Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    TLS pr_end_of_file_error (non proxy related)

    Scheduled Pinned Locked Moved General pfSense Questions
    5 Posts 2 Posters 7.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • joeschmoeJ
      joeschmoe
      last edited by

      Im getting 2 types of responses from the pfsense cli for the same website. problem is that when i hit the write:errno=54, the pr_end_of_file_error message in squid appears. This is not a squid cert error since im not running mitm/transparent. The testing below is directly from the pfsense cli.

      Reading wireshark difference, if the client hello is shows tls1, the error is encountered. Weird is that its from the same site.

      With ssl error(browser pr_end_of_file_error response):
      [[2.5.2-RELEASE][whoami@oo.ooo.oooo]/: openssl s_client -connect radiopaedia.org:443
      CONNECTED(00000003)
      write:errno=54

      no peer certificate available

      No client certificate CA names sent

      SSL handshake has read 0 bytes and written 319 bytes
      Verification: OK

      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      Early data was not sent
      Verify return code: 0 (ok)
      ---]

      Without ssl error on browser:
      [2.5.2-RELEASE][whoami@oo.ooo.oooo]/: openssl s_client -connect radiopaedia.org:443
      CONNECTED(00000003)
      depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
      verify return:1
      depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
      verify return:1
      depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
      verify return:1

      Certificate chain
      0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
      i:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
      1 s:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
      i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root

      Server certificate
      -----BEGIN CERTIFICATE-----
      MIIFOzCCBOGgAwIBAgIQBBWphhBLhdqiMXLlVIVxHDAKBggqhkjOPQQDAjBKMQsw
      CQYDVQQGEwJVUzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjEgMB4GA1UEAxMX
      Q2xvdWRmbGFyZSBJbmMgRUNDIENBLTMwHhcNMjEwNzE2MDAwMDAwWhcNMjIwNzE1
      MjM1OTU5WjB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG
      A1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjEe
      MBwGA1UEAxMVc25pLmNsb3VkZmxhcmVzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZI
      zj0DAQcDQgAExwKT2LHQQCz78ykhm7Tetk5oAUnKCtR26kMroBEjNFNwN4lNHjMe
      nF3y6ko18vNnUFYDEBQ6pAOMJkbF75NfEqOCA3wwggN4MB8GA1UdIwQYMBaAFKXO
      N+rrsHUOlGeItEX62SQQh5YfMB0GA1UdDgQWBBQXkNbm9qfWFez+i37TnR5sScC1
      3jBEBgNVHREEPTA7ghVzbmkuY2xvdWRmbGFyZXNzbC5jb22CESoucmFkaW9wYWVk
      aWEub3Jngg9yYWRpb3BhZWRpYS5vcmcwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW
      MBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BgNVHR8EdDByMDegNaAzhjFodHRwOi8v
      Y3JsMy5kaWdpY2VydC5jb20vQ2xvdWRmbGFyZUluY0VDQ0NBLTMuY3JsMDegNaAz
      hjFodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vQ2xvdWRmbGFyZUluY0VDQ0NBLTMu
      Y3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93
      d3cuZGlnaWNlcnQuY29tL0NQUzB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGG
      GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2Nh
      Y2VydHMuZGlnaWNlcnQuY29tL0Nsb3VkZmxhcmVJbmNFQ0NDQS0zLmNydDAMBgNV
      HRMBAf8EAjAAMIIBfAYKKwYBBAHWeQIEAgSCAWwEggFoAWYAdgBGpVXrdfqRIDC1
      oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAXqv4nBNAAAEAwBHMEUCIDeIF02r7EMA
      OE1LH5PhS1ttNN4w3DbxOThH1miCXz3NAiEAogaiG5eTgoDUgs28qhCxUqDq0AJJ
      L9q7f2YUbEJQFP4AdQBRo7D1/QF5nFZtuDd4jwykeswbJ8v3nohCmg3+1IsF5QAA
      AXqv4nA6AAAEAwBGMEQCICh9ZzfAmgWg3Nqj265ukh8RGtb/7y9fgOeQSqBO5For
      AiBpAUcLp1uV7TgFqHQxdmhrZBI9aBfzraQq/wxCsOgYEQB1AEHIyrHfIkZKEMah
      OglCh15OMYsbA+vrS8do8JBilgb2AAABeq/ib+oAAAQDAEYwRAIgaBwC/NlXMU22
      ljza1hK3+5qReb1GNeqiirk9t0TLUdUCIBo6fV/YLCGOFZBpUZ1HjsVvlNqgqtuZ
      o1NhcJzSj601MAoGCCqGSM49BAMCA0gAMEUCIQCElb21g6QRXZFn1yLMnB2kpgQl
      aLlOe2YUbDtCGQDBggIgJO7PVSz2rXalPTpHdDoICNIdRzAFgkG3D5+3sn1O6sU=
      -----END CERTIFICATE-----
      subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com

      issuer=C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3


      No client certificate CA names sent
      Peer signing digest: SHA256
      Peer signature type: ECDSA
      Server Temp Key: X25519, 253 bits

      SSL handshake has read 2633 bytes and written 399 bytes
      Verification: OK

      New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
      Server public key is 256 bit
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      Early data was not sent
      Verify return code: 0 (ok)

      read:errno=54

      1 Reply Last reply Reply Quote 0
      • joeschmoeJ
        joeschmoe
        last edited by

        showing curl response difference as well:

        OK Response
        2.5.2-RELEASE][whoami@oo.ooo.oooo]/: curl https://radiopaedia.org/ -vkI

        • Trying 172.67.72.247:443...
        • Connected to radiopaedia.org (172.67.72.247) port 443 (#0)
        • ALPN, offering h2
        • ALPN, offering http/1.1
        • successfully set certificate verify locations:
        • CAfile: /usr/local/share/certs/ca-root-nss.crt
        • CApath: none
        • TLSv1.3 (OUT), TLS handshake, Client hello (1):
        • TLSv1.3 (IN), TLS handshake, Server hello (2):
        • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
        • TLSv1.3 (IN), TLS handshake, Certificate (11):
        • TLSv1.3 (IN), TLS handshake, CERT verify (15):
        • TLSv1.3 (IN), TLS handshake, Finished (20):
        • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
        • TLSv1.3 (OUT), TLS handshake, Finished (20):
        • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
        • ALPN, server accepted to use h2
        • Server certificate:
        • subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
        • start date: Jul 16 00:00:00 2021 GMT
        • expire date: Jul 15 23:59:59 2022 GMT
        • issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
        • SSL certificate verify ok.
        • Using HTTP2, server supports multi-use
        • Connection state changed (HTTP/2 confirmed)
        • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
        • Using Stream ID: 1 (easy handle 0x801435800)

        HEAD / HTTP/2
        Host: radiopaedia.org
        user-agent: curl/7.76.1
        accept: /

        • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
        • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
        • old SSL session ID is stale, removing
        • Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
          < HTTP/2 200
          HTTP/2 200
          < date: Fri, 08 Apr 2022 06:03:32 GMT
          date: Fri, 08 Apr 2022 06:03:32 GMT
          < content-type: text/html; charset=utf-8
          content-type: text/html; charset=utf-8
          < x-xss-protection: 1; mode=block
          x-xss-protection: 1; mode=block
          < x-content-type-options: nosniff
          x-content-type-options: nosniff
          < x-download-options: noopen
          x-download-options: noopen
          < x-permitted-cross-domain-policies: none
          x-permitted-cross-domain-policies: none
          < referrer-policy: strict-origin-when-cross-origin
          referrer-policy: strict-origin-when-cross-origin
          < vary: X-UA-Device
          vary: X-UA-Device
          < cache-control: max-age=0, private, must-revalidate
          cache-control: max-age=0, private, must-revalidate
          < set-cookie: _radiopaedia_session=VFo1RWVtOTB5OVRtVjg1RlRNSmVlYmRHMldwdFRNWGlNNDV1eEE3V0NXV08vM2pEdW5hUUtTeUw3WmFRVXMxaUpENXllTGp3SGw5cm5QbWpFNlBmWElqcXZSK29rZmhaR0lJRlFFQVkyUGplelovOFA0SCtJQ3B2OTNRWmI3OU1vckRzMVpDclV5Q29YMytuNitRUWlhQXVhb3FxUEpkdUc1NFZPTVJ2MkRZUVRLZVM1RFVqR3lkdWk5SGRLSmxTZTRuV1VUaXQ0TFpsbEQyelZzMmU5U2trZVhQbmJ1NHRPdVpEdG9EQm0yMG5UcU8wRytucW5GM0NCaGRsQWNyRnNRMmNjN1hLR3M2eUlQWXV6b3ZYSE01V1dMdWU2d0IvaDI5YmFZZ3ZwNmVSbGVkVy9adWhiUVNsNFNOSFVVQVNNR2ZRQmVjelFWenhaeFQ1dGhiMlJnPT0tLWpBbDNOcjg4MHZncmRCSkVrZUd0R1E9PQ%3D%3D--cae10cc899a0a04c2d9a48fd366ef013014f182d; path=/; secure; HttpOnly; SameSite=Lax
          set-cookie: _radiopaedia_session=VFo1RWVtOTB5OVRtVjg1RlRNSmVlYmRHMldwdFRNWGlNNDV1eEE3V0NXV08vM2pEdW5hUUtTeUw3WmFRVXMxaUpENXllTGp3SGw5cm5QbWpFNlBmWElqcXZSK29rZmhaR0lJRlFFQVkyUGplelovOFA0SCtJQ3B2OTNRWmI3OU1vckRzMVpDclV5Q29YMytuNitRUWlhQXVhb3FxUEpkdUc1NFZPTVJ2MkRZUVRLZVM1RFVqR3lkdWk5SGRLSmxTZTRuV1VUaXQ0TFpsbEQyelZzMmU5U2trZVhQbmJ1NHRPdVpEdG9EQm0yMG5UcU8wRytucW5GM0NCaGRsQWNyRnNRMmNjN1hLR3M2eUlQWXV6b3ZYSE01V1dMdWU2d0IvaDI5YmFZZ3ZwNmVSbGVkVy9adWhiUVNsNFNOSFVVQVNNR2ZRQmVjelFWenhaeFQ1dGhiMlJnPT0tLWpBbDNOcjg4MHZncmRCSkVrZUd0R1E9PQ%3D%3D--cae10cc899a0a04c2d9a48fd366ef013014f182d; path=/; secure; HttpOnly; SameSite=Lax
          < x-request-id: 7f78f573-23ad-4123-8caf-11f2af75e4e7
          x-request-id: 7f78f573-23ad-4123-8caf-11f2af75e4e7
          < x-runtime: 0.379540
          x-runtime: 0.379540
          < x-server-hostname-ssl: ip-10-10-4-150
          x-server-hostname-ssl: ip-10-10-4-150
          < x-server-hostname: ip-10-10-4-150
          x-server-hostname: ip-10-10-4-150
          < cf-cache-status: DYNAMIC
          cf-cache-status: DYNAMIC
          < expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
          expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
          < report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=VTmmQB1piq9gxsnQTyAbxiuKaGbe%2Ff4WawDIO70CsHntMwil5ySdoDiAHfE0zV3yetJz5wn%2BPrP2syjgXhX3PBQ%2Bi1OF7Mf2iYPEGVJ%2FkfdmGXlZGPUIAermD7xwxUbtGg%3D%3D"}],"group":"cf-nel","max_age":604800}
          report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=VTmmQB1piq9gxsnQTyAbxiuKaGbe%2Ff4WawDIO70CsHntMwil5ySdoDiAHfE0zV3yetJz5wn%2BPrP2syjgXhX3PBQ%2Bi1OF7Mf2iYPEGVJ%2FkfdmGXlZGPUIAermD7xwxUbtGg%3D%3D"}],"group":"cf-nel","max_age":604800}
          < nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
          nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
          < server: cloudflare
          server: cloudflare
          < cf-ray: 6f88cce05cf33d60-HKG
          cf-ray: 6f88cce05cf33d60-HKG
          < alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

        <

        • Connection #0 to host radiopaedia.org left intact
          NOT OK Response ===========
          [2.5.2-RELEASE][whoami@oo.ooo.oooo]/usr/local/etc/squid: curl https://radiopaedia.org/ -vkI
        • Trying 104.26.9.61:443...
        • Connected to radiopaedia.org (104.26.9.61) port 443 (#0)
        • ALPN, offering h2
        • ALPN, offering http/1.1
        • successfully set certificate verify locations:
        • CAfile: /usr/local/share/certs/ca-root-nss.crt
        • CApath: none
        • TLSv1.3 (OUT), TLS handshake, Client hello (1):
        • OpenSSL SSL_connect: Connection reset by peer in connection to radiopaedia.org:443
        • Closing connection 0
          curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to radiopaedia.org:443
        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          What states do you see when you run those tests? I'm not sure why Squid would be involved at all.

          The curl responses make it look like the remote side is just doing something different. Like maybe it has load-balanced servers and they are not identical. Do you see this on other sites?

          Steve

          joeschmoeJ 1 Reply Last reply Reply Quote 0
          • joeschmoeJ
            joeschmoe @stephenw10
            last edited by

            @stephenw10 same behaviuor on some sites as well.

            [2.5.2-RELEASE][whoami@oo.ooo.oooo]/etc/ssl/certs: curl https://globemybusiness.zendesk.com -kvl
            *   Trying 104.16.51.111:443...
            * Connected to globemybusiness.zendesk.com (104.16.51.111) port 443 (#0)
            * ALPN, offering h2
            * ALPN, offering http/1.1
            * successfully set certificate verify locations:
            *  CAfile: /usr/local/share/certs/ca-root-nss.crt
            *  CApath: none
            * TLSv1.3 (OUT), TLS handshake, Client hello (1):
            * OpenSSL SSL_connect: Connection reset by peer in connection to globemybusiness.zendesk.com:443
            * Closing connection 0
            curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to globemybusiness.zendesk.com:443
            [2.5.2-RELEASE][whoami@oo.ooo.oooo]/etc/ssl/certs:
            
            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Looks like some things may have been missing from that post.

              But same question; what states do you see when you run these tests?

              @joeschmoe said in TLS pr_end_of_file_error (non proxy related):

              pr_end_of_file_error message in squid appears

              Where are you actually seeing that? In the Squid logs?

              Connections from the pfSense CLI should not go via Squid. If they are being redirected somehow that would show in the states created.

              Do you still see this issue if you disable Squid?

              Steve

              1 Reply Last reply Reply Quote 1
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.