Re: [squid-users] squid dies: ssl_crtd helpers are crashing too rapidly

From: Sean Boran <sean_at_boran.com>
Date: Tue, 6 Dec 2011 14:43:31 +0100

Hi,

Hmm. Is that negotiation between browser and squid or between squid
and the destination site?

Openssl is 0.9.8k (standard with Ubuntu Lucid 10.04)

I wiped /var/lib/squid_ssl_db/certs, and re-ran
/usr/local/squid/libexec/ssl_crtd -c -s /var/lib/squid_ssl_db
/var/lib/squid_ssl_db/certs
so that new certs would be generated.

... and so far, no crashes.

If this resolves the issue, then perhaps the problem was that I changed
the proxy's CA key several times during tests, so some target sites'
certs would have been generated with different CA keys, and would still
have been cached in /var/lib/squid_ssl_db/certs.

The lesson would then be to empty /var/lib/squid_ssl_db/certs if one
changes the CA key :-)

Thanks,

Sean
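As an added example (not from the thread or the Squid project): a POSIX shell check that finds which cached ssl_crtd certificates no longer chain to the CA Squid currently uses, so the lesson above can be applied selectively instead of by a blanket wipe. It assumes the layout named in the post (PEM files under the DB's certs/ directory) and a local openssl binary.

```shell
#!/bin/sh
# List cached ssl_crtd certificates that do not verify against the current CA.
# Assumption: the DB stores one PEM certificate per file under <db>/certs.
# Usage: find_stale_certs /etc/squid/myCA.pem /var/lib/squid_ssl_db
# Prints each stale path on stdout; returns 0 if none were found, 1 otherwise.
find_stale_certs() {
    ca_cert="$1"
    db_dir="$2"
    stale=0
    for pem in "$db_dir"/certs/*.pem; do
        [ -f "$pem" ] || continue   # empty certs/ dir leaves the glob literal
        # openssl verify fails when the cert was not issued by $ca_cert; it
        # also fails for expired certs, which are just as useless to Squid.
        if ! openssl verify -CAfile "$ca_cert" "$pem" >/dev/null 2>&1; then
            printf '%s\n' "$pem"
            stale=$((stale + 1))
        fi
    done
    [ "$stale" -eq 0 ]
}
```

Stale entries are only reported, because ssl_crtd also keeps an index of the DB: after removing them, re-initialise the DB with the ssl_crtd -c -s command shown in the post rather than deleting files by hand.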

On 2 December 2011 17:48, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 3/12/2011 4:44 a.m., Sean Boran wrote:
>>
>> With squid running sslbump in routing mode, and used by a handful of
>> users, squid is crashing regularly, linked to visiting SSL sites.
>>
>> Logs
>> --
>> 2011/11/29 11:39:36| clientNegotiateSSL: Error negotiating SSL connection
>> on FD
>> 45: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>> (1/-1)
>
>
> Something in your OpenSSL library is incompatible with the SSL or TLS
> version being used by one of the certificates.
>
> Given your helper problems I would not put it past being a corrupted local
> certificate file in the helpers database.
>
>
>> 2011/11/29 11:39:43| WARNING: ssl_crtd #2 (FD 11) exited
>> 2011/11/29 11:39:43| Too few ssl_crtd processes are running (need 1/50)
>> 2011/11/29 11:39:43| Starting new helpers
>> 2011/11/29 11:39:43| helperOpenServers: Starting 1/50 'ssl_crtd' processes
>> 2011/11/29 11:39:43| client_side.cc(3462) sslCrtdHandleReply: "ssl_crtd"
>> helper
>> return<NULL>  reply
>
>
> Major problem. Why is the helper dying on startup?
>
>
>> 2011/11/29 11:39:44| WARNING: ssl_crtd #1 (FD 9) exited
>> 2011/11/29 11:39:44| Too few ssl_crtd processes are running (need 1/50)
>> 2011/11/29 11:39:44| storeDirWriteCleanLogs: Starting...
>> 2011/11/29 11:39:44|   Finished.  Wrote 0 entries.
>> 2011/11/29 11:39:44|   Took 0.00 seconds (  0.00 entries/sec).
>> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>> --
>>
>> So ssl_crtd is dying which is one issue, but its also killing squid which
>> is
>> even worse.
>
>
> As designed. These helpers dying is not as trivial as you seem to think. It
> is happening immediately on starting the helper. Ignoring the crash abort in
> Squid only works if the helpers get some work done between dying. Ignoring
> startup crashes will lead to the machine CPU(s) being overloaded.
>
>
> Amos
Received on Tue Dec 06 2011 - 13:43:39 MST