Squid version in pfSense 2.5/21.02 is 4.13:

[2.5.0-RELEASE][root@xxx]/root: pkg info squid squid-4.13 Name : squid Version : 4.13

please test and leave your comment on https://redmine.pfsense.org/issues/10608

Anyone have any ideas?

@sraman
This config does not look like it would be generated by the pfSense haproxy package like this.. are you sure it is the one used? the config seems okay by itself...

I was not able to update squidGuard package, process stucked on Initialization. So I disabled squidGuard and Squid, remove SquidGuard package, but unfortunately was not able to install the new version cause of stuck on initialization, so I just backup all and did an upgrade to 2.5.0 and it finished successfull.

For now, my problem is solved, thanks a lot.

Further info:

I dug through the package repo and found that IGMP proxy has indeed updated with 2.5.0. But when I tried reverting back to the 2.4.5 version, it didn't fix my issue, so I guess the problem is not IGMP proxy itself but the fact that pfSense fails to restart it.

I checked the system log events when the interface goes down and found that the script /etc/rc.newwanip runs automatically when it comes back up. Looking in this script, there's a function near the end to restart the IGMP proxy: services_igmpproxy_configure()

Trouble is, that function only executes when a change in IP address is found, which is never going to happen because the interfaces on both sides of the proxy have static IPs.

I've edited my script and added a couple of lines at the end to make it go ahead and do the restart whenever the interface coming up is one that's used by IPTV (opt1 is my LAN side and opt3 is the WAN side):

/* reload igmpproxy for IPTV interface */
if ($interface == "opt1" || $interface == "opt3") {
services_igmpproxy_configure();
}

This seems to be doing the job for me, but I guess it will get wiped out by a future update, and I still don't know what changed to make this workaround necessary.

@michaelschefczyk
Hi Michael,
I think you should look a little at that cipher list, or perhaps not configure it and go for the SSL/TLS Compatibility Mode: 'intermediate' ?
That should help to get TLS1.2 back available. (at least in my ssllabs-server-test)

And yes having a ECDSA cert should help to lower the overhead a bit from what ive read, having rather low traffic numbers myself ive never bothered to investigate the exact details there..
Regards PiBa-NL

@czvacko said in 2.5.0 is deleting certs needed for SSL LDAP Squid auth:

How about squidGuard ? Were there any changes in the source code ?

Please create a new topic/bugreport with this issue

Could be related to https://redmine.pfsense.org/issues/11434

@stephenw10 thank you :-)

Hi,

Updating to pfSense 2.5.0 and adding the following has enabled TLS1.3 and 1.2,

OpenSSL Version 1.1.1 installed.

ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

Screenshot from 2021-02-18 00-37-39.png