Hello Alex,

thank you for your answer,
yes, with:

tls_outgoing_options options=0x80

squid doesn't complain about this parameter anymore and is running, but I think it 
will not be taken into account.

I still get the errorpage "ERR_READ_ERROR" when I try to reach 
https://www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do with 
enabled bumping.

With the openssl command it makes a difference (the error message is gone when 
SSL_OP_IGNORE_UNEXPECTED_EOF is given as an option).

without SSL_OP_IGNORE_UNEXPECTED_EOF you get an error:

--snip--
root@trixie:/# echo -e "GET 
https:////www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do 
HTTP/1.1\r\nHost: www.zeitwertkonten.ruv.de\r\n\r\n" | openssl s_client -quiet 
-connect www.zeitwertkonten.ruv.de:443 >/dev/null
Connecting to 91.235.236.137
depth=3 C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
verify return:1
depth=2 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1
verify return:1
depth=1 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS OV ICA 2022 - 1
verify return:1
depth=0 C=DE, ST=HE, L=Wiesbaden, O=R+V Allgemeine Versicherung AG, 
CN=www.zeitwertkonten.ruv.de
verify return:1
40876FE3EB7F0000:error:0A000126:SSL routines::unexpected eof while 
reading:../ssl/record/rec_layer_s3.c:696:
root@trixie:/# 
--snip--

with SSL_OP_IGNORE_UNEXPECTED_EOF the error message is gone:

--snip--
root@trixie:/# echo -e "GET 
https:////www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do 
HTTP/1.1\r\nHost: www.zeitwertkonten.ruv.de\r\n\r\n" | openssl s_client 
-ignore_unexpected_eof  -quiet -connect www.zeitwertkonten.ruv.de:443 >/dev/null
Connecting to 91.235.236.137
depth=3 C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
verify return:1
depth=2 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1
verify return:1
depth=1 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS OV ICA 2022 - 1
verify return:1
depth=0 C=DE, ST=HE, L=Wiesbaden, O=R+V Allgemeine Versicherung AG, 
CN=www.zeitwertkonten.ruv.de
verify return:1
root@trixie:/# 
--snip--

So for me it looks like squid doesn't set the SSL option.


On Fri, Oct 31, Alex Rousskov wrote:

> On 2025-10-31 08:12, Dieter Bloms wrote:
> 
> > Does anybody know how to set the SSL option SSL_OP_IGNORE_UNEXPECTED_EOF
> 
> Squid does not recognize that option by name[^1]. Use the option's hex value as
> a workaround until [^1]. If my math is correct[^2], that option's hex value is
> 0x80.
> 
> [^1]: A quality pull request adding by-name support for all known OpenSSL
> v3.5 options is welcome.
> 
> [^2]: From OpenSSL include/openssl/ssl.h.in sources:
> #define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)
> #define SSL_OP_IGNORE_UNEXPECTED_EOF  SSL_OP_BIT(7)
> 
> 
> HTH,
> 
> Alex.
> 
> > There are some websites like 
> > https://www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do
> > which don't send the close_notify alert on shutdown, and squid sends an 
> > error page to the browser.
> > As a workaround I want to set the SSL_OP_IGNORE_UNEXPECTED_EOF option, but 
> > it doesn't work.
> > 
> > I added one of the following lines, but every time squid complains about unknown 
> > TLS options.
> > 
> > tls_outgoing_options options=SSL_OP_IGNORE_UNEXPECTED_EOF
> > or
> > tls_outgoing_options options=IGNORE_UNEXPECTED_EOF
> > 
> > but every time I get an error message like
> > 2025/10/31 11:56:35 kid1| ERROR: Unknown TLS option 
> > SSL_OP_IGNORE_UNEXPECTED_EOF
> > or
> > 2025/10/31 12:53:20 kid1| ERROR: Unknown TLS option IGNORE_UNEXPECTED_EOF
> > 
> > My ssl_bump related configlines look like:
> > 
> > http_port 8080 ssl-bump generate-host-certificates=on 
> > dynamic_cert_mem_cache_size=32MB tls-cert=/secrets/ca.pem 
> > tls-dh=/etc/squid/dhparams.pem
> > sslcrtd_program /usr/sbin/security_file_certgen -s 
> > /var/cache/squid/sslcert_db -M 32MB
> > sslcrtd_children 32 startup=10 idle=3
> > tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
> > tls_outgoing_options options=IGNORE_UNEXPECTED_EOF
> > ssl_bump peek step1
> > ssl_bump splice nohttpsscandomain
> > ssl_bump bump all
> > 
> > I use squid 7.3 on an up-to-date Debian trixie with OpenSSL 3.5.1.
> > 
> > Here are some details of my system:
> > 
> > ~# cat /etc/os-release
> > PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
> > NAME="Debian GNU/Linux"
> > VERSION_ID="13"
> > VERSION="13 (trixie)"
> > VERSION_CODENAME=trixie
> > DEBIAN_VERSION_FULL=13.1
> > ID=debian
> > HOME_URL="https://www.debian.org/"
> > SUPPORT_URL="https://www.debian.org/support"
> > BUG_REPORT_URL="https://bugs.debian.org/"
> > 
> > root@cdxhttpproxyiapdev01-v2465:/etc/squid# squid -v
> > Squid Cache: Version 7.3
> > Service Name: squid
> > 
> > This binary uses OpenSSL 3.5.1 1 Jul 2025. configure options:  
> > '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' 
> > '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' 
> > '--datadir=/usr/share/squid' '--mandir=/usr/share/man' 
> > '--with-default-user=squid' '--with-filedescriptors=131072' 
> > '--with-logdir=/var/log/squid' '--disable-auto-locale' '--disable-eui' 
> > '--disable-carp' '--disable-htcp' '--disable-ident-lookups' 
> > '--disable-translation' '--disable-wccp' '--disable-wccpv2' 
> > '--disable-arch-native' '--disable-auth-negotiate' '--disable-auth-ntlm' 
> > '--enable-async-io=128' '--enable-auth-basic=LDAP,NCSA' 
> > '--enable-auth-digest=file,LDAP' '--enable-epoll' 
> > '--enable-log-daemon-helpers=file' '--enable-icap-client' '--enable-inline' 
> > '--enable-snmp' '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' 
> > '--enable-storeio=ufs,aufs,rock' '--enable-referer-log' 
> > '--enable-useragent-log' '--enable-large-cache-files' 
> > '--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded-for' 
> > '--enable-ssl-crtd' '--with-openssl' 'CFLAGS=-g -O2 
> > -Werror=implicit-function-declaration -ffile-prefix-map=/=. 
> > -fstack-protector-strong -fstack-clash-protection -Wformat 
> > -Werror=format-security -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 
> > 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 
> > -ffile-prefix-map=/=. -fstack-protector-strong -fstack-clash-protection 
> > -Wformat -Werror=format-security -fcf-protection'
> > 
> > 
> 

-- 
Gruß

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
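As an added example (not code from this thread or from the Squid project): a small Python helper that reproduces the SSL_OP_BIT arithmetic from Alex's footnote, renders the hex workaround as a squid.conf line, and decodes a hex value back into option names so you can check what a given mask actually enables. The option table is my partial copy of the bit numbers in OpenSSL 3.x include/openssl/ssl.h.in, and the cross-check against Python's ssl module is an assumption about the local build, not something the thread shows.

```python
import ssl
from typing import List, Optional

MASK64 = (1 << 64) - 1

def ssl_op_bit(n: int) -> int:
    """Same arithmetic as OpenSSL's SSL_OP_BIT(n): ((uint64_t)1 << n)."""
    if not 0 <= n < 64:
        raise ValueError("OpenSSL option bits are numbered 0..63")
    return (1 << n) & MASK64

# Bit numbers copied from OpenSSL 3.x include/openssl/ssl.h.in. Partial table
# (only entries I am sure of), not the full header.
OPTION_BITS = {
    "SSL_OP_IGNORE_UNEXPECTED_EOF": 7,   # the option this thread is about
    "SSL_OP_NO_TICKET": 14,
    "SSL_OP_NO_COMPRESSION": 17,
    "SSL_OP_CIPHER_SERVER_PREFERENCE": 22,
    "SSL_OP_NO_TLSv1": 26,
    "SSL_OP_NO_TLSv1_2": 27,
    "SSL_OP_NO_TLSv1_1": 28,
    "SSL_OP_NO_TLSv1_3": 29,
}
BIT_NAMES = {bit: name for name, bit in OPTION_BITS.items()}

def option_mask(*names: str) -> int:
    """OR the named options into one 64-bit mask (KeyError for unknown names)."""
    mask = 0
    for name in names:
        mask |= ssl_op_bit(OPTION_BITS[name])
    return mask

def decode_mask(mask: int) -> List[str]:
    """Options a hex value enables, lowest bit first. Unknown bits are shown
    as SSL_OP_BIT(n) so nothing that is set gets silently dropped."""
    if mask < 0 or mask > MASK64:
        raise ValueError("mask does not fit in uint64_t")
    return [BIT_NAMES.get(b, f"SSL_OP_BIT({b})") for b in range(64) if mask >> b & 1]

def squid_options_line(*names: str) -> str:
    """The hex workaround from the reply as a squid.conf directive. Assumes
    Squid accepts one hex value here, as the reply states."""
    return f"tls_outgoing_options options=0x{option_mask(*names):X}"

def matches_local_openssl(name: str) -> Optional[bool]:
    """Cross-check a table entry against the constant Python's ssl module exports
    for its linked OpenSSL; None if this Python build lacks that constant."""
    value = getattr(ssl, name[len("SSL_"):], None)  # SSL_OP_X -> ssl.OP_X
    return None if value is None else int(value) == ssl_op_bit(OPTION_BITS[name])
```

Running `decode_mask(int("0x80", 16))` on the value you put into squid.conf is the quickest way to confirm it enables exactly the option you intended and nothing else.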
