after upgrade to 24.11: squid doesn´t start

stephenw10

@philippe34 Is that the conf file start or fails?

The error shown: Unknown http_port option 'NO_TLSv1,' makes it seem like the conf file is being incorrectly generated such that it;s trying to use 'NO_TLSv' as a an http_port.

JonathanLee

@stephenw10

Commit
dc0f0badcbf29efa73fa6d3cc5e5ab966ea3da4f

caused issues I think this directive is no longer valid as soon as we fixed it, Squid upstream must have already fixed it and disabled the directive also just NO_TLSv1 the other NO_TLSv1_1 seems to still work.

https://github.com/JonathanDLee24/FreeBSD-ports/tree/dc0f0badcbf29efa73fa6d3cc5e5ab966ea3da4f

Screenshot 2024-12-02 at 15.45.04.png

Let me change it back and see if that fixes the error but it will take 6 months to get fixed before it gets reviewed again, I tested it with my stuff and everything. Keep trying don't give up

stephenw10

Oh OK this is a fixed setting not an option. Interesting.
I expect those http_ports lines to include those options like:

http_port 192.168.221.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3, NO_TLSv1_1

Which is why it throws the error there.

JonathanLee

@stephenw10 said in after upgrade to 24.11: squid doesn´t start:

le=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3, NO_TLSv1_1

https://github.com/pfsense/FreeBSD-ports/commit/476a7d0e3dca704b236839970f1d215912184f73

Should fix it per maintainer

philippe34

@stephenw10

hello,
for the moment it works I will do more tests this evening.
I will check the logs.
thanks for your help

19pegr69

nothing that helps me. I don´t use ssl or other extended options and it throws the error message i wrote before.

stephenw10

@19pegr69 said in after upgrade to 24.11: squid doesn´t start:

'ld-elf.so.1: /usr/local/sbin/squid: Undefined symbol "_ZTTNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE"'

That looks more like you have the wrong squid version installed somehow.

dauhee

I have this also. I've nothing to add to the resolution efforts unfortunately

stephenw10

@JonathanLee said in after upgrade to 24.11: squid doesn´t start:

https://github.com/pfsense/FreeBSD-ports/commit/476a7d0e3dca704b236839970f1d215912184f73

This doesn't seem enough, at least not for all archs, since it also fails on TLSv1_1:

[24.11-RELEASE][admin@2100-3.stevew.lan]/root: /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf
CPU Usage: 0.064 seconds = 0.040 user + 0.024 sys
Maximum Resident Size: 54384 KB
Page faults with physical i/o: 0
2024/12/04 20:00:01| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2024/12/04 20:00:01| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
    OpenSSL-saved error #1: 0x1e08010c
2024/12/04 20:00:01| FATAL: Unknown http_port option 'NO_TLSv1_1'.
2024/12/04 20:00:01| Not currently OK to rewrite swap log.
2024/12/04 20:00:01| storeDirWriteCleanLogs: Operation aborted.
2024/12/04 20:00:01| FATAL: Bungled /usr/local/etc/squid/squid.conf line 4: http_port 192.168.221.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3, NO_TLSv1_1
2024/12/04 20:00:01| Squid Cache (Version 6.10): Terminated abnormally.

JonathanLee

@stephenw10 I think he fixed this also it lists as a red removed line today for TLSv1_1 also. I wonder why the new Squid 7.0 that resolved all the concerns no longer lets you use this directive. Weird maybe it is just all disabled now for it and they do not need that directive. The V 7 has resolved almost all the concerns that was in that white paper

marcosm

The issue should be fixed after applying both the previous commit and this one:
https://github.com/pfsense/FreeBSD-ports/commit/009dc5f68e0cf1d1a767d1a9119bcbaface44823

JonathanLee

@marcosm thanks I love this package, I am also having that OpenSSL error for some reason.

stephenw10

Which error is that?

JonathanLee

@stephenw10 2024/12/04 20:00:01| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
OpenSSL-saved error #1: 0x1e08010c

stephenw10

Ah I see. Hmm....

19pegr69

It's nice that everyone seems to be able to solve this problem, but other than the comment that I've probably installed the wrong package, I haven't been able to get any help. I just expect the script to get the right package itself when updating. Can someone please explain to a FreeBSD layman how I can get the apparently correct package onto the system when installing via the GUI?

stephenw10

Check the pkgs you actually have installed: pkg info -x squid

dauhee

@stephenw10 said in after upgrade to 24.11: squid doesn´t start:

pkg info -x squid

this is mine and what I suspect everyone elses with version applied via the package manager:

pfSense-pkg-squid-0.5
squid-6.10
squid_radius_auth-1.10
squidclamav-7.3_2

is there a way to pull from the git commit that was mentioned or is it a waiting game for the next release?

stephenw10

You can apply both using the System Patches pkg, just create patches from the commits.

However that won't help with the undefined symbol errors some users are seeing.

intellq

Thread got sort of hijacked with another problem... but I'm here to tell that the exact same thing also happened to me.

/pkg_edit.php: The command '/usr/local/sbin/squid -z -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was 'ld-elf.so.1: /usr/local/sbin/squid: Undefined symbol "_ZTTNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE"'

After the first boot after upgrading to 24.11, Squid doesn't work anymore, no matter what I do. I've tried:

Changed a lot of settings;
Reset squid settings to default;
Uninstalled squid completely...
...reinstall via gui
...or command line:

pkg install -f pfSense-pkg-squid-0.5 squid-6.10 squid_radius_auth-1.10 squidclamav-7.3_2

Nothing. Nada :(

Any help?