Re: [squid-users] Squid RP in front of Atlassian Stash with SSL - 100% CPU and not responding

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 08 Aug 2013 23:29:16 +1200

On 8/08/2013 8:04 p.m., PSA4444 wrote:
> I've been stuck on this for 2 days now.
>
> After accessing this cache a couple of times, the CPU jumps to 100% and
> squid stops forwarding requests.
> It remained like this for 24 hours until I killed the process.
>
> Adding the following lines to the config has resolved the issue:
>
> ########################
> always_direct allow all
> sslproxy_flags DONT_VERIFY_PEER
> ########################
>
> BOTH of those lines must be added otherwise the symptoms return.
>
> But why? What are the security implications of these settings and why would
> they resolve the infinite loop problem?

This may be OpenSSL's bug 3090 which has infinite loop recursing
certificate chains on validation.

If so the sslproxy_flags is disabling certificate verification on DIRECT
traffic, and always_direct is disabling use of the cache_peer with SSL
settings.

Please try the patch which can be downloaded from here:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-12963.patch
It may need some tweaking to apply on 3.3 or 3.2 versions of Squid.

>
> Config snippet
> ########################
> https_port 443 accel cert=/path/to/CertAuth/cert.cert
> key=/path/to/CertAuth/key.pem vhost defaultsite=www.domain.com
>
> cache_peer source.domain.com parent 443 0 no-query originserver ssl
> sslversion=3 connect-timeout=8 connect-fail-limit=2 sslflags=DONT
> _VERIFY_PEER front-end-https=on name=source login=PASSTHRU
> acl sites_source dstdomain source.domain.com
> cache_peer_access source allow sites_source
> acl http proto http
> acl https proto https
> ########################
>
> Replicated problem with:
> Ubuntu 12.04 - Squid 3.2 - compiled.
> CentOS 6 - Squid 3.3 - compiled.
> CentOS 6 - Squid 3.1 - installed from repository.
>
> Atlassian Stash with paid for SSL Certificate - looks fine connecting
> directly in firefox.
> Atlassian Stash with self signed SSL certificate.

> P.S. This appears to be the same problem:
> http://www.squid-cache.org/mail-archive/squid-users/201111/0416.html

I don't think so. That report the certificate is accepted and the hang
occurs afterwards. They are also havign it with disabled verification on
the failing link, which is the workaround that you found successful (you
could replace that "always_direct allow all" with cache_peer
sslflags=DONT_VERIFY_PEER).

Amos
Received on Thu Aug 08 2013 - 11:29:23 MDT

This archive was generated by hypermail 2.2.0 : Thu Aug 08 2013 - 12:00:14 MDT