Netgate Discussion Forum

Squid problem after upgrade to 2.7.1

Cache/Proxy
saleg

      Good afternoon all,

After upgrading to 2.7.1 the squid service does not start. Below is the error from the squid -z command line. Can you help me please? I tried to restart the service and to cancel and reinstall the package, but nothing fixed it. It refers to the SSL and TLS options, but I do not understand where I eventually have to modify those options.

Shell Output - squid -z
      2023/11/24 15:58:32| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
      2023/11/24 15:58:32| WARNING: UPGRADE: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.
      2023/11/24 15:58:32| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
      OpenSSL-saved error #1: 0x1e08010c
      2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
      2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE
      2023/11/24 15:58:32| Starting Authentication on port 127.0.0.1:3128
      2023/11/24 15:58:32| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
      2023/11/24 15:58:32| WARNING: UPGRADE: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.
      2023/11/24 15:58:32| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
      OpenSSL-saved error #1: 0x1e08010c
      2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
      2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE
      2023/11/24 15:58:32| Starting Authentication on port 127.0.0.1:3129
      2023/11/24 15:58:32| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
      2023/11/24 15:58:32| WARNING: UPGRADE: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in https_port. Use 'tls-cafile=' instead.
      2023/11/24 15:58:32| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
      OpenSSL-saved error #1: 0x1e08010c
      2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
      2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE
      2023/11/24 15:58:32| ERROR: Directive 'dns_v4_first' is obsolete.
      2023/11/24 15:58:32| dns_v4_first : Remove this line. Squid no longer supports preferential treatment of DNS A records.
      2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
      2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE
      2023/11/24 15:58:32| ERROR: configuration failure: POSIX regcomp(3) failure: (13) repetition-operator operand invalid
      regular expression: .google.com/
      exception location: RegexPattern.cc(30) RegexPattern
      2023/11/24 15:58:32| Not currently OK to rewrite swap log.
      2023/11/24 15:58:32| storeDirWriteCleanLogs: Operation aborted.
      2023/11/24 15:58:32| FATAL: Bungled /usr/local/etc/squid/squid.conf line 97: acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
      2023/11/24 15:58:32| Squid Cache (Version 6.3): Terminated abnormally.
      CPU Usage: 0.016 seconds = 0.016 user + 0.000 sys
      Maximum Resident Size: 69296 KB
      Page faults with physical i/o: 0

wynn1212

I also found this problem after upgrading to 2.7.1.
It turns out that regular expression handling has been changed after the squid package updates.

        As you can see in this error log:

        2023/11/24 15:58:32| ERROR: configuration failure: POSIX regcomp(3) failure: (13) repetition-operator operand invalid
        regular expression: .google.com/
        exception location: RegexPattern.cc(30) RegexPattern
        2023/11/24 15:58:32| Not currently OK to rewrite swap log.
        2023/11/24 15:58:32| storeDirWriteCleanLogs: Operation aborted.
        2023/11/24 15:58:32| FATAL: Bungled /usr/local/etc/squid/squid.conf line 97: acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
        2023/11/24 15:58:32| Squid Cache (Version 6.3): Terminated abnormally.
        

It turns out that .google.com/ in ACL Whitelist is no longer a valid regular expression.
It should be changed to \.google.com/ (I'm not sure if my regex is correct, but it's enough for squid to continue functioning).

        EDIT: Oops, looks like your problem was in ACL Whitelist. For me, it was Custom refresh_patterns

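The log above names POSIX regcomp(3) as the failing call, and Squid compiles both ACL regex files (dstdom_regex, url_regex) and refresh_pattern expressions as extended regular expressions, with the -i flag adding case-insensitivity. The program below is an added example, not code from this thread or from the pfSense or Squid projects: it runs a constructed whitelist-style file body (my own sample entries, not the poster's real list) through regcomp with those same flags, prints the regerror(3) text for any entry the local libc rejects, and then shows why escaping the dots matters. The helper names are my own. Note that the logged entry `.google.com/` is on its own a syntactically valid extended regex, so check the whole file rather than only the entry the log names.

```c
/* Added example: check Squid regex ACL entries with POSIX regcomp(3), the
 * same interface that produced the "regcomp(3) failure" in the thread. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Compile one pattern as Squid compiles an ACL regex: extended syntax, no
 * sub-match capture; icase mirrors the "-i" flag on the acl line. Returns 0
 * on success, else the regcomp error code with regerror(3) text in msg. */
static int compile_pattern(const char *pattern, int icase,
                           char *msg, size_t msglen)
{
    regex_t re;
    int flags = REG_EXTENDED | REG_NOSUB | (icase ? REG_ICASE : 0);
    int rc = regcomp(&re, pattern, flags);
    if (rc != 0) {
        regerror(rc, &re, msg, msglen);
        return rc;
    }
    regfree(&re);
    if (msglen > 0)
        msg[0] = '\0';
    return 0;
}

/* 1 if the pattern is accepted by regcomp (case-insensitive), else 0. */
static int pattern_compiles(const char *pattern)
{
    char msg[128];
    return compile_pattern(pattern, 1, msg, sizeof msg) == 0;
}

/* 1 if pattern matches subject, 0 if not, -1 if the pattern is invalid. */
static int pattern_matches(const char *pattern, const char *subject)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0)
        return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Walk a whitelist-style file body line by line, skipping blank lines and
 * '#' comments, and print the regerror text for every entry regcomp rejects.
 * Returns the number of rejected entries. */
static int check_acl_lines(const char *body, int icase)
{
    int bad = 0, lineno = 0;
    const char *p = body;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        lineno++;
        if (line[0] != '\0' && line[0] != '#') {
            char msg[128];
            if (compile_pattern(line, icase, msg, sizeof msg) != 0) {
                printf("line %d: %-20s REJECTED: %s\n", lineno, line, msg);
                bad++;
            } else {
                printf("line %d: %-20s ok\n", lineno, line);
            }
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return bad;
}

/* Constructed sample file body (not the poster's real whitelist). The first
 * entry is a shell-style wildcard, which is not a valid extended regex; the
 * others compile. */
static const char *sample_whitelist =
    "*.google.com\n"
    ".google.com\n"
    "# escaped dots and an end anchor: only hosts ending in .google.com\n"
    "\\.google\\.com$\n";

int main(void)
{
    int bad = check_acl_lines(sample_whitelist, 1);
    printf("%d entr%s rejected\n", bad, bad == 1 ? "y" : "ies");
    /* An unescaped dot matches any character, so the loose entry also
     * accepts a look-alike host; the escaped, anchored one does not. */
    printf(".google.com      vs www-google.com: %d\n",
           pattern_matches(".google.com", "www-google.com"));
    printf("\\.google\\.com$ vs www-google.com: %d\n",
           pattern_matches("\\.google\\.com$", "www-google.com"));
    return bad != 0;
}
```

Two things the output makes visible: a leading `*` is rejected because an extended regex needs an operand before a repetition operator, and an unescaped `.` in `.google.com` matches `www-google.com` as readily as `www.google.com`, which is why the fully escaped, end-anchored form is the safer whitelist entry. Also keep in mind that a dstdom_regex entry is tested against the destination host name only, so an entry ending in `/` can never match there; a trailing path belongs in a url_regex ACL.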
saleg @wynn1212

          @wynn1212

No way wynn1212. Squid has been deprecated for security reasons. Too many uncorrected vulnerabilities are present. For this reason this package will be deprecated and not included in the next release. RIP Squid in pfSense

yyovchev

Hello everyone. When squid proxy is removed from pfSense in the new version, what is the alternative? I use squid for an outbound proxy with multiple IPs.

Michele Trotta

              Hi everyone,

              I have the same problem, has anyone managed to solve the problem?

              Thanks again

              Michele

JonathanLee

                @saleg said in Squid problem after upgrade to 2.7.1:

                2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
                2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE

                How did you fix

                2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
                2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE?

                Make sure to upvote

Michele Trotta @JonathanLee

                  @JonathanLee said in Squid problem after upgrade to 2.7.1:

                  How did you fix

                  Hi, I couldn't solve it.

                  I'm looking for an alternative solution but I can't find anything at the moment

                  Greetings

                  Michele

wynn1212 @JonathanLee

@JonathanLee If I remember correctly, those 2 errors are not FATAL and should not prevent squid from starting, unless you really need this feature.
If squid failed to start, please check the FATAL message instead of the ERROR messages.

JonathanLee

                      Does anyone know how to activate the TLS1.3 ciphers? This might fix some issues....
                      Per lists.squid-cache.org

                      Ref:
                      https://openssl.org/blog/blog/2017/05/04/tlsv1.3/
                      https://lists.squid-cache.org/pipermail/squid-users/2018-February/017640.html

                      And CVE-2016-0701

"Yes. Due to CVE-2016-0701 the SSL_OP_SINGLE_DH_USE option was deprecated"

It is deprecated and the new pfSense package still shows it as a default option, however how does one append

                      Make sure to upvote

liberatti

Try to modify /usr/local/pkg/squid.inc
from

$sslproxy_options .= ",SINGLE_DH_USE,SINGLE_ECDH_USE";

to

//$sslproxy_options .= ",SINGLE_DH_USE,SINGLE_ECDH_USE";

Check configuration with the command

squid -k parse

tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
edelvandro @liberatti

                          @liberatti This works for me!!
                          Line 1250 and 1254

JonathanLee

                            https://github.com/pfsense/FreeBSD-ports/commit/476a7d0e3dca704b236839970f1d215912184f73

This is a known issue. I had a merge for a previous version, when you could disable the older TLS; however, this directive is no longer on the latest version of squid. This directive is no longer part of the latest squid package.

                            Make sure to upvote

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.