squid errors spamming cache.log

Issues related to configuring your network
Post Reply
xbucaneer
Posts: 13
Joined: 2022/10/28 05:09:32

squid errors spamming cache.log

Post by xbucaneer » 2022/11/25 21:38:42

I am running CentOS 7 with iptables v1.4.21, squid 3.5.20, squidGuard v1.4 and openssl 1.1.1c. Squid is running transparently and using ssl bump for https!
I keep getting this error in cache.log

'Error negotiating SSL connection on FD 32: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (1/-1)'

My research shows this may be related to the version of squid that I am running, and updating to squid version 4 may resolve this problem,
but

# yum update

returns

No packages marked for update.

Here is my squid.conf

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
acl localnet src 192.168.1.0/24
http_port 192.168.1.101:3129 tproxy
acl lan src 192.168.1.1 192.168.0.0/24
http_access allow localhost
http_access allow lan
acl SSL_ports port 443
acl SSL_ports port 10000
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow localnet
http_access allow localhost
shutdown_lifetime 0 seconds
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem
http_port 3129 tproxy
acl broken_sites dstdom_regex icicibank.com hdfcbank.com
acl monitor_domains dstdom_regex youtube.com facebook.com ytimg.com googlevideo.com ggpht.com
acl monitor_domains2 dst 216.58.196.110 216.58.199.174 #youtube connect works over IP
ssl_bump none localhost
ssl_bump none broken_sites #Avoid bumping financial sites such as banks
ssl_bump server-first monitor_domains #Bump facebook and youtube
ssl_bump server-first monitor_domains2 #Since youtube bump fails with just domain also add youtube serverIP
visible_hostname proxy.mallet.lan
strip_query_terms off #This will allow checking which youtube URLs were visited by user
http_access allow all
cache_mem 256 MB
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_query_timeout 2000

perhaps not relevant but here is /etc/sysconfig/iptables

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [23:4197]
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp6s0 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -i enp6s0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o enp6s0 -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [3:1516]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i enp6s0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.101:3129
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A POSTROUTING -o enp2s0 -j MASQUERADE
COMMIT

*mangle
:PREROUTING ACCEPT [88:11385]
:INPUT ACCEPT [88:11385]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [63:6805]
:POSTROUTING ACCEPT [63:6805]
COMMIT

And here is my squidGuard.conf

dbhome /var/squidGuard/blacklists
logdir /var/log/squidGuard
src admin {
ip 192.168.0.40
user root buccaneer
}
dest adult {
domainlist porn/domains
urllist porn/urls
expressionlist porn/expressions
redirect http://google.com
}
dest test {
domainlist testdomains
redirect http://www.google.com
}
acl {
admin {
pass any
}
default {
pass !test !adult any
redirect http://googe.com
}
}

How do I stop cache.log being spammed with this error!
Is there a way to force yum to update squid to V4 if not how do I manually install squid with all the necessary modules to have it working in the current configuration?

Here is the full output of

# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

Post Reply