Re: [squid-users] Squid crashes with "!Comm::MonitorsRead(serverConnection->fd)"

2018-11-07 Thread Julian Perconti
> > 2018/11/07 12:41:45 kid1| assertion failed: http.cc:1530: > > "!Comm::MonitorsRead(serverConnection->fd)" > > IIRC, there are relevant bug reports in bugzilla. > Hi, See if this helps or it's similar to your case: https://bugs.squid-cache.org/show_bug.cgi?id=4896 If your squid's crash is

Re: [squid-users] Squid 4.3 assertion failed

2018-10-24 Thread Julian Perconti
> > Program received signal SIGHUP, Hangup. Yes, I did not realize that I have executed 'squid -k reconfigure', hence that SIGHUP signal. I do not know if the following is relevant but: When the exception occurred, I had executed (earlier) 'squid -k reconfigure'. Then, I made a full squid

Re: [squid-users] Squid 4.3 assertion failed

2018-10-24 Thread Julian Perconti
> Hi Alex/Amos > > Since yesterday squid is running via this method in a cron script: > > trap "rm -f $$.gdb" 0 > cat <$$.gdb > handle SIGPIPE pass nostop noprint > handle SIGTERM pass nostop noprint > handle SIGUSR1 pass nostop noprint > handle SIGHUP pass > handle SIGKILL pass > handle

Re: [squid-users] Squid 4.3 assertion failed

2018-10-23 Thread Julian Perconti
> >> assertion failed: http.cc:1530: "!Comm::MonitorsRead(serverConnection- > >fd)" > > > >> Any idea? > > > > Without the stack trace, it is difficult to say much about this bug. > > Please collect a stack trace from the crash and post it to Squid > > bugzilla. If the stack trace looks similar to

[squid-users] Squid 4.3 assertion failed

2018-10-22 Thread Julian Perconti
Hi all, Environment: Squid Cache: Version 4.3-20181014-r17614d5 Service Name: squid This binary uses OpenSSL 1.1.0f 25 May 2017. For legal restrictions on distribution see https://www.openssl.org/source/license.html configure options: '--prefix=/usr' '--build=x86_64-linux-gnu'

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-26 Thread Julian Perconti
> > When I say "implicit" I want to mean that there is no any step specified in > the rule. > > Understood. Please avoid that word usage. In this context, implicit means > "without being configured" or "by default". One could say that "default rules > implicitly match", or that "a rule without

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-22 Thread Julian Perconti
> > # Second rule: > > ssl_bump splice noBumpSites > > > > I think that this rule should implicity match only at step2. > > I do not know what "implicitly match" means here, but yes, the splice rule > may only match at step2 in this configuration: When I say "implicit" I want to mean that there

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-21 Thread Julian Perconti
> > I will go (finally) with this sslBump config. Although I still have some > doubts... > > I think that It's time to finish this thread. > > I am confused because "you think it is time to finish this thread" but you are > asking new questions. Please clarify, do you want answers to the

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-21 Thread Julian Perconti
Hi all. I will go (finally) with this sslBump config. Although I still have some doubts... I think that It's time to finish this thread. # TLS CFG acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump" # steps ACL acl step1 at_step SslBump1 acl step2 at_step SslBump2 acl step3

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-19 Thread Julian Perconti
I reply to myself due to a bounce and I have to re-enable the membership to list at least 3 times at month. Maybe a problem with Yahoo. >>> Alex: After a splice rule is applied, SslBump is over. No more rules are >>> checked. No more loops are iterated. Squid simply "exits" the SslBump >>>

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-19 Thread Julian Perconti
>After a splice rule is applied, SslBump is over. No more rules are >checked. No more loops are iterated. Squid simply "exits" the SslBump >feature (and becomes a TCP tunnel). How is that? What about the meaning of the ACL's at step1 when splice? e.g.: There only these two rules for ssl_bump

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-18 Thread Julian Perconti
> Both loops can finish "early" (i.e. before three steps and/or before all > configured rules are evaluated). Yes, maybe I would have should say at least: "Well in really, depend on the rules.." Especially in the inner loop. But I pointed to the maximum possibilities. (if exists) > Just to

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-17 Thread Julian Perconti
> > So, when squid reaches this first rule and line (there is no explicit > > step) ...does Squid make a "bucle of steps" only along the first line > > and go to next line only when the rule stop being > > applicable/matchable? > > I hesitate answering that question with a simple "yes" or "no"

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-13 Thread Julian Perconti
> > Example: > > > > ssl_bump splice noBumpSites # this will be totally ignored by Squid if a > stare rule precedes this. > > No, this is incorrect. There are many cases where a previous stare rule will > not > have the effect you state it will. For example: > > # Squid may splice at step2

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-12 Thread Julian Perconti
> I am afraid you do not. You are probably missing the fact that, at each step, > the rules after the matching applicable rule are not checked. > Also, you seem to insert some implicit peeking rules that are never there. > Finally, there may be some confusion regarding how multiple ACLs on one >

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-12 Thread Julian Perconti
> > So, in a brief the config is: > > > > ssl_bump peek step1 all > > ssl_bump peek step2 noBumpSites > > ssl_bump stare step2 all > > ... which should be equivalent to an even simpler config: > > ssl_bump peek step1 > ssl_bump peek noBumpSites > ssl_bump stare all Yes, I've tested and

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-10 Thread Julian Perconti
> -Original message- > From: squid-users On behalf of > Amos Jeffries > Sent: Monday, September 10, 2018 01:13 > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations > > > > > ...So that means that squid processes the

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-09 Thread Julian Perconti
> -Original message- > From: squid-users On behalf of > Amos Jeffries > Sent: Sunday, September 9, 2018 02:35 > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations > > On 9/09/18 5:45 A

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-08 Thread Julian Perconti
> -Original message- > From: squid-users On behalf of > Amos Jeffries > Sent: Friday, September 7, 2018 15:19 > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations > > > So from

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-07 Thread Julian Perconti
> From: squid-users On behalf of > Amos Jeffries > Sent: Friday, September 7, 2018 01:18 > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations > > On 7/09/18 1:48 PM, Julian Perconti wrote:> > >

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-06 Thread Julian Perconti
> From: Alex Rousskov > Sent: Monday, August 13, 2018 02:01 > To: Julian Perconti ; squid-users@lists.squid- > cache.org > Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations > > On 08/12/2018 06:57 PM, Julian Perconti wrote: > >> From:

Re: [squid-users] Squid and DNS

2018-09-06 Thread Julian Perconti
> > So squid can not use one resolver for a local and public domains/addresses > and other or a second resolver to only public domains/ip? Both recursive > resolvers. > > > > Correct. Thank you for the clarification. > > > Amos > ___ > squid-users

Re: [squid-users] Squid and DNS

2018-09-06 Thread Julian Perconti
> From: squid-users On behalf of > Amos Jeffries > Sent: Thursday, September 6, 2018 09:57 > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] Squid and DNS > > On 6/09/18 7:22 PM, Matus UHLAR - fantomas wrote: > > On 06.09.18 0

Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-08-12 Thread Julian Perconti
> -Original message- > From: Alex Rousskov > Sent: Sunday, August 12, 2018 20:50 > To: Julian Perconti ; squid-users@lists.squid- > cache.org > Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations > > On 08/12/2018 04:09 PM, Julian

[squid-users] About SSL peek-n-splice/bump configurations

2018-08-12 Thread Julian Perconti
Hi, I would like to know which of these two cfg's are "better" or "more secure" when a site/domain is spliced, bumped, etc. Here the lines... # mandatory lines: acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump" acl step1 at_step SslBump1 acl step2 at_step SslBump2 acl step3

Re: [squid-users] [squid-announce] Squid 4.2 is available

2018-08-10 Thread Julian Perconti
> From: squid-users On behalf of > Amos Jeffries > Sent: Friday, August 10, 2018 02:41 > To: squid-annou...@lists.squid-cache.org > Subject: [squid-users] [squid-announce] Squid 4.2 is available > > The Squid HTTP Proxy team is very pleased to announce the availability of the >

Re: [squid-users] Delay pools in squid4 not working with https

2018-07-12 Thread Julian Perconti
> -Original message- > From: Julian Perconti [mailto:vh1...@yahoo.com.ar] > Sent: Thursday, July 12, 2018 21:24 > To: 'squid-users@lists.squid-cache.org' cache.org> > Subject: RE: [squid-users] Delay pools in squid4 not working with https > > > -M

Re: [squid-users] Delay pools in squid4 not working with https

2018-07-12 Thread Julian Perconti
> -Original message- > From: Alex Rousskov [mailto:rouss...@measurement-factory.com] > Sent: Thursday, July 12, 2018 21:20 > To: Julian Perconti ; squid-users@lists.squid- > cache.org > Subject: Re: [squid-users] Delay pools in squid4 not working with https >

Re: [squid-users] Delay pools in squid4 not working with https

2018-07-12 Thread Julian Perconti
> -Original message- > From: Alex Rousskov [mailto:rouss...@measurement-factory.com] > Sent: Thursday, July 12, 2018 21:03 > To: Julian Perconti ; squid-users@lists.squid- > cache.org > Subject: Re: [squid-users] Delay pools in squid4 not working with https >

Re: [squid-users] Delay pools in squid4 not working with https

2018-07-12 Thread Julian Perconti
> From: Alex Rousskov [mailto:rouss...@measurement-factory.com] > Sent: Thursday, July 12, 2018 20:31 > To: Julian Perconti ; squid-users@lists.squid- > cache.org > Subject: Re: [squid-users] Delay pools in squid4 not working with https > > On 07/12/2018 05:19 PM,

Re: [squid-users] Delay pools in squid4 not working with https

2018-07-11 Thread Julian Perconti
>> >> On Tuesday, July 10, 2018 18:57:43 -03, Alex Rousskov >> wrote: >> >> >> On 07/10/2018 01:50 PM, Paolo Marzari wrote: >>> My home server just updated from 3.5.27, everything is working fine, but >>> delay pools seems broken to me. >> >>> Revert to 3.5.27 and

Re: [squid-users] Squid 4.1 Error negotiating SSL connection

2018-07-06 Thread Julian Perconti
>>>> On Wednesday, July 4, 2018 01:21:12 -03, Amos >>>>Jeffries wrote: >>>> >>>> On 04/07/18 12:06, Julian Perconti wrote: >

[squid-users] Squid 4.1 Error negotiating SSL connection

2018-07-03 Thread Julian Perconti
Hi all, I have installed squid 4.1 on debian 9 with openssl 1.1.0f on transparent mode. I need to know how to track this error: (debugging options is almost impossible I mean examine the FD, etc.) kid1| Error negotiating SSL connection on FD 19: error:0001:lib(0):func(0):reason(1)

Re: [squid-users] SSL errors with Squid 3.5.27 [SOLVED]

2018-07-02 Thread Julian Perconti
Hi all, Problem solved. With squid 4 openssl 1.1 I realized that WhatsApp use the following ports: 5223, 5228, 4244, 5242, and 5222 in addition to 443, 80. So I opened those ports on the firewall and everything worked. Also I changed the cipher suite in squid.conf like this: (for the dropbox

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-28 Thread Julian Perconti
Hi all: Finally I migrate everything to debian 9 with openssl 1.1 and squid 4 (june 22/18) release (the last one). Everything seems to go very well. However, the dropbox client logs this error in cache.log: kid1| ERROR: negotiating TLS on FD 35: error:141710F8:SSL

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Julian Perconti
Googling I found these cfg lines: acl SSLERR ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN sslproxy_cert_error allow SSLERR sslproxy_cert_error deny all The error "certificate verify failed" has disappeared, I refer to this error:

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Julian Perconti
> have you tried -servername option for setting SNI extension? How can I do this? Well, debugging cache.log I found this: 2018/06/18 08:22:08.822 kid1| 83,5| support.cc(300) ssl_verify_cb: Self signed certificate in certificate chain: /CN=courier.push.apple.com/O=Apple

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-12 Thread Julian Perconti
>Interesting. > >The main issue was that you configured only params for the Diffie-Hellman (DH >and DHE) ciphers - no >curve name. That meant your specified EEC* ciphers were >disabled since they require a curve name as >well. > >Removing this option completely disables both DH and ECDH cipher

Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-09 Thread Julian Perconti
>> https_port 3130 intercept ssl-bump \ >> cert=/etc/squid/ssl_cert/squidCA.pem \ >> key=/etc/squid/ssl_cert/squidCA.pem \ >> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB >> tls-dh=/etc/squid/ssl_cert/dhparam.pem > >These DH parameters are for old DH not for ECDHE (missing

[squid-users] SSL errors with Squid 3.5.27

2018-06-08 Thread Julian Perconti
Hello community, I am new to the list and, I hope everyone is well. I have running a squid server on debian 7. My squid version is 3.5.27 manually compiled with LibreSSL 2.6.0 due to problems with Dropbox. After compiling squid with LibreSSL, the error "unknown cipher returned" has disappeared