Netgate Discussion Forum

    Squid problem after upgrade to 2.7.1

    • W
      wynn1212

      I also found this problem after upgrading to 2.7.1.
      It turns out that the regular expression has been changed after the squid package update.

      As you can see in this error log:

      2023/11/24 15:58:32| ERROR: configuration failure: POSIX regcomp(3) failure: (13) repetition-operator operand invalid
      regular expression: .google.com/
      exception location: RegexPattern.cc(30) RegexPattern
      2023/11/24 15:58:32| Not currently OK to rewrite swap log.
      2023/11/24 15:58:32| storeDirWriteCleanLogs: Operation aborted.
      2023/11/24 15:58:32| FATAL: Bungled /usr/local/etc/squid/squid.conf line 97: acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
      2023/11/24 15:58:32| Squid Cache (Version 6.3): Terminated abnormally.
      

      It turns out that .google.com/ in ACL Whitelist is no longer a valid regular expression.
      It should be changed to \.google.com/ (I'm not sure if my regex is correct, but it's enough for squid to continue functioning).

      EDIT: Oops, looks like your problem was in ACL Whitelist. For me, it was Custom refresh_patterns

      • S
        saleg @wynn1212

        @wynn1212

        No way wynn1212. Squid has been deprecated for security reasons. Too many uncorrected vulnerabilities are present. For this reason this package will be deprecated and not included in the next release. RIP Squid in pfSense.

        • Y
          yyovchev

          Hello everyone. When squid proxy is removed from pfSense in the new version, what is the alternative? I use squid as an outbound proxy with multiple IPs.

          • M
            Michele Trotta

            Hi everyone,

            I have the same problem, has anyone managed to solve the problem?

            Thanks again

            Michele

            • JonathanLeeJ
              JonathanLee

              @saleg said in Squid problem after upgrade to 2.7.1:

              2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
              2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE

              How did you fix

              2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
              2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE?

              Make sure to upvote

              • M
                Michele Trotta @JonathanLee

                @JonathanLee said in Squid problem after upgrade to 2.7.1:

                How did you fix

                Hi, I couldn't solve it.

                I'm looking for an alternative solution but I can't find anything at the moment

                Greetings

                Michele

                • W
                  wynn1212 @JonathanLee

                  @JonathanLee If I remember correctly, those 2 errors are not FATAL and should not prevent squid from starting, unless you really need this feature.
                  If squid failed to start, please check the FATAL message instead of the ERROR message.

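The triage described in the posts above (read the FATAL line, not every ERROR), as an added example that is not part of any post in this thread. It groups the startup log into entries, ties each FATAL to the "configuration failure" ERROR that caused it, and lists the ERRORs that did not stop squid. The sample log is constructed from the lines quoted in this thread, arranged as a single run; the function names are hypothetical.

```python
import re

# Constructed sample: log lines quoted in this thread, arranged as one startup run.
SAMPLE_LOG = """\
2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE
2023/11/24 15:58:32| ERROR: configuration failure: POSIX regcomp(3) failure: (13) repetition-operator operand invalid
regular expression: .google.com/
exception location: RegexPattern.cc(30) RegexPattern
2023/11/24 15:58:32| Not currently OK to rewrite swap log.
2023/11/24 15:58:32| storeDirWriteCleanLogs: Operation aborted.
2023/11/24 15:58:32| FATAL: Bungled /usr/local/etc/squid/squid.conf line 97: acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
2023/11/24 15:58:32| Squid Cache (Version 6.3): Terminated abnormally.
"""

STAMPED = re.compile(r"^(\d{4}/\d\d/\d\d [\d:]+)\| (?:(ERROR|FATAL|WARNING): )?(.*)$")
BUNGLED = re.compile(r"^Bungled (\S+) line (\d+): (.*)$")

def parse_entries(text):
    """Group lines into entries; unstamped lines continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = STAMPED.match(line)
        if m:
            entries.append({"level": m.group(2) or "INFO", "msg": m.group(3), "detail": []})
        elif entries and line.strip():
            entries[-1]["detail"].append(line.strip())
    return entries

def triage(text):
    """Return (fatal, non_fatal): what stopped squid, and ERRORs that did not."""
    fatal, errors = [], []
    for e in parse_entries(text):
        if e["level"] == "ERROR":
            errors.append(e)
        elif e["level"] == "FATAL":
            # The latest "configuration failure" ERROR explains this FATAL.
            cause = next((x for x in reversed(errors)
                          if x["msg"].startswith("configuration failure")), None)
            if cause:
                errors.remove(cause)
            b = BUNGLED.match(e["msg"])
            fatal.append({"where": b.groups() if b else None, "cause": cause})
    return fatal, [x["msg"] for x in errors]

if __name__ == "__main__":
    fatal, non_fatal = triage(SAMPLE_LOG)
    for f in fatal:
        print("FATAL at", f["where"], "|", f["cause"] and f["cause"]["detail"])
    print("non-fatal ERRORs:", non_fatal)
```
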
                  • JonathanLeeJ
                    JonathanLee

                    Does anyone know how to activate the TLS1.3 ciphers? This might fix some issues....
                    Per lists.squid-cache.org

                    Ref:
                    https://openssl.org/blog/blog/2017/05/04/tlsv1.3/
                    https://lists.squid-cache.org/pipermail/squid-users/2018-February/017640.html

                    And CVE-2016-0701

                    "Yes. Due to CVE-2016-0701 the SSL_OP_SINGLE_DH_USE option was deprecated"

                    It is deprecated and the new pfSense package still shows it as a default option, however how does one append

                    Make sure to upvote

                    • liberattiL
                      liberatti

                      Try to modify /usr/local/pkg/squid.inc
                      from

                      $sslproxy_options .= ",SINGLE_DH_USE,SINGLE_ECDH_USE";
                      to 
                      //$sslproxy_options .= ",SINGLE_DH_USE,SINGLE_ECDH_USE";
                      

                      Check configuration with the command

                      squid -k parse
                      
                      tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
                      
                      
                      • E
                        edelvandro @liberatti

                        @liberatti This works for me!!
                        Line 1250 and 1254

                        • JonathanLeeJ
                          JonathanLee

                          https://github.com/pfsense/FreeBSD-ports/commit/476a7d0e3dca704b236839970f1d215912184f73

                          This is a known issue. I had a merge for a previous version when you could disable the older TLS; however, this directive is no longer in the latest version of squid. This directive is no longer part of the latest squid package.

                          Make sure to upvote

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.