v4.0.22 error:transaction-end-before-headers using transparent SSL method


David Touzeau-3

Hi

I’m using Squid Cache: Version 4.0.22 in transparent method.

After several times the SSL port goes into « freeze mode » and writes in the logs:

1516660011.849 000000 192.168.1.214 NONE/000 0 NONE error:transaction-end-before-headers –

Doing a squid -k reconfigure releases all frozen requests and the proxy runs in normal behavior, then returns to freeze mode after 1 or 2 hours.

How to fix this issue?

Using the defined configuration:

http_port 192.168.1.1:50634 intercept disable-pmtu-discovery=transparent name=MyPortNameID27
https_port 192.168.1.1:50635 intercept disable-pmtu-discovery=transparent name=MyPortNameID28 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn tls-dh=/etc/squid3/ssl/dhparam.pem
sslcrtd_program /lib/squid3/security_file_certgen -s /var/lib/squid/session/ssl/ssl_db -M 8MB
sslcrtd_children 16 startup=5 idle=1
acl FakeCert ssl::server_name .apple.com
acl FakeCert ssl::server_name .icloud.com
acl FakeCert ssl::server_name .mzstatic.com
acl FakeCert ssl::server_name .dropbox.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice GlobalWhitelistDSTNet
ssl_bump splice GlobalWhitelistDomainsRx
ssl_bump splice GlobalWhitelistDomains
ssl_bump splice FakeCert
ssl_bump splice all

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: v4.0.22 error:transaction-end-before-headers using transparent SSL method

David Touzeau-3

Notice, it appears on both http/https ports, not only SSL

From: squid-users [mailto:[hidden email]] On behalf of David Touzeau
Sent: Monday, 22 January 2018 23:39
To: [hidden email]
Subject: [squid-users] v4.0.22 error:transaction-end-before-headers using transparent SSL method

 


Re: v4.0.22 error:transaction-end-before-headers using transparent SSL method

David Touzeau-3
In reply to this post by David Touzeau-3

Notice, it appears on both http/https ports

Transparent ports are freezing every 10 minutes.

I mention that on a normal port there is no issue; the issue can be generated only in transparent mode.

 

 

 


Re: v4.0.22 error:transaction-end-before-headers using transparent SSL method

Amos Jeffries
Administrator
As an experiment does the issue remain if you use the memory-only mode
for the security_file_certgen helper in 4.0.23?

Amos

Re: v4.0.22 error:transaction-end-before-headers using transparent SSL method

David Touzeau-3

Hi Amos,

I did not find any documentation related to "memory-only" on sslcrtd_program
features.

Do you have an example?






Re: v4.0.22 error:transaction-end-before-headers using transparent SSL method

Amos Jeffries
Administrator
On 24/01/18 22:49, david wrote:
>
> Hi Amos,
>
> I did not find any documentation related to "memory-only" on sslcrtd_program
> features.
>
> Did you have an example ?
>

It is a new behaviour of the helper itself. Simply omit the -M and -s
options from its command line. Requires the helper be built from the v4
sources.

Amos

Re: v4.0.22 error:transaction-end-before-headers using transparent SSL method

David Touzeau-3
Thanks Amos for the tips.

The error was a Python helper that works on 3.5 but freezes on v4.
Forwarding the code to PHP fixes the issue.

Thanks again !


Re: v4.0.22 error:transaction-end-before-headers using transparent SSL method

Amos Jeffries
Administrator
On 26/01/18 03:50, David Touzeau wrote:
> Thanks Amos for the tips.
>
> The error was a python  helper that works on 3.5 but freeze on v4.
> Forward code to php fix the issue
>

Can you supply some more details in case someone else has the same issue
and can't figure it out?

Amos