Re: SSL issue on Squid version 4 after blacklisting


Re: SSL issue on Squid version 4 after blacklisting

Eliezer Croitoru-3

Hey Dixit,

 

Have you seen the next bug report:

https://bugs.squid-cache.org/show_bug.cgi?id=5067#c4

 

Alex/Amos: I assume that this specific issue deserves a DEBUG which will describe and relate to this BUG:5067 report.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

 

From: DIXIT Ankit <[hidden email]>
Sent: Friday, September 25, 2020 4:22 PM
To: Eliezer Croitor <[hidden email]>; 'Squid Users' <[hidden email]>
Subject: RE: SSL issue on Squid version 4 after blacklisting

 

Eliezer/Team,

 

Any help would be appreciated.

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: DIXIT Ankit
Sent: Tuesday, September 15, 2020 1:24 PM
To: Eliezer Croitor <[hidden email]>; 'Squid Users' <[hidden email]>
Subject: SSL issue on Squid version 4 after blacklisting

 

Subject changed

 

Eliezer/Team,

 

Connecting with you again after we upgraded to Squid version 4.

 

We have blacklisted the domain categories on Squid Proxy, but we are getting the below exception in cache.log, and due to this internet is not flowing from client servers via Squid.

This blacklist category has thousands of blacklisted domains.

 

kid1| Error negotiating SSL on FD 33: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

kid1| Error negotiating SSL connection on FD 26: (104) Connection reset by peer

 

Is there any specific SSL certificate we need to configure? Or any other issue you see here?

 

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: DIXIT Ankit
Sent: Monday, July 6, 2020 8:50 AM
To: Eliezer Croitor <[hidden email]>; 'Squid Users' <[hidden email]>
Subject: RE: [squid-users] Squid memory consumption problem

 

Eliezer,

 

SSL was failing for a few applications but was working fine for other applications, so we reverted back to the old version.

I am not sure what SSL certificate dependency was there.

It would be great if you could suggest memory leak solutions for the 3.12 version.

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: Eliezer Croitor <[hidden email]>
Sent: Sunday, July 5, 2020 5:58 PM
To: DIXIT Ankit <[hidden email]>; 'Squid Users' <[hidden email]>
Cc: SETHI Konica <[hidden email]>
Subject: RE: [squid-users] Squid memory consumption problem

 

 

Hey,

 

What happened with this issue?

I am waiting for any input about this issue to understand what I can try to help with.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

 

From: DIXIT Ankit [[hidden email]]
Sent: Tuesday, June 30, 2020 12:35 PM
To: Eliezer Croitoru; Squid Users
Cc: SETHI Konica
Subject: RE: [squid-users] Squid memory consumption problem

 

For your information, we have added the below configurations, but again the same issue.

 

tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

 

tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: DIXIT Ankit
Sent: Tuesday, June 30, 2020 10:25 AM
To: Eliezer Croitoru <[hidden email]>; Squid Users <[hidden email]>
Cc: SETHI Konica <[hidden email]>
Subject: RE: [squid-users] Squid memory consumption problem

 

Eliezer,

 

Clients are facing some SSL-related issues after the upgrade. I could see the below error. Please suggest; it's a little urgent.

 

quid[6706]: Error negotiating SSL connection on FD 167: error:00000001:lib(0):func(0):reason(1) (1/0)
Jun 30 09:17:38 squid[6706]: Error parsing SSL Server Hello Message on FD 77
Jun 30 09:17:38 squid[6706]: Error negotiating SSL connection on FD 75: error:00000001:lib(0):func(0):reason(1) (1/0)

 

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: Eliezer Croitoru <[hidden email]>
Sent: Tuesday, June 30, 2020 9:10 AM
To: Squid Users <[hidden email]>; DIXIT Ankit <[hidden email]>
Subject: RE: [squid-users] Squid memory consumption problem

 

 

The first thing to do is look at:

https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

 

It should clear a couple of doubts for you.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

 

From: [hidden email]
Sent: Tuesday, June 30, 2020 10:46 AM
To: [hidden email]; [hidden email]; [hidden email]
Subject: RE: [squid-users] Squid memory consumption problem

 

Eliezer,

 

We installed Squid 4.12 on a production server (Amazon Linux 2) successfully, but I could see the below messages in the logs for SECURITY ALERT: Host header forgery detected. These are getting generated very frequently.

Can we ignore this, or is it advised to suppress these alerts?

 

kid2| SECURITY ALERT: on URL: 5-25-3-app.agent.datadoghq.com:443

2020/06/30 07:41:29 kid1| SECURITY ALERT: Host header forgery detected on local=IP remote=IP FD 97 flags=33 (local IP does not match any domain IP)

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

 


This email (including any attachments) is intended only for the addressee(s), is confidential and may be legally privileged. If you are not the intended recipient, do not use, disclose, copy, or forward this email. Please notify the sender immediately and then delete it. Eurostar International Limited and its affiliates ("EIL") do not accept any liability for action taken in reliance on this email. EIL makes no representation that this email is free of viruses and addressees should check this email for viruses. The comments or statements expressed in this email are not necessarily those of EIL.

Eurostar International Ltd
Times House, Bravingtons Walk, London N1 9AW Registered in England and Wales No. 2462001


 

 




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
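The two kinds of cache.log line quoted in the messages above can be triaged mechanically. The following Go program is an added example, not code from the thread or from Squid: it decodes the packed OpenSSL error code (under OpenSSL 1.x packing, error:14090086 splits into library 20 = SSL routines, function 144 and reason 134 = certificate verify failed) and tallies the Host header forgery alerts separately from the TLS failures. The log lines it contains are constructed in the shape of the quoted ones, with RFC 5737 addresses in place of the redacted IPs.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// SampleLog is a constructed cache.log excerpt in the shape of the lines quoted
// in the thread; timestamps, FDs and the 192.0.2.x / 198.51.100.x addresses are made up.
const SampleLog = `2020/06/30 07:41:29 kid1| SECURITY ALERT: Host header forgery detected on local=192.0.2.10:443 remote=198.51.100.20:51234 FD 97 flags=33 (local IP does not match any domain IP)
2020/06/30 07:41:29 kid1| SECURITY ALERT: on URL: 5-25-3-app.agent.datadoghq.com:443
2020/09/15 12:01:02 kid1| Error negotiating SSL on FD 33: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
2020/09/15 12:01:03 kid1| Error negotiating SSL connection on FD 26: (104) Connection reset by peer
2020/06/30 09:17:38 kid1| Error negotiating SSL connection on FD 75: error:00000001:lib(0):func(0):reason(1) (1/0)`

// OpenSSL 1.x packs an error code as (lib << 24) | (func << 12) | reason.
const (
	errLibSSL                   = 20  // ERR_LIB_SSL: "SSL routines"
	sslRCertificateVerifyFailed = 134 // SSL_R_CERTIFICATE_VERIFY_FAILED
)

// DecodeOpenSSLError splits the eight hex digits after "error:" into fields.
func DecodeOpenSSLError(hexCode string) (lib, fn, reason int, err error) {
	v, err := strconv.ParseUint(hexCode, 16, 32)
	if err != nil {
		return 0, 0, 0, err
	}
	return int((v >> 24) & 0xff), int((v >> 12) & 0xfff), int(v & 0xfff), nil
}

// Event is one classified cache.log line.
type Event struct {
	Kind   string // forgery, forgery-url, tls-verify-failed, tls-error, tcp-reset, other
	Detail string
}

var (
	reForgery    = regexp.MustCompile(`Host header forgery detected on local=(\S+) remote=(\S+)`)
	reForgeryURL = regexp.MustCompile(`SECURITY ALERT: on URL: (\S+)`)
	reSSLError   = regexp.MustCompile(`Error negotiating SSL(?: connection)? on FD (\d+): error:([0-9A-Fa-f]{8}):`)
	reReset      = regexp.MustCompile(`Error negotiating SSL connection on FD (\d+): \(104\)`)
)

// Classify maps one line to an Event; anything unrecognised is "other".
func Classify(line string) Event {
	if m := reForgeryURL.FindStringSubmatch(line); m != nil {
		host := m[1]
		if i := strings.LastIndex(host, ":"); i > 0 { // strip the :port suffix
			host = host[:i]
		}
		return Event{Kind: "forgery-url", Detail: host}
	}
	if m := reForgery.FindStringSubmatch(line); m != nil {
		return Event{Kind: "forgery", Detail: "local=" + m[1] + " remote=" + m[2]}
	}
	if m := reSSLError.FindStringSubmatch(line); m != nil {
		lib, fn, reason, err := DecodeOpenSSLError(m[2])
		if err == nil && lib == errLibSSL && reason == sslRCertificateVerifyFailed {
			return Event{Kind: "tls-verify-failed", Detail: "fd=" + m[1]}
		}
		return Event{Kind: "tls-error", Detail: fmt.Sprintf("fd=%s lib=%d func=%d reason=%d", m[1], lib, fn, reason)}
	}
	if m := reReset.FindStringSubmatch(line); m != nil {
		return Event{Kind: "tcp-reset", Detail: "fd=" + m[1]}
	}
	return Event{Kind: "other"}
}

// Summarize counts events per kind over a whole log.
func Summarize(log string) map[string]int {
	counts := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		counts[Classify(sc.Text()).Kind]++
	}
	return counts
}

func main() {
	for kind, n := range Summarize(SampleLog) {
		fmt.Printf("%-18s %d\n", kind, n)
	}
}
```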

Re: SSL issue on Squid version 4 after blacklisting

Eliezer Croitoru-3

Hey Dixit,

 

To get a response you would need to respond in the Bugzilla.

Maybe Alex might be able to answer some of your questions about the subject.

 

All The Bests,

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

 

From: DIXIT Ankit <[hidden email]>
Sent: Monday, October 19, 2020 3:11 PM
To: Eliezer Croitor <[hidden email]>
Cc: 'Squid Users' <[hidden email]>
Subject: RE: SSL issue on Squid version 4 after blacklisting

 

Eliezer,

 

  1. I am not able to identify from the below what exactly needs to be done, and in which file?

 

* Short-term: Essentially disable OpenSSL built-in certificate validation (for certificates with missing intermediate CAs) and perform that validation from Squid, using X509_verify_cert(), after SSL_connect() returns control to Squid and Squid fetches the missing CAs. This approach still requires some non-trivial Squid development and keeping an eye on OpenSSL built-in validation logic, but it can be completed without OpenSSL modifications and, IMHO, without replicating a lot of OpenSSL internal validation logic.

 

* Long-term: We need a new OpenSSL callback for pausing OpenSSL processing after the TLS v1.3 server handshake is decrypted and before certificate validation starts.

 

  2. Apart from the above, I also want to understand: if we have the below configuration in squid.conf in Squid version 3.5, then how would I replace it, and with what, if we move to Squid version 4.12?

 

sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 


Re: SSL issue on Squid version 4 after blacklisting

Alex Rousskov
On 10/19/20 1:16 PM, Eliezer Croitor wrote:

> To get a response you would need to respond in the Bugzilla.
> Maybe Alex might be able to answer some of your questions about the subject.

FWIW, the October 19 email from Ankit Dixit (quoted below) did not reach
me. It probably did not reach others on squid-users either because the
mailing list archive does not show it.

The short answer to that "what needs to be done" question is "serious
development". It is not a simple change, but we are making progress with it.

Alex.

  

> *From:* DIXIT Ankit <[hidden email]>
> *Sent:* Monday, October 19, 2020 3:11 PM
> *To:* Eliezer Croitor <[hidden email]>
> *Cc:* 'Squid Users' <[hidden email]>
> *Subject:* RE: SSL issue on Squid version 4 after blacklisting
>
>  
>
> Eliezer,
>
>  
>
>  1. I am not able to identify from the below what exactly needs to be
>     done, and in which file?
>
>  
>
> * Short-term: Essentially disable OpenSSL built-in certificate
> validation (for certificates with missing intermediate CAs) and perform
> that validation from Squid, using X509_verify_cert(), after
> SSL_connect() returns control to Squid and Squid fetches the missing
> CAs. This approach still requires some non-trivial Squid development and
> keeping an eye on OpenSSL built-in validation logic, but it can be
> completed without OpenSSL modifications and, IMHO, without replicating a
> lot of OpenSSL internal validation logic.
>
>  
>
> * Long-term: We need a new OpenSSL callback for pausing OpenSSL
> processing after TLS v1.3 server handshake is decrypted and before
> certificate validation starts.
>
>  
>
>  2. Apart from the above, I also want to understand: if we have the below
>     configuration in squid.conf in Squid version 3.5, then how would I
>     replace it, and with what, if we move to Squid version 4.12?
>
>  
>
> sslproxy_cipher
> HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
>
>  
>
> *Regards,*
>
> *Ankit Dixit|IS Cloud Team*
>
> *Eurostar International Ltd*
>
> *Times House | Bravingtons Walk | London N1 9AW*
>
> *Office: +44 (0)207 84 35550 (Extension– 35530)*
>

Re: SSL issue on Squid version 4 after blacklisting

Eliezer Croitoru-3
In reply to this post by Eliezer Croitoru-3

https://bugs.squid-cache.org/createaccount.cgi

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

 

From: DIXIT Ankit <[hidden email]>
Sent: Tuesday, October 20, 2020 8:02 PM
To: Eliezer Croitor <[hidden email]>
Cc: 'Squid Users' <[hidden email]>
Subject: RE: SSL issue on Squid version 4 after blacklisting

 

Eliezer,

 

How do I access Bugzilla?

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: Eliezer Croitor <[hidden email]>
Sent: Monday, October 19, 2020 6:16 PM
To: DIXIT Ankit <[hidden email]>
Cc: 'Squid Users' <[hidden email]>
Subject: RE: SSL issue on Squid version 4 after blacklisting

 

 

Hey Dixit,

 

To get a response you would need to respond in the Bugzilla.

Maybe Alex might be able to answer some of your questions about the subject.

 

All The Bests,

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

 

From: DIXIT Ankit <[hidden email]>
Sent: Monday, October 19, 2020 3:11 PM
To: Eliezer Croitor <[hidden email]>
Cc: 'Squid Users' <[hidden email]>
Subject: RE: SSL issue on Squid version 4 after blacklisting

 

Elizer,

 

  1. I am not able to identify from below like what exactly needs to be done and in which file?

 

* Short-term: Essentially disable OpenSSL built-in certificate validation (for certificates with missing intermediate CAs) and perform that validation from Squid, using X509_verify_cert(), after SSL_connect() returns control to Squid and Squid fetches the missing CAs. This approach still requires some non-trivial Squid development and keeping an eye on OpenSSL built-in validation logic, but it can be completed without OpenSSL modifications and, IMHO, without replicating a lot of OpenSSL internal validation logic.

 

* Long-term: We need a new OpenSSL callback for pausing OpenSSL processing after TLS v1.3 server handshake is decrypted and before certificate validation starts.

 

  2. Apart from the above, I also want to understand: if we have the below configuration in squid.conf on Squid version 3.5, how would I replace it, and with what, if we move to Squid version 4.12?

 

sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)
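The directive renaming asked about in point 2, as an added squid.conf example. This is an editor's illustration, not something posted in the thread or taken from the Squid project's documentation: the cipher list and options are the ones quoted in the question, and the PEM path at the end is an assumption.

```text
# Squid 3.5 form, as quoted above. In Squid 4 these two directives are
# obsolete; Squid reports them at startup and points at tls_outgoing_options.
sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE

# Squid 4 form: the same values become the cipher= and options= parameters of
# the single tls_outgoing_options directive. NO_SSLv2 is dropped because Squid 4
# no longer supports SSLv2 at all, so there is nothing for it to disable; the
# remaining option names are the unchanged OpenSSL names.
tls_outgoing_options options=NO_SSLv3,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

# Squid 4 also accepts a protocol floor directly, which is the clearer way to
# retire old protocol versions once SSLv3 is gone (1.2 here is an example value):
# tls_outgoing_options min-version=1.2 options=SINGLE_ECDH_USE cipher=...

# Related to the "certificate verify failed" errors in this thread: intermediate
# CA certificates that origin servers fail to send can be handed to Squid from a
# local PEM bundle, so outgoing verification does not depend on fetching them
# (the path is an assumption):
sslproxy_foreign_intermediate_certs /etc/squid/foreign_intermediates.pem
```

After changing the file, "squid -k parse" reports any parameter it does not accept before the running instance is reconfigured, which is the cheapest way to confirm the migrated line is well formed on the installed 4.x build.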

 

From: Eliezer Croitor <[hidden email]>
Sent: Monday, October 12, 2020 12:38 PM
To: DIXIT Ankit <[hidden email]>
Cc: 'Squid Users' <[hidden email]>
Subject: RE: SSL issue on Squid version 4 after blacklisting

 

 

Hey Dixit,

 

Have you seen the next bug report:

https://bugs.squid-cache.org/show_bug.cgi?id=5067#c4

 

Alex/Amos: I assume that this specific issue deserves a DEBUG which will describe and relate to this BUG:5067 report.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

 

From: DIXIT Ankit <[hidden email]>
Sent: Friday, September 25, 2020 4:22 PM
To: Eliezer Croitor <[hidden email]>; 'Squid Users' <[hidden email]>
Subject: RE: SSL issue on Squid version 4 after blacklisting

 

Eliezer/Team,

 

Any help would be appreciated.

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: DIXIT Ankit
Sent: Tuesday, September 15, 2020 1:24 PM
To: Eliezer Croitor <[hidden email]>; 'Squid Users' <[hidden email]>
Subject: SSL issue on Squid version 4 after blacklisting

 

Subject changed

 

Eliezer/Team,

 

Connecting with you again after we upgraded to Squid version 4.

 

We have blacklisted the domain categories on the Squid proxy, but we are getting the below exceptions in cache.log, and due to this internet traffic is not flowing from the client servers via Squid.

This blacklist category has thousands of blacklisted domains.

 

kid1| Error negotiating SSL on FD 33: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

kid1| Error negotiating SSL connection on FD 26: (104) Connection reset by peer

 

Is there any specific SSL certificate we need to configure? Or any other issue you see here?

 

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)
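The failure behind the "certificate verify failed" cache.log line above, and the short-term plan quoted earlier in this thread (let the TLS library finish the handshake with its own verification switched off, then validate the peer chain yourself once you have fetched the missing intermediate), worked through as an added example. This is an editor's illustration in Go, not Squid's or OpenSSL's code: Go's crypto/x509 exposes the same roots-plus-untrusted-intermediates chain building that X509_verify_cert() performs, so the recovery step can be shown without building Squid. The root, intermediate, leaf, host name and AIA URL are all constructed for the example, and the AIA "fetch" is a lookup rather than an HTTP request.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const aiaURL = "http://ca.example.test/intermediate.cer" // constructed; a real client reads it from the leaf's AIA extension

type issued struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *issued) *issued {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return &issued{must(x509.ParseCertificate(der)), key}
}

// buildPKI creates a constructed root -> intermediate -> leaf chain; the leaf carries an AIA caIssuers URL.
func buildPKI(host string) (root, inter, leaf *issued) {
	now := time.Now()
	tmpl := func(cn string, serial int64, isCA bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageCertSign}
	}
	root = issue(tmpl("Constructed Root CA", 1, true), nil)
	inter = issue(tmpl("Constructed Intermediate CA", 2, true), root)
	l := tmpl(host, 3, false)
	l.KeyUsage, l.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	l.DNSNames, l.IssuingCertificateURL = []string{host}, []string{aiaURL}
	return root, inter, issue(l, inter)
}

// verifyAfterHandshake is the validation run once the TLS library (with its own verification
// switched off) has handed back the peer chain. If the only defect is a missing issuer, fetch
// the one named by the leaf's AIA URL, add it to the untrusted intermediates and verify again.
func verifyAfterHandshake(peer []*x509.Certificate, roots *x509.CertPool, host string,
	fetch func(url string) (*x509.Certificate, error)) error {
	leaf, inter := peer[0], x509.NewCertPool()
	for _, c := range peer[1:] {
		inter.AddCert(c) // whatever the origin did send beyond its leaf
	}
	opts := x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter}
	_, err := leaf.Verify(opts)
	var unknown x509.UnknownAuthorityError
	if !errors.As(err, &unknown) || len(leaf.IssuingCertificateURL) == 0 {
		return err // success, or a failure that fetching an issuer cannot repair
	}
	fetched, ferr := fetch(leaf.IssuingCertificateURL[0])
	if ferr != nil {
		return fmt.Errorf("%w (AIA fetch failed: %v)", err, ferr)
	}
	inter.AddCert(fetched) // opts.Intermediates refers to this same pool
	_, err = leaf.Verify(opts)
	return err
}

// demo plays the origin (leaf alone, or with its intermediate) against a client that may or may not be able to fetch via AIA.
func demo(originSendsIntermediate, canFetch bool) error {
	const host = "blocked.example.test" // constructed name
	root, inter, leaf := buildPKI(host)
	roots := x509.NewCertPool()
	roots.AddCert(root.cert) // the trust store holds only the root, as in practice
	peer := []*x509.Certificate{leaf.cert}
	if originSendsIntermediate {
		peer = append(peer, inter.cert)
	}
	fetch := func(url string) (*x509.Certificate, error) {
		if canFetch && url == aiaURL {
			return inter.cert, nil
		}
		return nil, fmt.Errorf("nothing served at %s", url)
	}
	return verifyAfterHandshake(peer, roots, host, fetch)
}

func main() {
	fmt.Printf("full chain sent: %v\nleaf only, no fetch: %v\nleaf only, issuer fetched: %v\n",
		demo(true, false), demo(false, false), demo(false, true))
}
```

Running it prints a pass for the origin that sends its full chain, a failure for the origin that sends only its leaf when nothing can supply the issuer (the situation the cache.log line reports), and a pass once the issuer named in the leaf's AIA extension has been fetched and added to the untrusted set before the second verification. In a proxy this function would be fed the peer certificates from the completed handshake (in Go terms, ConnectionState().PeerCertificates after a handshake made with InsecureSkipVerify), which is the point the quoted plan makes: the fetch can only happen after the handshake has delivered the leaf, so the validation has to move to where control returns to the caller.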

 

From: DIXIT Ankit
Sent: Monday, July 6, 2020 8:50 AM
To: Eliezer Croitor <[hidden email]>; 'Squid Users' <[hidden email]>
Subject: RE: [squid-users] Squid memory consumption problem

 

Eliezer,

 

SSL was failing for a few applications but was working fine for other applications, so we reverted back to the old version.

I am not sure what ssl certificate dependency was there.

 

It would be great if you could suggest memory leak solutions for the 3.12 version.

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: Eliezer Croitor <[hidden email]>
Sent: Sunday, July 5, 2020 5:58 PM
To: DIXIT Ankit <[hidden email]>; 'Squid Users' <[hidden email]>
Cc: SETHI Konica <[hidden email]>
Subject: RE: [squid-users] Squid memory consumption problem

 

 

Hey,

 

What happened with this issue?

I am waiting for any input about this issue, to understand what I can try to help with.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

 

From: DIXIT Ankit [[hidden email]]
Sent: Tuesday, June 30, 2020 12:35 PM
To: Eliezer Croitoru; Squid Users
Cc: SETHI Konica
Subject: RE: [squid-users] Squid memory consumption problem

 

For your information, we have added the below configuration, but again the same issue.

 

tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

 

tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: DIXIT Ankit
Sent: Tuesday, June 30, 2020 10:25 AM
To: Eliezer Croitoru <[hidden email]>; Squid Users <[hidden email]>
Cc: SETHI Konica <[hidden email]>
Subject: RE: [squid-users] Squid memory consumption problem

 

Eliezer,

 

Clients are facing some SSL-related issues after the upgrade. I could see the below errors. Please suggest; it's a little urgent.

 

squid[6706]: Error negotiating SSL connection on FD 167: error:00000001:lib(0):func(0):reason(1) (1/0)
Jun 30 09:17:38 squid[6706]: Error parsing SSL Server Hello Message on FD 77
Jun 30 09:17:38 squid[6706]: Error negotiating SSL connection on FD 75: error:00000001:lib(0):func(0):reason(1) (1/0)

 

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

From: Eliezer Croitoru <[hidden email]>
Sent: Tuesday, June 30, 2020 9:10 AM
To: Squid Users <[hidden email]>; DIXIT Ankit <[hidden email]>
Subject: RE: [squid-users] Squid memory consumption problem

 

 

The first thing to do is look at:

https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

 

It should clear up a couple of doubts for you.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

 

From: [hidden email]
Sent: Tuesday, June 30, 2020 10:46 AM
To: [hidden email]; [hidden email]; [hidden email]
Subject: RE: [squid-users] Squid memory consumption problem

 

Eliezer,

 

We installed Squid 4.12 on a production server (Amazon Linux 2) successfully, but I could see the below messages in the logs: SECURITY ALERT: Host header forgery detected. These are getting generated very frequently.

Can we ignore this, or is it advised to suppress these alerts?

 

kid2| SECURITY ALERT: on URL: 5-25-3-app.agent.datadoghq.com:443

2020/06/30 07:41:29 kid1| SECURITY ALERT: Host header forgery detected on local=IP remote=IP FD 97 flags=33 (local IP does not match any domain IP)

 

Regards,

Ankit Dixit|IS Cloud Team

Eurostar International Ltd

Times House | Bravingtons Walk | London N1 9AW

Office: +44 (0)207 84 35550 (Extension– 35530)

 

 


This email (including any attachments) is intended only for the addressee(s), is confidential and may be legally privileged. If you are not the intended recipient, do not use, disclose, copy, or forward this email. Please notify the sender immediately and then delete it. Eurostar International Limited and its affiliates ("EIL") do not accept any liability for action taken in reliance on this email. EIL makes no representation that this email is free of viruses and addressees should check this email for viruses. The comments or statements expressed in this email are not necessarily those of EIL.

Eurostar International Ltd
Times House, Bravingtons Walk, London N1 9AW Registered in England and Wales No. 2462001
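The rule behind the SECURITY ALERT lines quoted above, as an added example. This is an editor's illustration in Go, not Squid's code, and the DNS table, addresses and connections are all constructed. Squid applies the check to intercepted connections: the address the client actually connected to has to be one of the addresses the proxy itself resolves for the Host header the client then sends. The example runs that check over three constructed connections: a consistent one, a client that connected to a different CDN address than the proxy resolves (the datadoghq pattern in the log, a benign mismatch), and a genuinely forged Host header, where a client connects to an unrelated address while claiming an internal name, which is what the check exists to stop.

```go
package main

import (
	"fmt"
	"net"
)

// The proxy's own DNS view. A real check uses the proxy's resolver; this
// constructed table stands in so the example runs offline.
var proxyDNS = map[string][]string{
	"intranet.example.test":          {"192.0.2.8"},
	"5-25-3-app.agent.datadoghq.com": {"203.0.113.20", "203.0.113.21"}, // CDN-style answer, constructed addresses
}

// resolve returns the proxy's idea of a name's addresses (nil if unknown).
func resolve(host string) []net.IP {
	var ips []net.IP
	for _, s := range proxyDNS[host] {
		ips = append(ips, net.ParseIP(s))
	}
	return ips
}

// forgeryCheck is the rule behind "SECURITY ALERT: Host header forgery detected"
// for intercepted traffic: the address the client actually connected to must be
// one the proxy itself resolves for the Host header (or SNI) the client presented.
// A mismatch is either a forged Host header or, frequently, a client whose DNS
// answer differed from the proxy's (round-robin, CDN, split-horizon DNS).
func forgeryCheck(host string, dst net.IP) error {
	ips := resolve(host)
	if len(ips) == 0 {
		return fmt.Errorf("SECURITY ALERT: Host header forgery detected: %q does not resolve for the proxy", host)
	}
	for _, ip := range ips {
		if ip.Equal(dst) {
			return nil
		}
	}
	return fmt.Errorf("SECURITY ALERT: Host header forgery detected: client connected to %s but %q resolves to %v (local IP does not match any domain IP)", dst, host, ips)
}

// intercepted is one intercepted client connection: the destination the client
// connected to and the Host header it sent on that connection.
type intercepted struct{ dst, host string }

// Constructed traffic: one consistent client, one whose CDN answer differed
// from the proxy's, and one forged Host header pointing at an unrelated server.
var sampleTraffic = []intercepted{
	{"192.0.2.8", "intranet.example.test"},
	{"203.0.113.10", "5-25-3-app.agent.datadoghq.com"},
	{"198.51.100.5", "intranet.example.test"},
}

// audit runs the check over a batch of connections and returns, keyed by
// "dst host", the alert text or "" when the connection is consistent.
func audit(traffic []intercepted) map[string]string {
	out := make(map[string]string, len(traffic))
	for _, c := range traffic {
		key := c.dst + " " + c.host
		if err := forgeryCheck(c.host, net.ParseIP(c.dst)); err != nil {
			out[key] = err.Error()
		} else {
			out[key] = ""
		}
	}
	return out
}

func main() {
	for k, v := range audit(sampleTraffic) {
		if v == "" {
			v = "ok"
		}
		fmt.Printf("%-46s %s\n", k, v)
	}
}
```

The second and third connections produce the same alert text even though only the third is hostile, which is why the alert on its own is not a useful signal to act on: the wiki page Eliezer pointed at explains what Squid does with such requests, and the practical remedy for the benign case is to make the clients and the proxy resolve names through the same DNS view.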


 

 



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users