On 16/09/2025 08:32, Usama Mehboob wrote:
My squid version is 6 and running on amazon linux 2023.
root@ip-172-24-9-245:/var/log/squid# squid --version
Squid Cache: Version 6.13
Service Name: squid
This binary uses OpenSSL 3.2.2 4 Jun 2024. configure options: '--
...>
I am seeing this error in my cache-log
=============================
```
2025/09/14 09:46:34 kid1| ERROR: failure while accepting a TLS
connection on conn122766 local=3.225.139.255:443 remote=172.25.239.18:59114 FD 11 flags=33:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
current master transaction: master73677
OpenSSL library error code A000418 means "unknown CA".
When receiving a certificate chain, Squid found one of the CA was both
unknown, and did not provide details on where to fetch it.
Things you can do:
* Ensure that your machines "ca-certificates" are up to date.
* Fix the 'mode' issue below with squid.conf.
(I believe this is highly likely to be your problem).
* Try an upgrade to currently supported Squid. v7 these days.
* use "debug_options 11,2 ALL,1" to see what transactions are being
processed.
- Then "local=.. remote=.. FD .." on these errors should match
(exactly) to a CONNECT message earlier in the log. Telling you what
HTTPS server the client was try to connect to.
- Use that information to further track down what certificate details
are going bad. Ones from client (peek step1) or from server (peek step2).
My squid.conf file is this
====================
visible_hostname squid
FYI, The above should be an FQDN and resolvable in what your clients see
as the "public" DNS system.
http_port 3128
http_port 3129 intercept
https_port 3130 cert=/path/to/squid.pem ssl-bump intercept
Mode ("intercept ssl-bump") goes first. This is to ensure that Squid
loads the correct certificate type(s) etc.
https_port 3130 intercept ssl-bump cert=/path/to/squid.pem
If the above change makes squid produces certificate validation errors
about the CA, that may have been the problem. It needs fixing.
http_access allow SSL_ports
Congratulations, you now have an "open proxy" free use for the entire world.
I recommend removing this line. The rules you have later restricting
access to "localnet" is sufficient to allow LAN clients the access they
need.
acl instance_metadata dst 169.254.169.254
http_access deny instance_metadata
The above is unnecessary when the proxy is limited to "localnet" or
"localhost" use. You should be able to remove these once you stop doing
the "allow SSL_Ports".
acl allowed_https_sites ssl::server_name .domain1.com .domain2.com .domain3.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all
Okay. FYI, the default step #3 action after "peek step2" should be
splice. Which means any traffic reaching step #3 will splice.
You can clarify a bit by
Which is the same as this:
# Step 1
ssl_bump peek step1
# Step 2
ssl_bump peek allowed_https_sites
ssl_bump terminate step2
# Step 3
ssl_bump splice step3
server_idle_pconn_timeout 60 minute
connect_timeout 60 minute
read_timeout 60 minute
write_timeout 60 minute
request_timeout 60 minute
You might want to add request_start_timeout to that set of extended
timeouts. No use allowing 60 minutes for the first read() of TLS bytes,
if Squid is going to abort after 5 minutes of not seeing any HTTP request.
logformat fqdn_log %tg:UTC %6tr client:%>a %Ss/%03>Hs %<st %rm %ru %[un
%Sh/%<A %mt %ssl::>sni
access_log /var/log/squid/access.log fqdn_log
logfile_rotate 10
debug_options ALL,1, rotate=1
Can somebody please recommend some changes to try out?, also it drops
connection sometime when trying to connect to salesforce BulkAPI and
upon contacting salesforce, their team mentioned that it happens if
client (squid) closes connection before salesforce server. will
appreciate the help. thanks
Yeah, it seems their service is a bit fragile. Not sure what is going
bad there. Their service MUST cope with arbitrary closures, but Squid
should not be closing a transaction too-early.
Maybe an upgrade to v7 will help with that (better code, more things
fixed, etc), but no guarantees.
HTH
Amos
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
