* Guido Falsi (m...@madpilot.net):
On Wed, Aug 11, 2010 at 12:54:07PM +0200, Dominique BERTHET wrote:
Hi,
I'm a sysadmin in a French School (Ecole des Mines de Saint-Etienne)
I have 2 squid FreeBSD servers based with ntlm authentification
I have upgrade squid from 5.1.x to 5.1.6 (yesterday)
On a 32b arch: no problem, everything work fine
On amd64: it works with http websites but impossible to access https
websites with this
TCP_MISS/503 errors
On the amd64 server i downgrade to squid-3.0.25_2 and everything work
fine...
I supposed it's a problem with amd64 arch
I'm having the same exact problem at work.
It looks like a problem related to IPv6 support. Could you check if you
have IPv6 in the i386 kernel?
I found just one thread abut this in the squid mailing lists and on
linux the solution sems to be enabling IPv6. (can't find the url right
now)
I suspect squid 3.1.6 is trying to, for some reason, uses some IPv6
feature to perform CONNECT requests used to transport https.
My solution for now has ben reverting to the previous (3.1.4) version of
the squid port waiting to find a fix for this.
Thanks for the heads up. From looking at
http://www.squid-cache.org/Versions/v3/3.1/changesets/
it looks like you are running into Squid bug #2994/3011 (squid
3.1.6 does not work on ipv4-only systems). Can you confirm that?
Could you try this patch against www/squid31? It adds a trimmed version
of changeset 10063 to the files/ directory. I tested that Squid still
builds on 8.1-STABLE/amd64.
Index: files/patch-changeset_10063
===
--- files/patch-changeset_10063 (Revision 0)
+++ files/patch-changeset_10063 (Revision 0)
@@ -0,0 +1,231 @@
+
+revno: 10063
+revision-id: amosjeffr...@squid-cache.org-2010081641-hybknxtyd8ukt5c1
+parent: amosjeffr...@squid-cache.org-20100810083149-w98pbcc8f0d5tlpo
+committer: Amos Jeffries amosjeffr...@squid-cache.org
+branch nick: SQUID_3_1
+timestamp: Wed 2010-08-11 05:16:41 -0600
+message:
+ Bug 3011: ICAP, HTTPS, cache_peer probe IPv4-only port fixes
+
+ Also updates the forwarding CONNECT_FAIL errors to display more correct
+ errno messages.
+
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: amosjeffr...@squid-cache.org-2010081641-\
+# hybknxtyd8ukt5c1
+# target_branch: http://www.squid-cache.org/bzr/squid3/trunk/
+# testament_sha1: 2aac12c8c664a6c3dbdbd075b256aefeb53926a8
+# timestamp: 2010-08-11 11:31:46 +
+# source_branch: http://www.squid-cache.org/bzr/squid3/branches\
+# /SQUID_3_1
+# base_revision_id: amosjeffr...@squid-cache.org-20100810083149-\
+# w98pbcc8f0d5tlpo
+#
+# Begin patch
+=== modified file 'src/adaptation/ServiceConfig.cc'
+--- src/adaptation/ServiceConfig.cc2010-05-26 04:00:23 +
src/adaptation/ServiceConfig.cc2010-08-11 11:16:41 +
+@@ -5,10 +5,11 @@
+ #include squid.h
+ #include ConfigParser.h
+ #include adaptation/ServiceConfig.h
++#include ip/tools.h
+
+ Adaptation::ServiceConfig::ServiceConfig():
+ port(-1), method(methodNone), point(pointNone),
+-bypass(false), routing(false)
++bypass(false), routing(false), ipv6(false)
+ {}
+
+ const char *
+@@ -93,7 +94,11 @@
+ grokked = grokBool(bypass, name, value);
+ else if (strcmp(name, routing) == 0)
+ grokked = grokBool(routing, name, value);
+-else {
++else if (strcmp(name, ipv6) == 0) {
++grokked = grokBool(ipv6, name, value);
++if (grokked ipv6 !Ip::EnableIpv6)
++debugs(3, DBG_IMPORTANT, WARNING: IPv6 is disabled. ICAP
service option ignored.);
++} else {
+ debugs(3, 0, cfg_filename ':' config_lineno :
+unknown adaptation service option: name '='
value);
+ }
+
+=== modified file 'src/adaptation/ServiceConfig.h'
+--- src/adaptation/ServiceConfig.h 2009-09-03 12:15:55 +
src/adaptation/ServiceConfig.h 2010-08-11 11:16:41 +
+@@ -33,6 +33,7 @@
+ VectPoint point; // where the adaptation happens (pre- or post-cache)
+ bool bypass;
+ bool routing; /// whether this service may determine the next service(s)
++bool ipv6;/// whether this service uses IPv6 transport (default IPv4)
+
+ protected:
+ Method parseMethod(const char *buf) const;
+
+=== modified file 'src/adaptation/icap/Xaction.cc'
+--- src/adaptation/icap/Xaction.cc 2009-09-03 12:15:55 +
src/adaptation/icap/Xaction.cc 2010-08-11 11:16:41 +
+@@ -13,6 +13,7 @@
+ #include pconn.h
+ #include HttpRequest.h
+ #include HttpReply.h
++#include ip/tools.h
+ #include acl/FilledChecklist.h
+ #include icap_log.h
+ #include fde.h
+@@ -116,6 +117,15 @@
+ disableRetries(); // we only retry pconn failures
+
+ IpAddress outgoing;
++if (!Ip::EnableIpv6