets: 393
> 2009/01/28 09:42:42| Using 8192 Store buckets
> 2009/01/28 09:42:42| Max Mem size: 8192 KB
> 2009/01/28 09:42:42| Max Swap size: 102400 KB
> 2009/01/28 09:42:42| Rebuilding storage in /usr/local/squid/var/cache
> (CLEAN)
> 2009/01/28 09:42:42| Using Least Load store dir selection
> 2009/01/28 09:42:42| Set Current Directory to /usr/local/squid/var/cache
> 2009/01/28 09:42:42| Loaded Icons.
> 2009/01/28 09:42:42| Can not accept HTTPS connections at 10.1.1.100,
> port 443
> 2009/01/28 09:42:42| Accepting HTTPS connections at 10.1.1.100, port
> 443, FD 12.
> 2009/01/28 09:42:42| Accepting ICP messages at 0.0.0.0, port 3130, FD
> 13.
> 2009/01/28 09:42:42| WCCP Disabled.
> 2009/01/28 09:42:42| Configuring Parent mail.domain.com/80/0
> 2009/01/28 09:42:42| Ready to serve requests.
> 2009/01/28 09:42:48| Done scanning /usr/local/squid/var/cache swaplog (0
> entries)
> 2009/01/28 09:42:48| Finished rebuilding storage from disk.
> 2009/01/28 09:42:48| 0 Entries scanned
> 2009/01/28 09:42:48| 0 Invalid entries.
> 2009/01/28 09:42:48| 0 With invalid flags.
> 2009/01/28 09:42:48| 0 Objects loaded.
> 2009/01/28 09:42:48| 0 Objects expired.
> 2009/01/28 09:42:48| 0 Objects cancelled.
> 2009/01/28 09:42:48| 0 Duplicate URLs purged.
> 2009/01/28 09:42:48| 0 Swapfile clashes avoided.
> 2009/01/28 09:42:48| Took 6.1 seconds ( 0.0 objects/sec).
> 2009/01/28 09:42:48| Beginning Validation Procedure
> 2009/01/28 09:42:48| Completed Validation Procedure
> 2009/01/28 09:42:48| Validated 25 Entries
> 2009/01/28 09:42:48| store_swap_size = 0
> 2009/01/28 09:42:49| storeLateRelease: released 0 objects
> 2009/01/28 09:43:17| httpsAccept: Error allocating handle:
> error:0906A068:PEM routines:PEM_do_header:bad password read
> 2009/01/28 09:43:17| httpsAccept: Error allocating handle:
> error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> 2009/01/28 09:43:17| httpsAccept: Error allocating handle:
> error:140BA0C3:SSL routines:SSL_new:null ssl ctx
> +++++++++++++++++++++++++++++++++++++++++++++++
>
> In this case port 443 opens but OWA does not work.
> I had no issue with the old SSL certificate, which will expire soon after
> almost two years, and squid ran very stably during this time.
>
> Please suggest what is wrong with the new SSL certificate. I even tried a test
> certificate from Thawte, with the same problem.
>
> Thanks,
> Rakesh Kumar
> Attention:
> Any non-official business related views, opinions and other information presented in this electronic mail
> are solely those of the sender/author.
> Burgan Bank does not endorse or accept responsibility for their opinions. If you are not the addressed
> indicated in this mail or responsible for delivering this message to the intended,
> you should delete this message and notify the sender immediately.
> -------------------------------------------------------
> Burgan Bank S.A.K
> www.burgan.com

There are a few issues here that I can see:

  * 3.0.PRE5 is an extremely old Beta release of Squid. Please upgrade
to one of the 3.0 stable releases. That alone may cause the issue to go
away.

  * Squid has an auto-restart feature. Your new certificate with a
manual pass-phrase may be hating every time squid has an issue and needs
to restart itself.

  * then there is the assertion, which may be resolved by a newer Squid.
If it remains after an upgrade please report it.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE12
   Current Beta Squid 3.1.0.4
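The second point in the reply above, that a pass-phrase-protected https_port key cannot be re-read when Squid restarts itself with nobody at the terminal, can be reproduced and fixed outside Squid. The script below is an added example written for this archive page, not code from either poster or from the Squid project. It builds a throwaway self-signed certificate with an encrypted key (constructed for the demo; the hostname mail.example.test, the paths under $TMPDIR and the pass phrase are all made up), shows that the key cannot be loaded without a pass phrase, strips the pass phrase with openssl, confirms the certificate and key still pair up, and checks that the unencrypted key is mode 0600. It assumes only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example for the thread above (not code from the original posts):
# reproduce the state Amos points at -- an https_port private key that is
# pass-phrase protected, so a Squid that restarts itself with no terminal
# cannot read it -- then apply the usual fix: strip the pass phrase,
# confirm the certificate still pairs with the key, and protect the file
# by permissions instead. The key/cert pair, names and paths below are
# constructed for this demo. Requires the openssl command-line tool.

set -u

WORK="${TMPDIR:-/tmp}/squid-key-demo.$$"
PASS='demo-pass-phrase'   # constructed; stands in for the poster's PEM pass phrase
mkdir -p "$WORK"

# Throwaway self-signed pair whose key is encrypted with $PASS: the same
# shape as a CA-issued key that was generated with a pass phrase.
make_protected_pair() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 1 \
        -subj '/CN=mail.example.test' \
        -keyout "$WORK/mail.key" -out "$WORK/mail.crt" \
        -passout "pass:$PASS" >/dev/null 2>&1
}

# 0 if the key loads with no pass phrase at all, which is what a restarted
# daemon gets. An empty pass: argument stands in for "nobody is there to
# type it"; on an encrypted key OpenSSL fails at the PEM password step,
# the same class of error seen in the cache.log above.
key_loads_unattended() {
    openssl pkey -in "$1" -passin 'pass:' -noout </dev/null >/dev/null 2>&1
}

# The fix: rewrite the key unencrypted (created under umask 077, then
# chmod 600) so Squid can re-read it without a prompt after a self-restart.
strip_passphrase() {
    ( umask 077 && openssl pkey -in "$1" -passin "pass:$PASS" -out "$2" >/dev/null 2>&1 ) \
        && chmod 600 "$2"
}

# A renewed certificate only works with the key its CSR was made from.
# Compare the SubjectPublicKeyInfo from each side; 0 means they pair up.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -passin 'pass:' -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# With the pass phrase gone, the file mode is the only thing guarding the
# key: require exactly 0600 (find -perm with an octal mode is POSIX).
key_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" ! -perm 600 2>/dev/null)" ]
}

demo() {
    make_protected_pair || return 1
    # Encrypted key: the unattended load must fail.
    if key_loads_unattended "$WORK/mail.key"; then return 1; fi
    strip_passphrase "$WORK/mail.key" "$WORK/mail.nopass.key" || return 1
    key_loads_unattended "$WORK/mail.nopass.key" || return 1
    cert_matches_key "$WORK/mail.crt" "$WORK/mail.nopass.key" || return 1
    key_is_private "$WORK/mail.nopass.key" || return 1
    # Negative check: an unrelated key must be rejected for this certificate.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/other.key" >/dev/null 2>&1 || return 1
    if cert_matches_key "$WORK/mail.crt" "$WORK/other.key"; then return 1; fi
    echo "ok: pass phrase removed, key pairs with certificate, mode 0600"
}

demo
```

Removing the pass phrase moves the protection of the key from "something a person types" to the file's owner and mode, so the stripped key should be readable only by the account Squid runs as; the cert_matches_key step is worth keeping in a renewal procedure on its own, since a renewed certificate paired with a key from an older CSR fails in the same "cannot accept HTTPS connections" way.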
Received on Sun Feb 01 2009 - 07:34:08 MST

This archive was generated by hypermail 2.2.0 : Sun Feb 01 2009 - 12:00:03 MST