Re: [squid-users] 71 Protocol Error when using SSL

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 22 May 2010 14:41:25 +1200

Edoardo COSTA SANSEVERINO wrote:
>
> Hi all,
>
> I had a look in the archives and the only similar problem I found was
> never answered
> (http://www.squid-cache.org/mail-archive/squid-users/200801/0152.html)
> so I hope someone can help me. I posted this request on
> linuxquestions.org but got no reply so I thought I'd be better off
> asking you guys ;)
>
> I tried to get reverse proxy working with apache mod_proxy but that
> failed so I'm giving squid3 a go but with not much more luck. All
> connections to non ssl websites work fine. The following error I
> [B]only get the second time[/B] I access the page, the first time the
> page is displayed properly! This does not make sense to me but maybe it
> will to one of you.
>
> ERROR
> The requested URL could not be retrieved
>
> While trying to retrieve the URL: https://deb01.example.com/
>
> The following error was encountered:
> Connection to 192.168.122.11 Failed
>
> The system returned:
> (71) Protocol error
>
> The remote host or network may be down. Please try the request again.
>
> Your cache administrator is webmaster.
> Generated Thu, 20 May 2010 18:58:28 GMT by localhost (squid/3.0.STABLE8)
>
> My setup
> --------
> +--> (deb02) vhosts running multile http
> |
> [WWW] -> KVM/SQUID ->+--> (deb01) vhost running a single https
> |
> +--> (deb03) vhosts running multile http and one https
>
> My squid.conf
> -------------
>
> https_port 443 accel cert=/etc/ssl/deb01.example.com.crt
> key=/etc/ssl/deb01.example.com.pem defaultsite=deb01.example.com vhost
> protocol=https
> http_port 80 accel defaultsite=deb02.example.com vhost
>
> cache_peer 192.168.122.11 parent 443 0 no-query originserver login=PASS
> ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=srv01
> cache_peer 192.168.122.2 parent 80 0 no-query originserver name=srv02
>
> acl https proto https
> acl sites_srv01 dstdomain deb01.example.com
> acl sites_srv02 dstdomain deb02.example.com second.example.com
>
> http_access allow sites_srv01
> http_access allow sites_srv02
> cache_peer_access srv01 allow sites_srv01
> cache_peer_access srv02 allow sites_srv02
>
> forwarded_for on
> ---
>
> The first 'successful' connection gives the following entries in the logs:
>
> -----BEGIN SSL SESSION PARAMETERS-----
> MIGIAgEBAgIDAQQCADUEIDrfJnfrcvWw15QVzrwAlKJYsrinM/X+Ge9aeTyO8Fkx
> BDBLAPhbkN6LTcdvHMF9YGm8ib5Qwjm05qP3rr7I+LBjpikfjzV5gJSXLfke83U0
> ggOhBgIES/WH8aIEAgIBLKQCBACmFQQTZGViMDEucHJlY29nbmV0LmNvbQ==
> -----END SSL SESSION PARAMETERS-----
> 2010/05/20 21:05:21| 192.168.122.11 digest requires version 17487; have: 5
> 2010/05/20 21:05:21| temporary disabling (invalid digest cblock) digest
> from 192.168.122.11

Normal. Simply means the web server does not understand proxy cache
digest exchange. This can be silenced by adding no-digest option to the
web server cache_peer line.

> 2010/05/20 21:05:21| fwdNegotiateSSL: Error negotiating SSL connection
> on FD 16: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression
> (1/-1/0)
> 2010/05/20 21:05:21| TCP connection to 192.168.122.11/443 failed
> [...]

There is your HTTPS problem. Your SSL system libraries are producing
that error when they can't handle the settings.

http://google.com/search?q=SSL3_GET_RECORD%3Abad+decompression

> 2010/05/20 21:05:21| fwdNegotiateSSL: Error negotiating SSL connection
> on FD 16: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression
> (1/-1/0)
> 2010/05/20 21:05:21| TCP connection to 192.168.122.11/443 failed
> 2010/05/20 21:05:21| fwdNegotiateSSL: Error negotiating SSL connection
> on FD 16: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression
> (1/-1/0)
> 2010/05/20 21:05:21| TCP connection to 192.168.122.11/443 failed
>
<snip storage log>
>
>
> The second 'failed' connection shows the following log events:
>
>
> ==> /var/log/squid3/cache.log <==
> 2010/05/20 21:06:11| fwdNegotiateSSL: Error negotiating SSL connection
> on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression
> (1/-1/0)
> [...]
> 2010/05/20 21:06:12| fwdNegotiateSSL: Error negotiating SSL connection
> on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression
> (1/-1/0)
> 2010/05/20 21:06:12| TCP connection to 192.168.122.11/443 failed
> 2010/05/20 21:06:12| fwdNegotiateSSL: Error negotiating SSL connection
> on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression
> (1/-1/0)
> 2010/05/20 21:06:12| TCP connection to 192.168.122.11/443 failed
>
<snip storage log>

store.log is irrelevant to most uses. You can safely set it to "none" in
your squid.conf file.

>
> Any help would be greatly apreciated.
>
>
> As a side note. If anyone can tell me how to show the IP of the squid
> server rather than the internal IP of the webserver (as in the error)
> that would be a bonus ;)

The error is correct.

The link client->squid is not working perfectly.

The link squid->server (via internal IPs) is failing.

Thus you get a report telling you which link out of the two has failed.
Changing that will only make you look in the wrong place for some

Amos 

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.3
Received on Sat May 22 2010 - 02:41:31 MDT

This archive was generated by hypermail 2.2.0 : Sat May 22 2010 - 12:00:06 MDT