Bug #15381

closed

Update deprecated options

Added by Jonathan Lee 9 months ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Squid
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
24.11
Affected Version:
Affected Plus Version:
24.03
Affected Architecture:

Description

Squid runs, however it lists the following errors in 24.03.b.20240322.1708:

Config in use:


Files

1712248127011-screenshot-2024-04-04-092823.png (81 KB): status shows forbidden. Jonathan Lee, 04/04/2024 05:55 PM
1712247958622-screenshot-2024-04-04-092543.png (37.7 KB): cachemgr.cgi login prompt shows, however access is denied; see the Netgate link for info on what cachemgr is. Jonathan Lee, 04/04/2024 05:56 PM
1712247986560-screenshot-2024-04-04-092613.png (36.8 KB): errors. Jonathan Lee, 04/04/2024 05:56 PM
1712248086335-screenshot-2024-04-04-092710.png (81.5 KB): error page missing error, however it shows errors. Jonathan Lee, 04/04/2024 05:57 PM
1712247108738-screenshot-2024-04-04-091113.png (28.8 KB): Kick Abandoning error. Jonathan Lee, 04/04/2024 05:58 PM
1712246840439-screenshot-2024-04-04-090152.png (9.96 KB): 24 version number. Jonathan Lee, 04/04/2024 05:59 PM
Screenshot 2024-04-05 at 15.22.53.png (364 KB). Jonathan Lee, 04/05/2024 10:25 PM
Actions #1

Updated by Jonathan Lee 9 months ago

Cachemgr.cgi ref:
https://forum.netgate.com/topic/187107/how-to-guide-for-accessing-squid-s-cachemgr-cgi-over-https

StoreID use research:
https://forum.netgate.com/topic/186805/squid-storeid-and-facebook-plus-caching-windows-updates


EDIT:
Facebook Goals for me with the cache are related to
Ref:
https://research.facebook.com/blog/2016/4/the-evolution-of-advanced-caching-in-the-facebook-cdn/


EDIT:
The errors show a request for cafile= to be tls-cafile, so Squid is looking for TLS certificates over the SSL we used before. Is there any way to generate a TLS certificate authority?


EDIT:
2024/04/05 07:58:24| WARNING: UPGRADE: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.

is fixed with the following

https://github.com/pfsense/FreeBSD-ports/commit/de0386f85a97b6424a0b5e371e98cfaea467972e


EDIT:
https://github.com/pfsense/FreeBSD-ports/pull/1365

This fixed the issue inside my SG-2100.

Also working on this, per Squid support (Amos Jeffries):

"Also there are a few weird things in your TLS cipher settings, such as this sequence 'EECDH+aRSA+RC4:...:!RC4', which as I understand, enables the EECDH with RC4 hash, but also forbids all uses of RC4."

Working this issue now.


EDIT:

if (empty($settings['sslproxy_compatibility_mode']) || ($settings['sslproxy_compatibility_mode'] == 'modern')) {
    // Modern cipher suites: no SHA1 MACs, TLSv1.0 disabled via NO_TLSv1.
    // Note that EECDH+aRSA+RC4 is cancelled out again by the later !RC4 (see Amos Jeffries' comment above).
    $sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS";
    $sslproxy_options .= ",NO_TLSv1";
} else {
    // Compatibility cipher suites: adds HIGH and keeps SHA1 MACs; same EECDH+aRSA+RC4 / !RC4 contradiction.
    $sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
}

Should the RC4 be removed or allowed? I can also fix this; what does everyone think?
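As an added check (not code from the ticket or from the pfSense package), the two cipher strings above can be handed to the locally linked OpenSSL through Python's standard ssl module to confirm the point quoted from Amos Jeffries: once the trailing !RC4 is applied, the EECDH+aRSA+RC4 element contributes nothing and can be dropped without changing what Squid would negotiate.

```python
import ssl

# Cipher strings copied from the squid.inc excerpt in the ticket.
MODERN_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:"
    "!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS"
)
COMPAT_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:"
    "!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
)


def resolve_ciphers(cipher_string):
    """Expand an OpenSSL cipher string with the OpenSSL Python is linked against.

    Returns the sorted cipher names OpenSSL would actually offer. A contradictory
    alias shows up as a missing cipher, not as a parse error: unknown or fully
    negated elements are silently skipped by OpenSSL's rule parser.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError only if nothing matches
    return sorted(c["name"] for c in ctx.get_ciphers())


def without_alias(cipher_string, alias):
    """Drop one ':'-separated element (e.g. 'EECDH+aRSA+RC4') from the string."""
    return ":".join(part for part in cipher_string.split(":") if part != alias)


def rc4_ciphers(cipher_string):
    """Ciphers in the resolved list that still use RC4 (expected: none, due to !RC4)."""
    return [name for name in resolve_ciphers(cipher_string) if "RC4" in name]


def alias_is_dead_weight(cipher_string, alias):
    """True when removing `alias` leaves the resolved cipher list unchanged."""
    return resolve_ciphers(cipher_string) == resolve_ciphers(
        without_alias(cipher_string, alias)
    )


if __name__ == "__main__":
    for label, spec in (("modern", MODERN_CIPHERS), ("compat", COMPAT_CIPHERS)):
        print(f"{label}: {len(resolve_ciphers(spec))} ciphers, RC4 left: {rc4_ciphers(spec)}")
        print(f"  'EECDH+aRSA+RC4' removable: {alias_is_dead_weight(spec, 'EECDH+aRSA+RC4')}")
```

The result is the same whether or not the local OpenSSL was built with RC4 at all, because a ! rule removes matching ciphers permanently.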


EDIT:
Notes:

FIX ME: line 1261 in /usr/local/pkg/squid.inc
FIX ME: lines 1235-1241 in /usr/local/pkg/squid.inc


EDIT:
https://github.com/pfsense/FreeBSD-ports/pull/1366

Fix for

2024/04/05 07:58:24| ERROR: Unsupported TLS option SINGLE_DH_USE

2024/04/05 07:58:24| ERROR: Unsupported TLS option SINGLE_ECDH_USE

Actions #3

Updated by Marcos M 3 months ago

  • Subject changed from Squid 6.6 Errors Attached for Review TLS requested in errors to Update deprecated options
  • Description updated (diff)
  • Status changed from New to Closed
  • Plus Target Version set to 24.11
  • Affected Architecture deleted (SG-2100)

I've merged the above comments into one to help with readability.

The proposed changes from the posted PRs are simple/easy enough so I'll put them in, but please keep in mind that the Squid packages are deprecated and may be removed.

Actions #4

Updated by Jonathan Lee 3 months ago

Thanks for looking at this, and the YouTube issue.

Actions #5

Updated by Maharsh Patel 3 months ago

Can you also close this issue as well, as it is now no longer valid: https://redmine.pfsense.org/issues/15381

Actions #6

Updated by Jonathan Lee 3 months ago

https://redmine.pfsense.org/issues/13811

@Maharsh Patel

I think you mean this one.
