Bug #13810

closed

Squid options obsolete

Added by Peter Moreno over 1 year ago. Updated 13 days ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Squid
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.7.x
Affected Plus Version:
Affected Architecture: amd64

Description

Hello guys.

Running squid -k parse, we have some options that are no longer used; maybe it is time to update the GUI:
2022/12/28 23:02:50| Startup: Initializing Authentication Schemes ...
2022/12/28 23:02:50| Startup: Initialized Authentication Scheme 'basic'
2022/12/28 23:02:50| Startup: Initialized Authentication Scheme 'digest'
2022/12/28 23:02:50| Startup: Initialized Authentication Scheme 'negotiate'
2022/12/28 23:02:50| Startup: Initialized Authentication Scheme 'ntlm'
2022/12/28 23:02:50| Startup: Initialized Authentication.
2022/12/28 23:02:50| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2022/12/28 23:02:50| Processing: http_port 192.168.9.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
2022/12/28 23:02:50| UPGRADE WARNING: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.
2022/12/28 23:02:53| ERROR: Unsupported TLS option SINGLE_DH_USE
2022/12/28 23:02:53| ERROR: Unsupported TLS option SINGLE_ECDH_USE

2022/12/28 23:02:53| Processing: http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
2022/12/28 23:02:53| Starting Authentication on port 127.0.0.1:3128
2022/12/28 23:02:53| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2022/12/28 23:02:53| UPGRADE WARNING: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.
2022/12/28 23:02:55| ERROR: Unsupported TLS option SINGLE_DH_USE
2022/12/28 23:02:55| ERROR: Unsupported TLS option SINGLE_ECDH_USE

2022/12/28 23:02:55| Processing: https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
2022/12/28 23:02:55| Starting Authentication on port 127.0.0.1:3129
2022/12/28 23:02:55| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2022/12/28 23:02:55| UPGRADE WARNING: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in https_port. Use 'tls-cafile=' instead.
2022/12/28 23:02:58| ERROR: Unsupported TLS option SINGLE_DH_USE
2022/12/28 23:02:58| ERROR: Unsupported TLS option SINGLE_ECDH_USE

2022/12/28 23:02:58| Processing: icp_port 0
2022/12/28 23:02:58| Processing: digest_generation off
2022/12/28 23:02:58| Processing: dns_v4_first off
2022/12/28 23:02:58| ERROR: Directive 'dns_v4_first' is obsolete.
2022/12/28 23:02:58| dns_v4_first : Remove this line. Squid no longer supports preferential treatment of DNS A records.
    2022/12/28 23:02:58| Processing: pid_filename /var/run/squid/squid.pid
    2022/12/28 23:02:58| Processing: cache_effective_user squid
    2022/12/28 23:02:58| Processing: cache_effective_group proxy
    2022/12/28 23:02:58| Processing: error_default_language en
    2022/12/28 23:02:58| Processing: icon_directory /usr/local/etc/squid/icons
    2022/12/28 23:02:58| Processing: visible_hostname firewall.bos.local
    2022/12/28 23:02:58| Processing: cache_mgr
    2022/12/28 23:02:58| Processing: access_log /var/squid/logs/access.log
    2022/12/28 23:02:58| Processing: cache_log /var/squid/logs/cache.log
    2022/12/28 23:02:58| Processing: cache_store_log none
    2022/12/28 23:02:58| Processing: netdb_filename /var/squid/logs/netdb.state
    2022/12/28 23:02:58| Processing: pinger_enable off
    2022/12/28 23:02:58| Processing: pinger_program /usr/local/libexec/squid/pinger
    2022/12/28 23:02:58| Processing: sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048
    2022/12/28 23:02:58| Processing: tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
    2022/12/28 23:02:58| Processing: tls_outgoing_options capath=/usr/local/share/certs/
    2022/12/28 23:02:58| Processing: tls_outgoing_options options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
    2022/12/28 23:02:58| ERROR: Unsupported TLS option SINGLE_DH_USE
    2022/12/28 23:02:58| ERROR: Unsupported TLS option SINGLE_ECDH_USE

    2022/12/28 23:02:58| Processing: tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS
    2022/12/28 23:02:58| Processing: sslcrtd_children 5
    2022/12/28 23:02:58| Processing: sslproxy_cert_error allow all
    2022/12/28 23:02:58| Processing: sslproxy_cert_adapt setValidAfter all
    2022/12/28 23:02:58| Processing: sslproxy_cert_adapt setValidBefore all
    2022/12/28 23:02:58| Processing: sslproxy_cert_adapt setCommonName all
    2022/12/28 23:02:58| Processing: logfile_rotate 10
    2022/12/28 23:02:58| Processing: debug_options rotate=10
    2022/12/28 23:02:58| Processing: shutdown_lifetime 3 seconds
    2022/12/28 23:02:58| Processing: acl localnet src 192.168.9.0/24
    2022/12/28 23:02:58| Processing: forwarded_for on
    2022/12/28 23:02:58| Processing: httpd_suppress_version_string on
    2022/12/28 23:02:58| Processing: uri_whitespace strip
    2022/12/28 23:02:58| Processing: cache_mem 2048 MB
    2022/12/28 23:02:58| Processing: maximum_object_size_in_memory 256 KB
    2022/12/28 23:02:58| Processing: memory_replacement_policy heap GDSF
    2022/12/28 23:02:58| Processing: cache_replacement_policy heap LFUDA
    2022/12/28 23:02:58| Processing: minimum_object_size 0 KB
    2022/12/28 23:02:58| Processing: maximum_object_size 4 MB
    2022/12/28 23:02:58| Processing: cache_dir aufs /var/squid/cache 8192 16 256
    2022/12/28 23:02:58| Processing: offline_mode off
    2022/12/28 23:02:58| Processing: cache_swap_low 96
    2022/12/28 23:02:58| Processing: cache_swap_high 98
    2022/12/28 23:02:58| Processing: cache allow all
    2022/12/28 23:02:58| Processing: refresh_pattern ^ftp: 1440 20% 10080
    2022/12/28 23:02:58| Processing: refresh_pattern ^gopher: 1440 0% 1440
    2022/12/28 23:02:58| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    2022/12/28 23:02:58| Processing: refresh_pattern . 0 20% 4320
    2022/12/28 23:02:58| Processing: acl allsrc src all
    2022/12/28 23:02:58| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
    2022/12/28 23:02:58| Processing: acl sslports port 443 563
    2022/12/28 23:02:58| Processing: acl purge method PURGE
    2022/12/28 23:02:58| Processing: acl connect method CONNECT
    2022/12/28 23:02:58| Processing: acl HTTP proto HTTP
    2022/12/28 23:02:58| Processing: acl HTTPS proto HTTPS
    2022/12/28 23:02:58| Processing: acl step1 at_step SslBump1
    2022/12/28 23:02:58| Processing: acl step2 at_step SslBump2
    2022/12/28 23:02:58| Processing: acl step3 at_step SslBump3
    2022/12/28 23:02:58| Processing: http_access allow manager localhost
    2022/12/28 23:02:58| Processing: http_access deny manager
    2022/12/28 23:02:58| Processing: http_access allow purge localhost
    2022/12/28 23:02:58| Processing: http_access deny purge
    2022/12/28 23:02:58| Processing: http_access deny !safeports
    2022/12/28 23:02:58| Processing: http_access deny CONNECT !sslports
    2022/12/28 23:02:58| Processing: http_access allow localhost
    2022/12/28 23:02:58| Processing: request_body_max_size 0 KB
    2022/12/28 23:02:58| Processing: delay_pools 1
    2022/12/28 23:02:58| Processing: delay_class 1 2
    2022/12/28 23:02:58| Processing: delay_parameters 1 -1/-1 -1/-1
    2022/12/28 23:02:58| Processing: delay_initial_bucket_level 100
    2022/12/28 23:02:58| Processing: delay_access 1 allow allsrc
    2022/12/28 23:02:58| Processing: url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
    2022/12/28 23:02:58| Processing: url_rewrite_bypass off
    2022/12/28 23:02:58| Processing: url_rewrite_children 16 startup=8 idle=4 concurrency=0
    2022/12/28 23:02:58| Processing: acl sglog url_regex -i sgr=ACCESSDENIED
    2022/12/28 23:02:58| Processing: http_access deny sglog
    2022/12/28 23:02:58| Processing: ssl_bump peek step1
    2022/12/28 23:02:58| Processing: ssl_bump splice all
    2022/12/28 23:02:58| Processing: http_access allow localnet
    2022/12/28 23:02:58| Processing: http_access deny allsrc
    2022/12/28 23:02:58| Initializing https:// proxy context
    2022/12/28 23:02:58| Requiring client certificates.
    2022/12/28 23:02:58| Initializing http_port 192.168.9.1:3128 TLS contexts
    2022/12/28 23:02:58| Using certificate in /usr/local/etc/squid/serverkey.pem
    2022/12/28 23:02:58| Using certificate chain in /usr/local/etc/squid/serverkey.pem
    2022/12/28 23:02:58| Adding issuer CA: /CN=SQUID_BOSFW_CA/C=MX/ST=BAJA CALIFORNIA/L=TIJUANA/O=BOS/OU=IT
    2022/12/28 23:02:58| Using key in /usr/local/etc/squid/serverkey.pem
    2022/12/28 23:02:58| Not requiring any client certificates
    2022/12/28 23:02:58| Initializing http_port 127.0.0.1:3128 TLS contexts
    2022/12/28 23:02:58| Using certificate in /usr/local/etc/squid/serverkey.pem
    2022/12/28 23:02:58| Using certificate chain in /usr/local/etc/squid/serverkey.pem
    2022/12/28 23:02:58| Adding issuer CA: /CN=SQUID_BOSFW_CA/C=MX/ST=BAJA CALIFORNIA/L=TIJUANA/O=BOS/OU=IT
    2022/12/28 23:02:58| Using key in /usr/local/etc/squid/serverkey.pem
    2022/12/28 23:02:58| Not requiring any client certificates
    2022/12/28 23:02:58| Initializing https_port 127.0.0.1:3129 TLS contexts
    2022/12/28 23:02:58| Using certificate in /usr/local/etc/squid/serverkey.pem
    2022/12/28 23:02:58| Using certificate chain in /usr/local/etc/squid/serverkey.pem
    2022/12/28 23:02:58| Adding issuer CA: /CN=SQUID_BOSFW_CA/C=MX/ST=BAJA CALIFORNIA/L=TIJUANA/O=BOS/OU=IT
    2022/12/28 23:02:58| Using key in /usr/local/etc/squid/serverkey.pem
    2022/12/28 23:02:58| Not requiring any client certificates

If you need more info, let me know. Regards!
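
An added example, not part of the original report and not pfSense or Squid code: it groups the ERROR and UPGRADE WARNING lines of `squid -k parse` output under the directive that was being processed when they appeared, which is the view needed to see which generated options are obsolete. The sample lines are constructed by shortening the output quoted above, and the function name `findings` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: shortened lines from the `squid -k parse` output above.
SAMPLE = """\
2022/12/28 23:02:50| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2022/12/28 23:02:50| Processing: http_port 192.168.9.1:3128 ssl-bump cafile=/usr/local/share/certs/ca-root-nss.crt options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
2022/12/28 23:02:50| UPGRADE WARNING: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.
2022/12/28 23:02:53| ERROR: Unsupported TLS option SINGLE_DH_USE
2022/12/28 23:02:53| ERROR: Unsupported TLS option SINGLE_ECDH_USE
2022/12/28 23:02:58| Processing: icp_port 0
2022/12/28 23:02:58| Processing: dns_v4_first off
2022/12/28 23:02:58| ERROR: Directive 'dns_v4_first' is obsolete.
2022/12/28 23:02:58| dns_v4_first : Remove this line. Squid no longer supports preferential treatment of DNS A records.
    2022/12/28 23:02:58| Processing: tls_outgoing_options options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
    2022/12/28 23:02:58| ERROR: Unsupported TLS option SINGLE_DH_USE
    2022/12/28 23:02:58| ERROR: Unsupported TLS option SINGLE_ECDH_USE
"""

# "<timestamp>| <message>", tolerating leading whitespace or markup debris.
LINE = re.compile(r"^\W*\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\| (.*)$")
DIAG = re.compile(r"^(ERROR|UPGRADE WARNING|WARNING|FATAL): (.*)$")
PREFIX = "Processing: "


def findings(text):
    """Map directive name -> sorted, de-duplicated diagnostics that follow it."""
    current = None
    out = defaultdict(set)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith(PREFIX):
            # First token after "Processing: " is the directive name.
            parts = msg[len(PREFIX):].split(None, 1)
            current = parts[0] if parts else None
            continue
        d = DIAG.match(msg)
        if d and current:
            out[current].add(f"{d.group(1)}: {d.group(2)}")
    return {name: sorted(msgs) for name, msgs in out.items()}


if __name__ == "__main__":
    for name, msgs in findings(SAMPLE).items():
        print(name, *msgs, sep="\n  ")
```
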

#1

Updated by Jim Pingle over 1 year ago

  • Subject changed from Squid options obsolete. to Squid options obsolete

#2

Updated by Kris Phillips over 1 year ago

  • Status changed from New to Confirmed

I can confirm this behavior on my 23.01-BETA install:

2023/01/08 02:53:54| Startup: Initializing Authentication Schemes ...
2023/01/08 02:53:54| Startup: Initialized Authentication Scheme 'basic'
2023/01/08 02:53:54| Startup: Initialized Authentication Scheme 'digest'
2023/01/08 02:53:54| Startup: Initialized Authentication Scheme 'negotiate'
2023/01/08 02:53:54| Startup: Initialized Authentication Scheme 'ntlm'
2023/01/08 02:53:54| Startup: Initialized Authentication.
2023/01/08 02:53:54| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2023/01/08 02:53:54| Processing: icp_port 0
2023/01/08 02:53:54| Processing: digest_generation off
2023/01/08 02:53:54| Processing: dns_v4_first off
2023/01/08 02:53:54| ERROR: Directive 'dns_v4_first' is obsolete.
2023/01/08 02:53:54| dns_v4_first : Remove this line. Squid no longer supports preferential treatment of DNS A records.
2023/01/08 02:53:54| Processing: pid_filename /var/run/squid/squid.pid
2023/01/08 02:53:54| Processing: cache_effective_user squid
2023/01/08 02:53:54| Processing: cache_effective_group proxy
2023/01/08 02:53:54| Processing: error_default_language en
2023/01/08 02:53:54| Processing: icon_directory /usr/local/etc/squid/icons
2023/01/08 02:53:54| Processing: visible_hostname localhost
2023/01/08 02:53:54| Processing: cache_mgr admin@localhost
2023/01/08 02:53:54| Processing: access_log /dev/null
2023/01/08 02:53:54| Processing: cache_log /var/squid/logs/cache.log
2023/01/08 02:53:54| Processing: cache_store_log none
2023/01/08 02:53:54| Processing: netdb_filename /var/squid/logs/netdb.state
2023/01/08 02:53:54| Processing: pinger_enable on
2023/01/08 02:53:54| Processing: pinger_program /usr/local/libexec/squid/pinger
2023/01/08 02:53:54| Processing: logfile_rotate 0
2023/01/08 02:53:54| Processing: debug_options rotate=0
2023/01/08 02:53:54| Processing: shutdown_lifetime 3 seconds
2023/01/08 02:53:54| Processing: forwarded_for on
2023/01/08 02:53:54| Processing: uri_whitespace strip
2023/01/08 02:53:54| Processing: acl dynamic urlpath_regex cgi-bin \?
2023/01/08 02:53:54| Processing: cache deny dynamic
2023/01/08 02:53:54| Processing: cache_mem 64 MB
2023/01/08 02:53:54| Processing: maximum_object_size_in_memory 256 KB
2023/01/08 02:53:54| Processing: memory_replacement_policy heap GDSF
2023/01/08 02:53:54| Processing: cache_replacement_policy heap LFUDA
2023/01/08 02:53:54| Processing: minimum_object_size 0 KB
2023/01/08 02:53:54| Processing: maximum_object_size 4 MB
2023/01/08 02:53:54| Processing: cache_dir /var/squid/cache 100 16 256
2023/01/08 02:53:54| ERROR: This proxy does not support the '/var/squid/cache' cache type. Ignoring.
2023/01/08 02:53:54| Processing: offline_mode off
2023/01/08 02:53:54| Processing: cache allow all
2023/01/08 02:53:54| Processing: refresh_pattern ^ftp: 1440 20% 10080
2023/01/08 02:53:54| Processing: refresh_pattern ^gopher: 1440 0% 1440
2023/01/08 02:53:54| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2023/01/08 02:53:54| Processing: refresh_pattern . 0 20% 4320
2023/01/08 02:53:54| Processing: acl allsrc src all
2023/01/08 02:53:54| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535
2023/01/08 02:53:54| Processing: acl sslports port 443 563
2023/01/08 02:53:54| Processing: acl purge method PURGE
2023/01/08 02:53:54| Processing: acl connect method CONNECT
2023/01/08 02:53:54| Processing: acl HTTP proto HTTP
2023/01/08 02:53:54| Processing: acl HTTPS proto HTTPS
2023/01/08 02:53:54| Processing: http_access allow manager localhost
2023/01/08 02:53:54| Processing: http_access deny manager
2023/01/08 02:53:54| Processing: http_access allow purge localhost
2023/01/08 02:53:54| Processing: http_access deny purge
2023/01/08 02:53:54| Processing: http_access deny !safeports
2023/01/08 02:53:54| Processing: http_access deny CONNECT !sslports
2023/01/08 02:53:54| Processing: http_access allow localhost
2023/01/08 02:53:54| Processing: http_access deny allsrc
2023/01/08 02:53:54| Initializing https:// proxy context
2023/01/08 02:53:54| Requiring client certificates.

#3

Updated by Kris Phillips 4 months ago

  • Status changed from Confirmed to Rejected

Marking this as Rejected since Squid is being deprecated and removed in a future version of pfSense CE and Plus.
