SSL negotiation errors on https_port


SSL negotiation errors on https_port

Robert Senger
Hi there,

I have configured squid's https_port for client certificate
authorization:

https_port [2001:XXX:XX:XXX::2]:8008 cert=/etc/ssl/private/mydomain_de/mydomain_de.crt key=/etc/ssl/private/mydomain_de/mydomain_de.key clientca=/etc/squid/ssl-proxy/ca.crt tls-dh=/etc/squid/ssl/dh_2048.pem

This works as expected. Clients connect via client side stunnel4 using
their individual client certificates.

However, I see many lines like these in the cache.log file:

2019/10/17 22:38:33.552 kid1| Error negotiating SSL connection on FD 44: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:41.619 kid1| Error negotiating SSL connection on FD 37: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:42.174 kid1| Error negotiating SSL connection on FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:42.312 kid1| Error negotiating SSL connection on FD 42: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:42.507 kid1| Error negotiating SSL connection on FD 44: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:46.755 kid1| Error negotiating SSL connection on FD 48: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:46.763 kid1| Error negotiating SSL connection on FD 58: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:46.771 kid1| Error negotiating SSL connection on FD 48: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:50.306 kid1| Error negotiating SSL connection on FD 77: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:50.314 kid1| Error negotiating SSL connection on FD 80: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:50.324 kid1| Error negotiating SSL connection on FD 77: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:40:01.898 kid1| Error negotiating SSL connection on FD 13: error:00000001:lib(0):func(0):reason(1) (1/-1)

Increasing debug output tells me that SSL negotiation fails and then
succeeds, but I have no idea what causes these failures. Is it just
related to the ssl handshake and not to worry about? If so, why is that
reported to the logs? Setting min and max TLS version on the client
does not change the log output. TLS version used is 1.3 if allowed on
the client.

Thanks for clarification,

Robert


--
Robert Senger


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL negotiation errors on https_port

Alex Rousskov
On 10/17/19 4:52 PM, Robert wrote:

> I see many lines like these in the cache.log file:

> 2019/10/17 22:38:33.552 kid1| Error negotiating SSL connection on FD 44: error:00000001:lib(0):func(0):reason(1) (1/-1)

OpenSSL refused to accept a TLS client connection with a generic
SSL_ERROR_SSL:

    A non-recoverable, fatal error in the SSL library occurred, usually
    a protocol error.  The OpenSSL error queue contains more information
    on the error.

AFAICT, Squid does not have the code to examine OpenSSL error queue
beyond the surface level (shown in your cache.log), but that does not
mean there is actually more information in that queue in your particular
case. Said that, quality pull requests (or sponsorship for) adding deep
error queue inspection support are welcomed.

I trust there are no other potentially relevant ERRORs and WARNINGs in
your cache.log.

It sounds like you can trivially reproduce the problem. If so, a capable
developer with access to your box should be able to triage it further.


> Is it just related to the ssl handshake and not to worry about?

It is most likely related to the SSL handshake. FWIW, I would worry
about it because it should not be happening under normal conditions.


HTH,

Alex.
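Added example (not from the thread, and not Squid code): a small Python parser for the cache.log lines quoted above. It unpacks the packed OpenSSL error code into the lib/func/reason fields using the OpenSSL 1.x bit layout (lib in the top byte, func in the next 12 bits, reason in the low 12 bits), checks that Squid's printed lib()/func()/reason() agree with the hex code, tallies failures per error code and per FD, and flags the same FD failing again within a short window, which is the log-side shape of Robert's "fails and then succeeds" observation when a client reconnects onto a reused descriptor. The sample lines are constructed from the ones quoted in the thread; the reading of the trailing "(1/-1)" pair as the SSL_get_error() result (1 == SSL_ERROR_SSL, as Alex notes) and the library call's return value is an assumption on my part, not something the thread confirms.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input: a subset of the cache.log lines quoted in the thread.
SAMPLE_LOG = """\
2019/10/17 22:38:33.552 kid1| Error negotiating SSL connection on FD 44: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:41.619 kid1| Error negotiating SSL connection on FD 37: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:42.174 kid1| Error negotiating SSL connection on FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:42.507 kid1| Error negotiating SSL connection on FD 44: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:46.755 kid1| Error negotiating SSL connection on FD 48: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:46.763 kid1| Error negotiating SSL connection on FD 58: error:00000001:lib(0):func(0):reason(1) (1/-1)
2019/10/17 22:38:46.771 kid1| Error negotiating SSL connection on FD 48: error:00000001:lib(0):func(0):reason(1) (1/-1)
"""

# Matches only the "Error negotiating SSL connection" lines; other cache.log lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<kid>kid\d+)\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):lib\((?P<lib>\d+)\):func\((?P<func>\d+)\):reason\((?P<reason>\d+)\)"
    r" \((?P<sslerr>-?\d+)/(?P<ret>-?\d+)\)$"
)


def decode_openssl_error(code):
    """Unpack a packed OpenSSL 1.x error code: lib = bits 24-31, func = bits 12-23, reason = bits 0-11."""
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def parse_cache_log(text):
    """Return one event dict per matching line, with the error code decoded and cross-checked."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code = int(m["code"], 16)
        decoded = decode_openssl_error(code)
        printed = {"lib": int(m["lib"]), "func": int(m["func"]), "reason": int(m["reason"])}
        if decoded != printed:
            raise ValueError(f"lib/func/reason do not match packed code in: {line}")
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
            "kid": m["kid"],
            "fd": int(m["fd"]),
            "code": code,
            **decoded,
            "ssl_error": int(m["sslerr"]),  # assumed: SSL_get_error() result, 1 == SSL_ERROR_SSL
            "ret": int(m["ret"]),           # assumed: return value of the failed library call
        })
    return events


def count_by_code(events):
    """How many failures per packed error code (as 8-digit hex, matching the log)."""
    return Counter(f"{e['code']:08X}" for e in events)


def count_by_fd(events):
    """How many failures per file descriptor."""
    return Counter(e["fd"] for e in events)


def repeat_failures(events, window=timedelta(seconds=2)):
    """Heuristic: the same FD failing again within `window`.

    FDs are reused, so a second failure on the same descriptor shortly after the
    first is consistent with a client closing and immediately reconnecting.
    """
    by_fd = defaultdict(list)
    for e in events:
        by_fd[e["fd"]].append(e["ts"])
    hits = []
    for fd, stamps in by_fd.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier <= window:
                hits.append((fd, earlier, later))
    return sorted(hits)


if __name__ == "__main__":
    ev = parse_cache_log(SAMPLE_LOG)
    print("failures by code:", dict(count_by_code(ev)))
    print("failures by FD:  ", dict(count_by_fd(ev)))
    for fd, a, b in repeat_failures(ev):
        print(f"FD {fd} failed again after {(b - a).total_seconds():.3f}s ({a.time()} -> {b.time()})")
```

Run it against a real cache.log by passing the file contents to parse_cache_log(). A code of 00000001 decodes to lib 0, func 0, reason 1, i.e. no library-specific detail survived into the printed string, which is the "surface level" Alex describes; a more informative code such as 1408F10B would decode to lib 20 (the SSL library), func 143, reason 267, and the decoded fields are what you would look up against the OpenSSL headers when the queue does carry detail.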