Re: [squid-users] problems with ssl_crtd from Linos on 2012-09-24 (squid-users)

From: Linos <info_at_linos.es>
Date: Mon, 24 Sep 2012 10:44:18 +0200

On 20/09/12 12:58, Ahmed Talha Khan wrote:
> Hey Guy, All
>
> I have started facing a very similar issue now.I have been using
> squid-3.HEAD-20120421-r12120 for about 5 months without any issues.
> Suddenly from yesterday ive started getting crahses in ssl_crtd
> process.
>
>
> In my case i am the only user but i observe that the behaviour is
> random. Sometimes it crashes and sometimes it works. Different https
> pages give the crash. Even non https pages have caused the crash.
>
> These occur especially on google https pages like docs,mail,calender etc..
>
> The signing cert is also ok and has NOT expired.
>
>
> My squid conf looks like this:
> *******************************************************
> sslproxy_cert_error allow all
>
> sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s
> /usr/local/squid-3.3/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> http_port 192.168.8.134:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> cert=/home/asif/squid/www.sample.com.pem
> key=/home/asif/squid/www.sample.com.pem
>
> http_port 192.168.8.134:8080
>
> https_port 192.168.8.134:3129 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> cert=/home/asif/squid/www.sample.com.pem
> key=/home/asif/squid/www.sample.com.pem
> *******************************************************
>
> The ssl_db directory is initialized properly with correct permissions.
>
> ***********************************************************
> [talha_at_localhost lib]$ pwd
> /usr/local/squid-3.3/var/lib
>
> [talha_at_localhost lib]$ ls -al
> total 24
> drwxrwxrwx 3 root root 4096 Sep 20 15:31 .
> drwxrwxrwx 6 root root 4096 Sep 20 15:05 ..
> drwxrwxrwx 3 nobody talha 4096 Sep 20 15:31 ssl_db
>
> The size file also has some values in it and cert generation also
> seems to work but suddenly it all crashes .
> **************************************************************
>
>
>
> 2012/09/20 14:57:45| Starting Squid Cache version
> 3.HEAD-20120425-r12120 for x86_64-unknown-linux-gnu...
> 2012/09/20 14:57:45| Process ID 23826
> 2012/09/20 14:57:45| Process Roles: master worker
> 2012/09/20 14:57:45| With 1024 file descriptors available
> 2012/09/20 14:57:45| Initializing IP Cache...
> 2012/09/20 14:57:45| DNS Socket created at [::], FD 5
> 2012/09/20 14:57:45| DNS Socket created at 0.0.0.0, FD 6
> 2012/09/20 14:57:45| Adding nameserver 192.168.8.1 from /etc/resolv.conf
> 2012/09/20 14:57:45| Adding domain localdomain from /etc/resolv.conf
> 2012/09/20 14:57:45| helperOpenServers: Starting 5/5 'ssl_crtd' processes
> 2012/09/20 14:57:45| Logfile: opening log
> daemon:/usr/local/squid-3.3/var/logs/access.log
> 2012/09/20 14:57:45| Logfile Daemon: opening log
> /usr/local/squid-3.3/var/logs/access.log
> 2012/09/20 14:57:45| Logfile: opening log /usr/local/squid-3.3/var/logs/icap-log
> 2012/09/20 14:57:45| WARNING: log parameters now start with a module
> name. Use 'stdio:/usr/local/squid-3.3/var/logs/icap-log'
>
>
> 2012/09/20 14:57:45| Store logging disabled
> 2012/09/20 14:57:45| Swap maxSize 0 + 262144 KB, estimated 20164 objects
> 2012/09/20 14:57:45| Target number of buckets: 1008
> 2012/09/20 14:57:45| Using 8192 Store buckets
> 2012/09/20 14:57:45| Max Mem size: 262144 KB
> 2012/09/20 14:57:45| Max Swap size: 0 KB
> 2012/09/20 14:57:45| Using Least Load store dir selection
> 2012/09/20 14:57:45| Set Current Directory to /usr/local/squid-3.3/var/cache
> 2012/09/20 14:57:45| Loaded Icons.
> 2012/09/20 14:57:45| HTCP Disabled.
> 2012/09/20 14:57:45| /usr/local/squid-3.3/var/run/squid.pid: (13)
> Permission denied
> 2012/09/20 14:57:45| WARNING: Could not write pid file
> 2012/09/20 14:57:45| Squid plugin modules loaded: 0
> 2012/09/20 14:57:45| Adaptation support is on
> 2012/09/20 14:57:45| Accepting SSL bumped HTTP Socket connections at
> local=192.168.8.134:3128 remote=[::] FD 20 flags=9
> 2012/09/20 14:57:45| Accepting HTTP Socket connections at
> local=192.168.8.134:8080 remote=[::] FD 21 flags=9
> 2012/09/20 14:57:45| Accepting SSL bumped HTTPS Socket connections at
> local=192.168.8.134:3129 remote=[::] FD 22 flags=9
> 2012/09/20 14:57:46| storeLateRelease: released 0 objects
>
> (ssl_crtd): Cannot create ssl certificate or private key.
> 2012/09/20 14:58:23| WARNING: ssl_crtd #2 exited
> 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5)
>
> 2012/09/20 14:58:23| Starting new helpers
> 2012/09/20 14:58:23| helperOpenServers: Starting 1/5 'ssl_crtd' processes
> 2012/09/20 14:58:23| client_side.cc(3478) sslCrtdHandleReply:
> "ssl_crtd" helper return <NULL> reply
> (ssl_crtd): Cannot create ssl certificate or private key.
>
> 2012/09/20 14:58:23| WARNING: ssl_crtd #1 exited
> 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5)
> 2012/09/20 14:58:23| storeDirWriteCleanLogs: Starting...
> 2012/09/20 14:58:23| Finished. Wrote 0 entries.
> 2012/09/20 14:58:23| Took 0.00 seconds ( 0.00 entries/sec).
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>
> Squid Cache (Version 3.HEAD-20120425-r12120): Terminated abnormally.
> CPU Usage: 0.355 seconds = 0.289 user + 0.066 sys
> Maximum Resident Size: 71104 KB
> Page faults with physical i/o: 0
> Memory usage for squid via mallinfo():
> total space in arena: 11924 KB
> Ordinary blocks: 11818 KB 49 blks
> Small blocks: 0 KB 0 blks
> Holding blocks: 664 KB 2 blks
> Free Small blocks: 0 KB
> Free Ordinary blocks: 105 KB
>
>
>
>
>
>
> On Thu, Sep 20, 2012 at 2:52 PM, Linos <info_at_linos.es> wrote:
>> On 19/09/12 16:46, Guy Helmer wrote:
>>>>
>>>> Thanks for reply.
>>>>
>>>> i checked the squid_ssl_db/size because i found the empty file problem searching
>>>> for my own problem in the mailing list, it's ok in my host, the file have the
>>>> content "139264" right now.
>>>>
>>>> I can't found the core file, do i need to do something for it to generate? maybe
>>>> a configure script option or squid.conf change to activate it?
>>>>
>>>> Regards,
>>>> Miguel Angel.
>>>
>>> I have
>>>
>>> coredump_dir /var/log/squid
>>>
>>> to get coredumps in my /var/log/squid directory. Now that I think about it, I don't remember if this works for ssl_crtd though -- seems like I have had to start "gdb ssl_crtd" and then attach to one of the ssl_crtd processes, then generate HTTPS traffic to trigger the request to ssl_crtd and get a backtrace when ssl_crtd gets the segfault signal…
>>>
>>> Guy
>>>
>>
>> Hi,
>> i have been trying to debug with gdb attaching existing process, the strange
>> it's that ssl_ctrd seems to exit normally in this test, here you have it (sorry
>> for the spanish locale, i will use english next time, the only file with symbols
>> it's ssl_crtd itself):
>>
>> --------------------------------------------------------------------------------
>> GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
>> Copyright (C) 2012 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>> and "show warranty" for details.
>> This GDB was configured as "x86_64-linux-gnu".
>> Para las instrucciones de informe de errores, vea:
>> <http://bugs.launchpad.net/gdb-linaro/>.
>> (gdb) attach 10495
>> Adjuntando a process 10495
>> Leyendo símbolos desde /usr/lib/squid3/ssl_crtd...Leyendo símbolos desde
>> /usr/lib/debug/usr/lib/squid3/ssl_crtd...hecho.
>> hecho.
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcrypto.so.0.9.8...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libstdc++.so.6...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libstdc++.so.6
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libgcc_s.so.1...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libgcc_s.so.1
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libc.so.6...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libc.so.6
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libdl.so.2...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libdl.so.2
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libz.so.1...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libz.so.1
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libm.so.6...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libm.so.6
>> Leyendo símbolos desde /lib64/ld-linux-x86-64.so.2...(no se encontraron símbolos
>> de depuración)hecho.
>> Símbolos cargados para /lib64/ld-linux-x86-64.so.2
>> 0x00007f3ef414f0a0 in read () from /lib/x86_64-linux-gnu/libc.so.6
>> (gdb) continue
>> Continuando.
>> [Inferior 1 (process 10495) exited normally]
>> (gdb) bt
>> No stack.
>>
>> --------------------------------------------------------------------------------
>>
>> I have tried attaching to squid3 process itself and i have received a signal here:
>>
>> GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
>> Copyright (C) 2012 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>> and "show warranty" for details.
>> This GDB was configured as "x86_64-linux-gnu".
>> Para las instrucciones de informe de errores, vea:
>> <http://bugs.launchpad.net/gdb-linaro/>.
>> (gdb) attach 10732
>> Adjuntando a process 10732
>> Leyendo símbolos desde /usr/sbin/squid3...coLeyendo símbolos desde
>> /usr/lib/debug/usr/sbin/squid3...ntinue
>> hecho.
>> hecho.
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libpthread.so.0...(no se
>> encontraron símbolos de depuración)hecho.
>> [Depuración de hilo usando libthread_db enabled]
>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>> Símbolos cargados para /lib/x86_64-linux-gnu/libpthread.so.0
>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libxml2.so.2...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libxml2.so.2
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libexpat.so.1...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libexpat.so.1
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libssl.so.0.9.8...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libssl.so.0.9.8
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcrypto.so.0.9.8...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libkrb5.so.3...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libkrb5.so.3
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcom_err.so.2...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libcom_err.so.2
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcap.so.2...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libcap.so.2
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/librt.so.1...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/librt.so.1
>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libltdl.so.7...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libltdl.so.7
>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libstdc++.so.6...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libstdc++.so.6
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libm.so.6...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libm.so.6
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libgcc_s.so.1...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libgcc_s.so.1
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libc.so.6...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libc.so.6
>> Leyendo símbolos desde /lib64/ld-linux-x86-64.so.2...(no se encontraron símbolos
>> de depuración)hecho.
>> Símbolos cargados para /lib64/ld-linux-x86-64.so.2
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libdl.so.2...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libdl.so.2
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libz.so.1...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libz.so.1
>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libk5crypto.so.3...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libk5crypto.so.3
>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libkrb5support.so.0...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libkrb5support.so.0
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libkeyutils.so.1...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libkeyutils.so.1
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libresolv.so.2...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libresolv.so.2
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnss_files.so.2...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libnss_files.so.2
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnss_compat.so.2...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libnss_compat.so.2
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnsl.so.1...(no se encontraron
>> símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libnsl.so.1
>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnss_nis.so.2...(no se
>> encontraron símbolos de depuración)hecho.
>> Símbolos cargados para /lib/x86_64-linux-gnu/libnss_nis.so.2
>> 0x00007f7d6243dac8 in poll () from /lib/x86_64-linux-gnu/libc.so.6
>> (gdb) continue
>> Continuando.
>>
>> Program received signal SIGPIPE, Broken pipe.
>> 0x00007f7d647becb0 in __write_nocancel () from /lib/x86_64-linux-gnu/libpthread.so.0
>> (gdb) bt
>> #0 0x00007f7d647becb0 in __write_nocancel () from
>> /lib/x86_64-linux-gnu/libpthread.so.0
>> #1 0x00007f7d63d075c5 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
>> #2 0x00007f7d63d05247 in BIO_write () from /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
>> #3 0x00007f7d63ffafc4 in ssl3_write_pending () from
>> /lib/x86_64-linux-gnu/libssl.so.0.9.8
>> #4 0x00007f7d63ffc853 in ssl3_dispatch_alert () from
>> /lib/x86_64-linux-gnu/libssl.so.0.9.8
>> #5 0x00007f7d63ff9442 in ssl3_shutdown () from
>> /lib/x86_64-linux-gnu/libssl.so.0.9.8
>> #6 0x00007f7d64e8f0f4 in AsyncCall::make (this=0x7f7d687eb390) at AsyncCall.cc:36
>> #7 0x00007f7d64e92117 in AsyncCallQueue::fireNext (this=<optimized out>) at
>> AsyncCallQueue.cc:54
>> #8 0x00007f7d64e92270 in AsyncCallQueue::fire (this=0x7f7d66f5f2c0) at
>> AsyncCallQueue.cc:40
>> #9 0x00007f7d64d7c494 in EventLoop::runOnce (this=0x7fff630b3e60) at
>> EventLoop.cc:131
>> #10 0x00007f7d64d7c568 in EventLoop::run (this=0x7fff630b3e60) at EventLoop.cc:95
>> #11 0x00007f7d64ddc039 in SquidMain (argc=<optimized out>, argv=<optimized out>)
>> at main.cc:1500
>> #12 0x00007f7d64d10b76 in SquidMainSafe (argv=<optimized out>, argc=<optimized
>> out>) at main.cc:1215
>> #13 main (argc=<optimized out>, argv=<optimized out>) at main.cc:1207
>>
>> Any ideas what's going on with this information? Thansk!
>>
>> Regards,
>> Miguel Angel.
>
>
>

Hi Ahmed,
did you found a way to fix or workaround this? i can't get a backtrace with the
information needed and no matter what i try it keeps failing, i had to disable
ssl and my users are a bit upset.

Regards,
Miguel Angel.
Received on Mon Sep 24 2012 - 08:44:28 MDT

This archive was generated by hypermail 2.2.0 : Mon Sep 24 2012 - 12:00:05 MDT