Squid 6.9 has been released

Started by vost, April 12, 2024, 10:31:57 PM


Hi there,

Updating to 6.9 resulted in the squid daemon no longer starting. Conf is pretty slick here, transparent only.
Cloned the VM for troubleshooting; could you perhaps point me towards the squid daemon startup logs?


tail -f dmesg.today
pid 37033 (squid), jid 0, uid 100: exited on signal 11
pid 43233 (squid), jid 0, uid 100: exited on signal 11
pid 56327 (squid), jid 0, uid 100: exited on signal 11
pid 71492 (squid), jid 0, uid 100: exited on signal 11
pid 82282 (squid), jid 0, uid 100: exited on signal 11
pid 90846 (squid), jid 0, uid 100: exited on signal 11
pid 84958 (squid), jid 0, uid 100: exited on signal 11
pid 93956 (squid), jid 0, uid 100: exited on signal 11
pid 1971 (squid), jid 0, uid 100: exited on signal 11
pid 13146 (squid), jid 0, uid 100: exited on signal 11


Thanks,
m.
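The dmesg lines above are the only trace a segfaulting daemon leaves when it dies before writing its own logs. As an added example (not from the post), the following POSIX shell snippet counts "exited on signal 11" (SIGSEGV) entries per process name and flags a crash loop once a threshold is reached; the sample lines are constructed in the same shape as the FreeBSD output quoted above, and on a live system you would feed it /var/log/dmesg.today (the file the post tails) instead.

```shell
# Constructed sample in the shape of the FreeBSD dmesg lines quoted above
# (pids and the php-cgi line are made up for the example).
DMESG_SAMPLE='pid 37033 (squid), jid 0, uid 100: exited on signal 11
pid 43233 (squid), jid 0, uid 100: exited on signal 11
pid 5001 (php-cgi), jid 0, uid 80: exited on signal 6
pid 56327 (squid), jid 0, uid 100: exited on signal 11
pid 71492 (squid), jid 0, uid 100: exited on signal 11'

# segv_count NAME: count "exited on signal 11" (SIGSEGV) entries for process
# NAME read from stdin. Field 3 of each line is "(name)," with a trailing comma.
segv_count() {
    awk -v name="($1)," '
        $3 == name && $(NF-3) == "exited" && $(NF-1) == "signal" && $NF == "11" { n++ }
        END { print n + 0 }'
}

# crash_loop NAME THRESHOLD: exit 0 when NAME has segfaulted at least THRESHOLD
# times in the input, i.e. the supervisor keeps restarting it into the same crash.
crash_loop() {
    [ "$(segv_count "$1")" -ge "$2" ]
}

# Run against the constructed sample; replace the printf with
#   cat /var/log/dmesg.today
# on a FreeBSD / OPNsense box.
if printf '%s\n' "$DMESG_SAMPLE" | crash_loop squid 3; then
    echo "squid: $(printf '%s\n' "$DMESG_SAMPLE" | segv_count squid) SIGSEGV exits, crash loop"
fi
```

Matching on the exact field positions rather than a loose `grep squid` keeps unrelated exits (a different signal, or another process whose name merely contains the string) out of the count.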


Hi Franco, all,

Thanks for the lead =) Here is what I've done to get it back to "work", which is a workaround/downgrade:

root@opnsense:/ # opnsense-revert -r 24.1.5 squid
Fetching squid.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20240105... done
squid-6.8: already unlocked
Installing squid-6.8...
package squid is already installed, forced install
...


This obviously after having passed the OPNsense 24.1.6-amd64 update.

Thanks,
m

I think all later 6.x are affected. Come to think of it, it may be an OpenSSL 3 incompatibility...


Cheers,
Franco


Quote from: franco on May 07, 2024, 01:52:22 PM
I think all later 6.x are affected. Come to think of it, it may be an OpenSSL 3 incompatibility...

Hi Franco,

Yes, I've carefully read the GitHub issue and comments and, hum, well, even with 6.8 it still SEGFAULTs. I'll need to read more about the latest findings; squid's legacy OpenSSL issue.

On another frontline, I'm here running different proxies, all running squid 6.8 + SSL bumping all over + a really big and rather complex configuration, which doesn't show any of such artifacts. These are running on Debian though.

Anyways, let's hope for a fix at some point as I do think that transparent proxy on opnsense is extremely sexy TBH.

Cheers,
m.

A workaround is in place in the plugins for os-squid and os-OPNProxy and seems to work.

An interim solution is to edit /usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf

Change the following line from

legacy = legacy_sect

To

#legacy = legacy_sect

And execute:

# /usr/local/etc/rc.configure_firmware

A slightly better workaround that will require no user interaction will be shipped in 24.1.7


Cheers,
Franco
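Commenting out the legacy provider in the system-wide openssl.cnf affects every OpenSSL 3 consumer on the box, not just squid. As an added example (not code from the thread or from OPNsense), the POSIX shell script below derives a squid-only copy of the configuration with just the `legacy = legacy_sect` entry commented out, so the system file and everything else reading it stay as they are; the sample openssl.cnf is constructed for the example and is not the real OPNsense template, and the squid invocation path is a placeholder.

```shell
#!/bin/sh
# Constructed OpenSSL 3 configuration that activates the legacy provider; it
# mirrors the quoted "legacy = legacy_sect" line but is not the OPNsense template.
WORK="${TMPDIR:-/tmp}"
SYSTEM_CNF="$WORK/example-openssl.cnf"
SQUID_CNF="$WORK/example-squid-openssl.cnf"

cat > "$SYSTEM_CNF" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF

# legacy_enabled FILE: exit 0 when FILE still carries an uncommented
# "legacy = legacy_sect" provider entry, 1 when it is commented out or absent.
legacy_enabled() {
    grep -Eq '^[[:space:]]*legacy[[:space:]]*=[[:space:]]*legacy_sect' "$1"
}

# make_nolegacy_copy SRC DST: write DST as a copy of SRC with only the legacy
# provider entry commented out; SRC is left untouched for every other consumer.
make_nolegacy_copy() {
    sed -E 's/^([[:space:]]*)(legacy[[:space:]]*=[[:space:]]*legacy_sect)/\1#\2/' "$1" > "$2"
}

make_nolegacy_copy "$SYSTEM_CNF" "$SQUID_CNF"

# Only squid is pointed at the trimmed file (placeholder config path); OpenVPN and
# everything else keep reading the system configuration, so BF-CBC stays available:
#   OPENSSL_CONF="$SQUID_CNF" squid -f /path/to/squid.conf
# When the openssl binary is present, show which providers each file loads.
if command -v openssl >/dev/null 2>&1; then
    for f in "$SYSTEM_CNF" "$SQUID_CNF"; do
        echo "== providers loaded with OPENSSL_CONF=$f"
        OPENSSL_CONF="$f" openssl list -providers 2>&1 || echo "(listing failed)"
    done
fi
```

`openssl list -providers` is the quick check that the split does what you expect: the system file should still list the legacy provider, the squid copy should not. Scoping the change to one process via `OPENSSL_CONF` is what keeps the fix from disabling legacy ciphers for other services on the same host.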

Hi Franco, team,

Tested this workaround, prior to that re-enabling Squid 6.9 on 24.1.6.
All fine here, config parses all good.

Thanks guys!
Cheers,
m.

May 09, 2024, 02:07:44 PM #9 Last Edit: May 09, 2024, 02:39:04 PM by meyergru
Quote from: franco on May 08, 2024, 07:42:32 AM
A workaround is in place in the plugins for os-squid and os-OPNProxy and seems to work.

An interim solution is to edit /usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf

Change the following line from

legacy = legacy_sect

To

#legacy = legacy_sect

And execute:

# /usr/local/etc/rc.configure_firmware

A slightly better workaround that will require no user interaction will be shipped in 24.1.7

That workaround seems to have a side-effect: With my OpenVPN config, this disables legacy ciphers, resulting in OpenVPN not starting with: "Error   openvpn_server2   Cipher BF-CBC not supported".

I also had a Google drive backup fail with an invalid p12 key, but that I am unsure if it is related.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Yes, that's why the committed fix is not that... I'm aware of the mess we are in here ;) Python is another offender.


Cheers,
Franco

Was a bit late yesterday.. here are the relevant commits:

https://github.com/opnsense/plugins/commit/70de22e0c
https://github.com/opnsense/plugins/commit/e1d58710d

Will be part of 24.1.7 and an eventual hotfix of the 24.4 release.


Cheers,
Franco

May 10, 2024, 09:03:24 AM #12 Last Edit: May 10, 2024, 09:12:11 AM by meyergru
Ah, so the disabling of openssl legacy functionality is limited to squid only by using a separate configuration file for it. Clever.

Yes, it's a trick I picked up a long time ago. ;)


Cheers,
Franco

Hi Franco, team,

Clean fix indeed =) I've just seen the 24.1.7 announcement, thanks for all the work.
Quick question: should I revert /usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf to its "original" status prior to applying 24.1.7?

Thanks,
Regards,
m.