Author Topic: Squid 6.9 has been released  (Read 3348 times)

vost

Squid 6.9 has been released
« on: April 12, 2024, 10:31:57 pm »
Hello,

Squid 6.9 has been released

https://www.squid-cache.org/Versions/v6/squid-6.9-RELEASENOTES.html


Cheers,
Michael

mokaz

Re: Squid 6.9 has been released
« Reply #1 on: April 26, 2024, 07:37:54 am »
Hi there,

Updated to 6.9 rendering a no start of the squid daemon. Conf is pretty slick here, transparent only.
Cloned the VM for troubleshooting, could you perhaps head me towards the squid daemon startup logs?

Code:
tail -f dmesg.today
pid 37033 (squid), jid 0, uid 100: exited on signal 11
pid 43233 (squid), jid 0, uid 100: exited on signal 11
pid 56327 (squid), jid 0, uid 100: exited on signal 11
pid 71492 (squid), jid 0, uid 100: exited on signal 11
pid 82282 (squid), jid 0, uid 100: exited on signal 11
pid 90846 (squid), jid 0, uid 100: exited on signal 11
pid 84958 (squid), jid 0, uid 100: exited on signal 11
pid 93956 (squid), jid 0, uid 100: exited on signal 11
pid 1971 (squid), jid 0, uid 100: exited on signal 11
pid 13146 (squid), jid 0, uid 100: exited on signal 11

Thanks,
m.

franco

Re: Squid 6.9 has been released
« Reply #2 on: April 26, 2024, 08:57:40 am »
It's an ongoing issue with Squid version 6. https://github.com/opnsense/plugins/issues/3827


Cheers,
Franco

mokaz

Re: Squid 6.9 has been released
« Reply #3 on: May 03, 2024, 09:52:00 pm »
Hi Franco, all,

Thanks for the lead =) Here is what I've done to get it back to "work", which is a workaround/downgrade:
Code:
root@opnsense:/ # opnsense-revert -r 24.1.5 squid
Fetching squid.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20240105... done
squid-6.8: already unlocked
Installing squid-6.8...
package squid is already installed, forced install
...

This obviously after having passed the OPNsense 24.1.6-amd64 update.

Thanks,
m

franco

Re: Squid 6.9 has been released
« Reply #4 on: May 07, 2024, 01:52:22 pm »
I think all later 6.x are affected. Come to think of it, it may be an OpenSSL 3 incompatibility...


Cheers,
Franco

franco

Re: Squid 6.9 has been released
« Reply #5 on: May 07, 2024, 02:04:18 pm »
Ok so I guess that's it then... https://issues.redhat.com/browse/RHEL-6873

mokaz

Re: Squid 6.9 has been released
« Reply #6 on: May 07, 2024, 11:15:51 pm »
Quote from: franco on May 07, 2024, 01:52:22 pm
I think all later 6.x are affected. Come to think of it, it may be an OpenSSL 3 incompatibility...

Hi Franco,

Yes, I've carefully read the GitHub issue and comments and hum well, even with 6.8 it still SEGFAULTs. I'll need to read more about the latest findings; squid's legacy openssl issue.

On another frontline, I'm here running different proxies all running squid 6.8 + ssl bumping all over + a really bigger and rather complex configuration which doesn't show any of such artifacts. These are running on Debian though.

Anyways, let's hope for a fix at some point as I do think that transparent proxy on opnsense is extremely sexy TBH.

Cheers,
m.

franco

Re: Squid 6.9 has been released
« Reply #7 on: May 08, 2024, 07:42:32 am »
A workaround is in place in the plugins for os-squid and os-OPNProxy and seems to work.

An interim solution is to edit /usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf

Change the following line from

legacy = legacy_sect

To

#legacy = legacy_sect

And execute:

# /usr/local/etc/rc.configure_firmware

A slightly better workaround that will require no user interaction will be shipped in 24.1.7


Cheers,
Franco

mokaz

Re: Squid 6.9 has been released
« Reply #8 on: May 09, 2024, 10:23:22 am »
Hi Franco, team,

Tested this workaround with prior to that, re-enabling Squid 6.9 on 24.1.6.
All fine here, config parses all good.

Thanks guys!
Cheers,
m.

meyergru

Re: Squid 6.9 has been released
« Reply #9 on: May 09, 2024, 02:07:44 pm »
Quote from: franco on May 08, 2024, 07:42:32 am
A workaround is in place in the plugins for os-squid and os-OPNProxy and seems to work.

An interim solution is to edit /usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf

Change the following line from

legacy = legacy_sect

To

#legacy = legacy_sect

And execute:

# /usr/local/etc/rc.configure_firmware

A slightly better workaround that will require no user interaction will be shipped in 24.1.7

That workaround seems to have a side-effect: With my OpenVPN config, this disables legacy ciphers, resulting in OpenVPN not starting with: "Error   openvpn_server2   Cipher BF-CBC not supported".

I also had a Google drive backup fail with an invalid p12 key, but that I am unsure if it is related.
« Last Edit: May 09, 2024, 02:39:04 pm by meyergru »
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

franco

Re: Squid 6.9 has been released
« Reply #10 on: May 09, 2024, 07:22:17 pm »
Yes, that's why the committed fix is not that... I'm aware of the mess we are in here ;) Python is another offender.


Cheers,
Franco

franco

Re: Squid 6.9 has been released
« Reply #11 on: May 10, 2024, 08:58:13 am »
Was a bit late yesterday.. here are the relevant commits:

https://github.com/opnsense/plugins/commit/70de22e0c
https://github.com/opnsense/plugins/commit/e1d58710d

Will be part of 24.1.7 and an eventual hotfix of the 24.4 release.


Cheers,
Franco

meyergru

Re: Squid 6.9 has been released
« Reply #12 on: May 10, 2024, 09:03:24 am »
Ah, so the disabling of openssl legacy functionality is limited to squid only by using a separate configuration file for it. Clever.
« Last Edit: May 10, 2024, 09:12:11 am by meyergru »
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+
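
The scoping described in Reply #12 (legacy provider off for Squid only, left on for OpenVPN and everything else) can be sketched with OpenSSL's OPENSSL_CONF environment variable. This is an added example, not the code from the linked commits; the file names, the sample config and the use of OPENSSL_CONF as the mechanism are assumptions.

```shell
#!/bin/sh
# Added example, not OPNsense's code. File names and sample config are constructed.

# Copy an OpenSSL config, commenting out the line that activates the legacy
# provider. The source file (used by OpenVPN and everything else) is untouched.
make_scoped_conf() {
    sed 's/^\([[:space:]]*legacy[[:space:]]*=[[:space:]]*legacy_sect\)/#\1/' "$1" > "$2"
}

# Exit status 0 if the given config still activates the legacy provider.
loads_legacy() {
    grep -q '^[[:space:]]*legacy[[:space:]]*=[[:space:]]*legacy_sect' "$1"
}

# Run a single command with OPENSSL_CONF pointing at the scoped config.
run_scoped() {
    scoped_conf=$1; shift
    env OPENSSL_CONF="$scoped_conf" "$@"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed stand-in for the system-wide openssl.cnf with legacy enabled.
cat > "$demo_dir/openssl.cnf" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF

make_scoped_conf "$demo_dir/openssl.cnf" "$demo_dir/squid-openssl.cnf"

loads_legacy "$demo_dir/openssl.cnf"       && echo "system config: legacy provider on"
loads_legacy "$demo_dir/squid-openssl.cnf" || echo "scoped config: legacy provider off"

# Only the child process sees the scoped file; with OpenSSL 3 installed you can
# substitute `openssl list -providers` for the command below.
run_scoped "$demo_dir/squid-openssl.cnf" sh -c 'echo "child OPENSSL_CONF=$OPENSSL_CONF"'
```

Because the system-wide file is never modified, services that still need legacy ciphers (the BF-CBC OpenVPN case from Reply #9) keep working.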

franco

Re: Squid 6.9 has been released
« Reply #13 on: May 10, 2024, 09:25:05 am »
Yes, it's a trick I picked up a long time ago. ;)


Cheers,
Franco

mokaz

Re: Squid 6.9 has been released
« Reply #14 on: May 16, 2024, 08:26:02 pm »
Hi Franco, team,

Clean fix indeed =) I've just seen the 24.1.7 announcement, thanks for all the work.
Quick question: should I revert to the "original" status / edit /usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf to its original status prior to applying 24.1.7?

Thanks,
Regards,
m.