Messages - kyferez

#17
Version:
OPNsense 19.7.3-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019

Issue Logs:
Sep 10 13:54:30   (squid-1): FATAL: Received Segment Violation...dying.
Sep 10 13:54:30   (squid-1): FATAL: The /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 10MB helpers are crashing too rapidly, need help!

Those logs keep repeating approximately every minute. The Squid service does show as running. A restart has no effect on the issue. The symptom is inaccessibility of all webpages, as if the proxy is not running.

Thanks for any help!
#18
I upgraded to the latest Prod version of OPNsense yesterday, and Squid no longer started. Squid logs were completely blank, so I had to resort to starting Squid via console, which showed the error. It was unhappy with a nobump entry. I see that under System->Log File->General we do have logs for the services; however, it doesn't provide detail on the error, and I had to resort to attempting to start the service via console. Can we enhance the GUI logging to include the detailed errors for a failure? Below I show the difference in logs from the GUI and from manually starting the service:

Logs from GUI:
Feb 28 09:30:07 root: /usr/local/etc/rc.d/squid: WARNING: failed to start squid
Feb 28 09:30:07 squid: Bungled /usr/local/etc/squid/squid.conf line 30: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"


Logs from console:

root@OPNsense:/var/log # service squid start
Starting squid.
2019/02/28 09:30:07| ERROR: '.site.com' is a subdomain of 'site.com'
2019/02/28 09:30:07| ERROR: You need to remove '.site.com' from the ACL named 'bump_nobumpsites'
FATAL: Bungled /usr/local/etc/squid/squid.conf line 30: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
Squid Cache (Version 3.5.28): Terminated abnormally.
CPU Usage: 0.020 seconds = 0.013 user + 0.007 sys
Maximum Resident Size: 67200 KB
Page faults with physical i/o: 0
/usr/local/etc/rc.d/squid: WARNING: failed to start squid
root@OPNsense:/var/log #


Thanks!
#19
Quote from: mimugmail on November 29, 2018, 06:25:29 AM
ATM it only works best when you have a large text file managing all domains separated by comma so you can just paste it.

Thanks, I guess I can make do with that method for now. I'd still like to see my enh for groups for organization reasons though. But that brings up another issue I had forgotten about: Different NoBump lists for different source Subnets/VLANs. There is no option to accomplish this, so I added it to my original post.

Quote from: mimugmail on November 29, 2018, 06:25:29 AM
Regarding "no-proxy" you'd need a nat exception not to push it to proxy.

Yes, I am using a No RDR (aka Do not NAT) rule for now to prevent NAT of the specific device/destination, but as I don't allow anything to the Internet by default on my 4 server and DMZ VLANs, it actually requires a minimum of 2 rules: 1 for No RDR and 1 for firewall allow (No RDR doesn't have the option for an auto-FW rule). Then for destinations I want to prevent proxying on for multiple VLANs, it requires a No RDR rule for each VLAN.

It gets very messy very fast, so you can see why it would be far better to have it managed in one location with one setting. Less mess equates to better security because there's far less likelihood of it getting done wrong when removing or changing things.
#20
1) For the SSL Nobump sites list, if you have a deployment of any size, this list can quickly become unmanageable with the current implementation of the site list. I would like to see something like the firewall Aliases for these, where I can create multiple Groups with lists of sites not to bump. For example, I would create a list of Banks, UserApplications, InternalSites, etc.

2) For the SSL Nobump, as well as the Groups suggested above, allow import/export of the list, with sites separated by a newline for the import/export.

3) I would also like to request No-Proxy settings for specific SourceIPs or DestinationIPs or URLs. For example, say I want a site not to be proxied, or a host server not to be proxied, or a destination IP range not to be proxied. Currently this is difficult and must be managed by creating NAT rules which have limitations and don't cover all 3 options above. These would also need a per-Subnet/Interface setting, with the ability to select multiple Subnets/Interfaces.

4) Separate NoBump lists for separate source Subnets/Interfaces which are using the proxy, or alternatively support multiple proxy processes so we can have fully separate proxy configurations for each Subnet/Interface.

Note that #1 is by far the more pressing need.

Thanks!
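The subdomain-overlap failure that killed Squid in #18 and the grouped, per-VLAN no-bump lists requested in #19 and #20 can both be handled with a small generator run outside the GUI. The script below is an added example and is not OPNsense's or Squid's own code: the group names, subnets, domains and file paths are assumptions, and the emitted squid.conf lines are meant for a custom-configuration section, placed before any catch-all "ssl_bump bump" line, because Squid evaluates ssl_bump rules in order and ANDs the ACLs listed on one line.

```python
"""Build per-VLAN Squid no-bump ACL files from named groups and check them
for the overlap Squid rejects.

Squid's domain ACLs (dstdomain, ssl::server_name) refuse a list in which one
entry is a subdomain of another, e.g. 'site.com' next to '.site.com', and a
3.5 proxy dies at startup with 'Bungled ... acl bump_nobumpsites'.
A leading dot means 'this domain and every subdomain'; no dot means that
exact host only.  Group names, subnets and paths below are assumptions.
"""
from collections import OrderedDict
import ipaddress

# Assumed groups (not OPNsense's own format): sites to splice, never bump.
GROUPS = {
    "banks": [".bank-one.example", "login.bank-two.example"],
    "internal": [".corp.example"],
    "apps": ["updates.vendor.example", ".cdn.vendor.example"],
}
# Assumed VLAN layout: name -> (source subnet, groups that apply to it).
VLANS = OrderedDict([
    ("vlan10_users", ("10.10.0.0/24", ["banks", "apps"])),
    ("vlan20_servers", ("10.20.0.0/24", ["internal", "apps"])),
])


def covers(entry, other):
    """True when `entry` is a leading-dot pattern that also matches `other`."""
    if not entry.startswith("."):
        return False                      # exact-host entries cover nothing else
    base = entry[1:]
    host = other.lstrip(".")
    return host == base or host.endswith("." + base)


def find_conflicts(domains):
    """Return (covered, covering) pairs that Squid would report as
    "'covered' is a subdomain of 'covering'"."""
    norm = [d.strip().lower() for d in domains if d.strip() and not d.startswith("#")]
    conflicts = []
    for i, a in enumerate(norm):
        for b in norm[i + 1:]:
            if a == b:
                continue                  # exact duplicates are merely redundant
            if covers(a, b):
                conflicts.append((b, a))
            elif covers(b, a):
                conflicts.append((a, b))
    return conflicts


def merge_groups(names):
    """Concatenate the named groups, dropping exact duplicates, order kept."""
    merged = []
    for name in names:
        for d in GROUPS[name]:
            if d not in merged:
                merged.append(d)
    return merged


def render(vlans=VLANS, acl_dir="/usr/local/etc/squid"):
    """Return ({vlan: acl file text}, squid.conf stanzas) or raise on overlap."""
    files, conf = {}, []
    for vlan, (cidr, groups) in vlans.items():
        ipaddress.ip_network(cidr)        # fail early on a malformed subnet
        domains = merge_groups(groups)
        bad = find_conflicts(domains)
        if bad:
            raise ValueError("%s: %s" % (
                vlan, "; ".join("%r overlaps %r" % pair for pair in bad)))
        files[vlan] = "\n".join(domains) + "\n"
        path = "%s/nobump_%s.acl" % (acl_dir, vlan)
        # ACLs on one ssl_bump line are ANDed: splice only when the client
        # is in this VLAN *and* the SNI/server name is on this VLAN's list.
        conf += [
            "acl src_%s src %s" % (vlan, cidr),
            'acl nobump_%s ssl::server_name "%s"' % (vlan, path),
            "ssl_bump splice src_%s nobump_%s" % (vlan, vlan),
        ]
    return files, "\n".join(conf) + "\n"


if __name__ == "__main__":
    acl_files, stanzas = render()
    for vlan, text in acl_files.items():
        print("# nobump_%s.acl\n%s" % (vlan, text))
    print(stanzas)
```

Running it prints one .acl file per VLAN plus the three stanzas each needs; copy those into place on the proxy host. find_conflicts() is the part worth keeping even if you stay with the single GUI list, since it reports the same '.site.com' versus 'site.com' overlap that Squid 3.5 dies on at startup, before the service has a chance to fail silently as in #18.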
#22
OK, another SSL issue with Squid. This one looks like Squid doesn't like something about the Server Hello. It's not browser-specific. The site is prosper.com

It seems obvious that it's an unknown cipher, but here we see the client hello having the same cipher, ID 0xcca8 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

See attachment.

Message is below
The following error was encountered while trying to retrieve the URL: https://104.16.112.58/*

Failed to establish a secure connection to 104.16.112.58

The system returned:

(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned
#23
I assume you meant from OPNsense? If so, here's the result. On a whim I also tried IE and Firefox; it seems to be only Chrome that has this issue.

root@OPNsense:~ # curl https://www.youtube.com/ -vkI
*   Trying 172.217.164.46...
* TCP_NODELAY set
* Connected to www.youtube.com (172.217.164.46) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.google.com
*  start date: Oct 23 16:54:00 2018 GMT
*  expire date: Jan 15 16:54:00 2019 GMT
*  issuer: C=US; O=Google Trust Services; CN=Google Internet Authority G3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x6499fa8d000)
> HEAD / HTTP/2
> Host: www.youtube.com
> User-Agent: curl/7.61.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
HTTP/2 200
< expires: Tue, 27 Apr 1971 19:44:06 EST
expires: Tue, 27 Apr 1971 19:44:06 EST
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< x-content-type-options: nosniff
x-content-type-options: nosniff
< strict-transport-security: max-age=31536000
strict-transport-security: max-age=31536000
< p3p: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
p3p: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
< cache-control: no-cache
cache-control: no-cache
< x-xss-protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube
x-xss-protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube
< date: Tue, 06 Nov 2018 23:48:22 GMT
date: Tue, 06 Nov 2018 23:48:22 GMT
< server: YouTube Frontend Proxy
server: YouTube Frontend Proxy
< set-cookie: VISITOR_INFO1_LIVE=gjFq7WYssGA; path=/; domain=.youtube.com; expires=Sun, 05-May-2019 23:48:21 GMT; httponly
set-cookie: VISITOR_INFO1_LIVE=gjFq7WYssGA; path=/; domain=.youtube.com; expires=Sun, 05-May-2019 23:48:21 GMT; httponly
< set-cookie: YSC=zLHS8Ul1c_4; path=/; domain=.youtube.com; httponly
set-cookie: YSC=zLHS8Ul1c_4; path=/; domain=.youtube.com; httponly
< set-cookie: GPS=1; path=/; domain=.youtube.com; expires=Wed, 07-Nov-2018 00:18:21 GMT
set-cookie: GPS=1; path=/; domain=.youtube.com; expires=Wed, 07-Nov-2018 00:18:21 GMT
< alt-svc: quic=":443"; ma=2592000; v="44,43,39,35"
alt-svc: quic=":443"; ma=2592000; v="44,43,39,35"
< accept-ranges: none
accept-ranges: none
< vary: Accept-Encoding
vary: Accept-Encoding

<
* Connection #0 to host www.youtube.com left intact
root@OPNsense:~ #

#24
I have a 2nd outbound proxy that all web browsing traffic passes through, but it isn't set to do SSL scanning, so it shouldn't be messing with the SSL connection - and again, this works with most sites.

I tried bypassing the 2nd outbound proxy and get a similar but different result, again, only on specific sites like youtube:

The following error was encountered while trying to retrieve the URL: https://172.217.3.238/*

Failed to establish a secure connection to 172.217.3.238

The system returned:

(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
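Added example for the "unknown cipher returned" handshake failures in #22 and #24; this is not code from the thread, from Squid or from OPNsense. OpenSSL raises that error in ssl3_get_server_hello when the ServerHello names a cipher suite the local library does not know at all; a suite it knows but did not offer yields "wrong cipher returned" instead. The proxy in this thread runs Squid 3.5.28 on OpenSSL 1.0.2s, which predates the ChaCha20-Poly1305 suites added in OpenSSL 1.1.0, and 0xCCA8 (TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) is exactly the suite seen in the browser's Client Hello in #22. In Squid's SslBump peek step the Client Hello sent upstream is modelled on the browser's, so an upstream server can select a suite the browser offered but the proxy's OpenSSL cannot handle. The script builds a constructed Client Hello / Server Hello pair, parses both, and classifies the server's choice; the OpenSSL 1.0.2 suite set and the hello contents are assumptions made for the demo.

```python
"""Replay a TLS 1.2 ClientHello/ServerHello pair and decide whether the
proxy-side OpenSSL would accept the server's cipher choice."""
import struct

# Suite IDs from the IANA TLS Cipher Suite registry.
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA8
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C

# Assumption for this example: suites an OpenSSL 1.0.2 build can speak.
# ChaCha20-Poly1305 (0xCCA8) arrived in OpenSSL 1.1.0, so it is absent.
OPENSSL_102_SUITES = {0xC02B, 0xC02F, 0xC02C, 0xC030, 0x009C, 0x009D}

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2
TLS12 = 0x0303


def _record(msg_type, body):
    """Wrap a handshake body in handshake and record-layer headers."""
    hs = struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, TLS12, len(hs)) + hs


def build_client_hello(suites, rnd=b"\x11" * 32):
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", TLS12) + rnd + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs          # cipher suite vector
            + b"\x01\x00"                              # one compression method: null
            + b"\x00\x00")                             # no extensions
    return _record(CLIENT_HELLO, body)


def build_server_hello(suite, rnd=b"\x22" * 32):
    body = (struct.pack("!H", TLS12) + rnd + b"\x00"   # version, random, empty session id
            + struct.pack("!H", suite) + b"\x00"       # chosen suite, null compression
            + b"\x00\x00")                             # no extensions
    return _record(SERVER_HELLO, body)


def _handshake_body(record, want_type):
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("record type %d is not a handshake" % ctype)
    hs = record[5:5 + rlen]
    if hs[0] != want_type:
        raise ValueError("handshake type %d, expected %d" % (hs[0], want_type))
    return hs[4:4 + int.from_bytes(hs[1:4], "big")]


def client_hello_suites(record):
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                          # skip version and random
    pos += 1 + body[pos]                  # skip session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def server_hello_suite(record):
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def check_handshake(client_hello, server_hello, local_suites):
    """Return ('ok' | 'unknown_cipher' | 'wrong_cipher', chosen_suite).

    'unknown_cipher' mirrors OpenSSL's SSL_R_UNKNOWN_CIPHER_RETURNED (id not in
    the local library's table at all, checked first); 'wrong_cipher' mirrors
    SSL_R_WRONG_CIPHER_RETURNED (known locally but not offered in this hello).
    """
    offered = client_hello_suites(client_hello)
    chosen = server_hello_suite(server_hello)
    if chosen not in local_suites:
        return "unknown_cipher", chosen
    if chosen not in offered:
        return "wrong_cipher", chosen
    return "ok", chosen


# Constructed scenarios: the browser's hello as a peeking proxy forwards it,
# and a hello limited to the proxy's own OpenSSL 1.0.2 cipher list.
BROWSER_HELLO = build_client_hello([0xCCA8, 0xC02B, 0xC02F, 0x009C])
PROXY_HELLO = build_client_hello([0xC02B, 0xC02F, 0x009C])


def demo():
    return {
        "peeked": check_handshake(BROWSER_HELLO, build_server_hello(0xCCA8), OPENSSL_102_SUITES),
        "proxy_own": check_handshake(PROXY_HELLO, build_server_hello(0xC02F), OPENSSL_102_SUITES),
    }


if __name__ == "__main__":
    for name, (verdict, suite) in demo().items():
        print("%-10s server chose 0x%04x -> %s" % (name, suite, verdict))
```

The "peeked" case is the failure mode in this thread: the server picks a suite the browser offered and the proxy's OpenSSL has never heard of, which is why adding the site to the no-bump list does not help once Squid has already peeked with the browser's cipher list. The "proxy_own" case shows the same server settling on an AES-GCM suite when the offer is restricted to what the proxy can speak.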
#25
I have the same issue. If I edit an alias (ports or Hosts), the changes do not take effect until I edit and save a firewall rule so I get the Apply Settings button and click it. Once clicked, the firewall applies the settings.
#26
Here's the error I am getting on certain sites like Youtube:

The following error was encountered while trying to retrieve the URL: https://www.youtube.com/*

Failed to establish a secure connection to 64.233.185.93

The system returned:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=us/L=Nowhere/O=TG/CN=TG Proxy CA/emailAddress=##@##.com

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.


I have attempted to add the site to the SSL no bump sites as well as setting the site in the Whitelist to no avail. Google search has stated the fix to this is upgrading Squid: https://serverfault.com/questions/867380/squid-configured-for-ssl-chokes-on-some-sites

Any recommendations?
#28
18.7 Legacy Series / Re: Packet capture on all interfaces
November 02, 2018, 04:52:44 PM
Example of NetScaler (now called ADC) trace extra details in a packet capture which make life far easier when tracing a device with multiple interfaces and VLANs, especially when you add the NIC, VLAN, and Operation (rx/tx) items as columns.
#29
18.7 Legacy Series / Re: Packet capture on all interfaces
November 02, 2018, 04:17:41 PM
Well, I resorted to using tcpdump, which worked, and I fixed my asynchronous route.

Definitely would like to see the ability to capture all interfaces in the GUI in the future, as well as capturing in the NetScaler format for easier parsing of what came in and went out on which Interface/VLAN.
#30
You can't use an out-of-scope Gateway. Gateways have to be within the subnet they are routing for, so the /32 is wrong.