Hello,
Squid 6.9 has been released
https://www.squid-cache.org/Versions/v6/squid-6.9-RELEASENOTES.html
Cheers,
Michael
Hi there,
Updating to 6.9 results in the squid daemon not starting. Conf is pretty slick here, transparent only.
Cloned the VM for troubleshooting, could you perhaps head me towards the squid daemon startup logs?
tail -f dmesg.today
pid 37033 (squid), jid 0, uid 100: exited on signal 11
pid 43233 (squid), jid 0, uid 100: exited on signal 11
pid 56327 (squid), jid 0, uid 100: exited on signal 11
pid 71492 (squid), jid 0, uid 100: exited on signal 11
pid 82282 (squid), jid 0, uid 100: exited on signal 11
pid 90846 (squid), jid 0, uid 100: exited on signal 11
pid 84958 (squid), jid 0, uid 100: exited on signal 11
pid 93956 (squid), jid 0, uid 100: exited on signal 11
pid 1971 (squid), jid 0, uid 100: exited on signal 11
pid 13146 (squid), jid 0, uid 100: exited on signal 11
Thanks,
m.
It's an ongoing issue with Squid version 6. https://github.com/opnsense/plugins/issues/3827
Cheers,
Franco
Hi Franco, all,
Thanks for the lead =) Here is what I've done to get it back to "work", which is a workaround/downgrade:
root@opnsense:/ # opnsense-revert -r 24.1.5 squid
Fetching squid.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20240105... done
squid-6.8: already unlocked
Installing squid-6.8...
package squid is already installed, forced install
...
This was obviously after having applied the OPNsense 24.1.6-amd64 update.
Thanks,
m
I think all later 6.x are affected. Come to think of it, it may be an OpenSSL 3 incompatibility...
Cheers,
Franco
Ok so I guess that's it then... https://issues.redhat.com/browse/RHEL-6873
Quote from: franco on May 07, 2024, 01:52:22 PM
I think all later 6.x are affected. Come to think of it it may be an OpenSSL 3 incompatibility...
Hi Franco,
Yes, I've carefully read the github issue and comments and hum well, even with 6.8 it still segfaults. I'll need to read more about the latest findings on squid's legacy openssl issue.
On another frontline, I'm here running different proxies all running squid 6.8 + ssl bumping all over + a much bigger and rather complex configuration, which doesn't show any such artifacts. These are running on Debian though.
Anyways, let's hope for a fix at some point as I do think that transparent proxy on opnsense is extremely sexy TBH.
Cheers,
m.
A workaround is in place in the plugins for os-squid and os-OPNProxy and seems to work.
An interim solution is to edit /usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf
Change the following line from
legacy = legacy_sect
To
#legacy = legacy_sect
And execute:
# /usr/local/etc/rc.configure_firmware
A slightly better workaround that will require no user interaction will be shipped in 24.1.7
Cheers,
Franco
Hi Franco, team,
Tested this workaround after first re-enabling Squid 6.9 on 24.1.6.
All fine here, config parses all good.
Thanks guys!
Cheers,
m.
Quote from: franco on May 08, 2024, 07:42:32 AM
A workaround is in place in the plugins for os-squid and os-OPNProxy and seems to work.
An interim solution is to edit /usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf
Change the following line from
legacy = legacy_sect
To
#legacy = legacy_sect
And execute:
# /usr/local/etc/rc.configure_firmware
A slightly better workaround that will require no user interaction will be shipped in 24.1.7
That workaround seems to have a side-effect: With my OpenVPN config, this disables legacy ciphers, resulting in OpenVPN not starting with: "Error openvpn_server2 Cipher BF-CBC not supported".
I also had a Google drive backup fail with an invalid p12 key, but I am unsure if that is related.
Yes, that's why the committed fix is not that... I'm aware of the mess we are in here ;) Python is another offender.
Cheers,
Franco
Was a bit late yesterday.. here are the relevant commits:
https://github.com/opnsense/plugins/commit/70de22e0c
https://github.com/opnsense/plugins/commit/e1d58710d
Will be part of 24.1.7 and an eventual hotfix of the 24.4 release.
Cheers,
Franco
Ah, so the disabling of openssl legacy functionality is limited to squid only by using a separate configuration file for it. Clever.
Yes, it's a trick I picked up a long time ago. ;)
Cheers,
Franco
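The interim edit Franco posted above (commenting out `legacy = legacy_sect`) and the per-daemon trick he later describes (a separate OpenSSL config used only by Squid), as an added shell example that is not the os-squid plugin's own code: it derives a Squid-only openssl.cnf from the Trust template with the legacy provider activation commented out, so OpenVPN and other consumers of the system-wide file keep their legacy ciphers. The SQUID_CNF path, the squid binary path and the use of the OPENSSL_CONF environment variable to scope the file to the daemon are assumptions; the sample config is constructed.

```shell
#!/bin/sh
# Added example (not the os-squid plugin's own code): derive a Squid-only
# openssl.cnf that does not activate the OpenSSL 3 legacy provider, leaving
# the system-wide template untouched so other consumers (e.g. OpenVPN with
# BF-CBC) keep their legacy ciphers.

SYSTEM_CNF="/usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf"
SQUID_CNF="/usr/local/etc/squid/openssl-nolegacy.cnf"   # assumed path

# Comment out the line that wires the legacy provider into the provider
# section. Only "legacy = legacy_sect" lines (any surrounding whitespace)
# are touched; every other line is copied verbatim.
strip_legacy_provider() {
    sed -E 's/^([[:space:]]*)(legacy[[:space:]]*=[[:space:]]*legacy_sect)/\1#\2/'
}

# Succeed only when no active (uncommented) legacy provider reference remains.
legacy_disabled() {
    ! grep -Eq '^[[:space:]]*legacy[[:space:]]*=[[:space:]]*legacy_sect' "$1"
}

# Build the Squid-only file from a source config ($1) into $2 and verify it.
make_squid_cnf() {
    strip_legacy_provider < "$1" > "$2"
    legacy_disabled "$2"
}

# Constructed sample of the provider part of an OpenSSL 3 configuration.
SAMPLE_CNF='openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1'

# Start squid against the derived file only (OPENSSL_CONF is read by OpenSSL 3
# at initialisation); the system-wide file stays as is for everything else.
# Binary and squid.conf paths are assumed.
start_squid_nolegacy() {
    make_squid_cnf "$SYSTEM_CNF" "$SQUID_CNF" || return 1
    OPENSSL_CONF="$SQUID_CNF" /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf
}
```

The `[legacy_sect]` block itself can stay in the derived file: once it is no longer listed under `[provider_sect]`, OpenSSL never loads the provider.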
Hi Franco, team,
Clean fix indeed =) I've just seen the 24.1.7 announcement, thanks for all the work.
Quick question: should I revert /usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf
to its original status prior to applying 24.1.7?
Thanks,
Regards,
m.
Ok nice :)
Should be back to normal with the update (if it doesn't pop up in the health audit it's ok).
Cheers,
Franco