Netgate Discussion Forum

Squid problem after upgrade to 2.7.1

Cache/Proxy
  • saleg, last edited Nov 24, 2023, 3:13 PM

    Good afternoon all,

    After upgrading to 2.7.1 the squid service does not start. Below is the error from the squid -z command line. Can you help me please? I tried restarting the service and uninstalling and reinstalling the package, but nothing fixes it. It refers to SSL and TLS options, but I do not understand where I eventually have to modify the options.

    Shell Output - squid -z
    2023/11/24 15:58:32| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
    2023/11/24 15:58:32| WARNING: UPGRADE: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.
    2023/11/24 15:58:32| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
    OpenSSL-saved error #1: 0x1e08010c
    2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
    2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE
    2023/11/24 15:58:32| Starting Authentication on port 127.0.0.1:3128
    2023/11/24 15:58:32| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
    2023/11/24 15:58:32| WARNING: UPGRADE: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.
    2023/11/24 15:58:32| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
    OpenSSL-saved error #1: 0x1e08010c
    2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
    2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE
    2023/11/24 15:58:32| Starting Authentication on port 127.0.0.1:3129
    2023/11/24 15:58:32| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
    2023/11/24 15:58:32| WARNING: UPGRADE: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in https_port. Use 'tls-cafile=' instead.
    2023/11/24 15:58:32| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
    OpenSSL-saved error #1: 0x1e08010c
    2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
    2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE
    2023/11/24 15:58:32| ERROR: Directive 'dns_v4_first' is obsolete.
    2023/11/24 15:58:32| dns_v4_first : Remove this line. Squid no longer supports preferential treatment of DNS A records.
    2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
    2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE
    2023/11/24 15:58:32| ERROR: configuration failure: POSIX regcomp(3) failure: (13) repetition-operator operand invalid
    regular expression: .google.com/
    exception location: RegexPattern.cc(30) RegexPattern
    2023/11/24 15:58:32| Not currently OK to rewrite swap log.
    2023/11/24 15:58:32| storeDirWriteCleanLogs: Operation aborted.
    2023/11/24 15:58:32| FATAL: Bungled /usr/local/etc/squid/squid.conf line 97: acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
    2023/11/24 15:58:32| Squid Cache (Version 6.3): Terminated abnormally.
    CPU Usage: 0.016 seconds = 0.016 user + 0.000 sys
    Maximum Resident Size: 69296 KB
    Page faults with physical i/o: 0

    • wynn1212, Dec 6, 2023, 10:02 AM (last edited Dec 6, 2023, 10:13 AM)

      I also found this problem after upgrading to 2.7.1.
      It turns out that regular expression handling changed after the squid package updates.

      As you can see in this error log:

      2023/11/24 15:58:32| ERROR: configuration failure: POSIX regcomp(3) failure: (13) repetition-operator operand invalid
      regular expression: .google.com/
      exception location: RegexPattern.cc(30) RegexPattern
      2023/11/24 15:58:32| Not currently OK to rewrite swap log.
      2023/11/24 15:58:32| storeDirWriteCleanLogs: Operation aborted.
      2023/11/24 15:58:32| FATAL: Bungled /usr/local/etc/squid/squid.conf line 97: acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
      2023/11/24 15:58:32| Squid Cache (Version 6.3): Terminated abnormally.
      

      It turns out that .google.com/ in ACL Whitelist is no longer a valid regular expression.
      It should be changed to \.google.com/ (I'm not sure if my regex is correct, but it's enough for squid to continue functioning).

      EDIT: Oops, looks like your problem was in ACL Whitelist. For me, it was Custom refresh_patterns.

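An added example, not code from the thread or from the pfSense squid package: a small C checker that compiles each entry of an ACL list with POSIX regcomp(3) in extended, case-insensitive mode, the same way Squid compiles its regex ACLs, so the offending line can be found before restarting Squid (its FATAL message only names the squid.conf line that references the file). It also carries an `escape_dots` helper that applies wynn1212's fix, because an unescaped `.` is a wildcard and a whitelist entry like `.google.com` would also admit hosts such as `xgoogle.com`. The sample entries in the test are constructed; a leading `*` is one input that yields the REG_BADRPT code (13) seen in the log.

```c
#include <regex.h>
#include <string.h>

/* Compile one entry the way Squid does for regex ACLs: POSIX extended syntax,
 * case-insensitive for "-i". Returns 0 if accepted, else the regcomp(3) error
 * code (REG_BADRPT is 13 on FreeBSD and glibc: the "(13)" in the log above). */
int check_acl_entry(const char *pattern)
{
    regex_t re;
    int rc = regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB);
    if (rc == 0) regfree(&re);
    return rc;
}

/* 1-based number of the first line of an ACL file that fails to compile, or 0
 * if every entry is valid. Blank lines and '#' comments are skipped. */
int first_bad_line(const char *contents)
{
    char line[256];
    int lineno = 0;
    while (*contents) {
        size_t len = strcspn(contents, "\n");
        lineno++;
        if (len >= sizeof line)
            return lineno;                 /* far too long for a domain regex */
        memcpy(line, contents, len);
        line[len] = '\0';
        if (line[0] && line[0] != '#' && check_acl_entry(line) != 0)
            return lineno;
        contents += len + (contents[len] == '\n');
    }
    return 0;
}

/* Escape every unescaped '.' so it matches a literal dot; existing "\x"
 * escapes are kept. Returns 0 on success, -1 if 'out' is too small. */
int escape_dots(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i]; i++) {
        int pair = (in[i] == '.' || (in[i] == '\\' && in[i + 1]));
        if (o + pair + 1 >= outlen)
            return -1;
        if (pair) out[o++] = '\\';
        if (in[i] == '\\' && in[i + 1])    /* copy the escaped char as-is */
            i++;
        out[o++] = in[i];
    }
    out[o] = '\0';
    return 0;
}
```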
      • saleg @wynn1212, last edited Dec 6, 2023, 5:25 PM

        @wynn1212

        No way wynn1212. Squid has been deprecated for security reasons. Too many uncorrected vulnerabilities are present. For this reason this package will be deprecated and not included in the next release. RIP Squid in pfSense.

        • yyovchev, last edited Dec 13, 2023, 8:58 AM

          Hello everyone. When squid proxy is removed from pfSense in the new version, what is the alternative? I use squid as an outbound proxy with multiple IPs.

          • Michele Trotta, last edited Jan 5, 2024, 1:14 PM

            Hi everyone,

            I have the same problem, has anyone managed to solve the problem?

            Thanks again

            Michele

            • JonathanLee, last edited Jul 4, 2024, 10:22 PM

              @saleg said in Squid problem after upgrade to 2.7.1:

              2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
              2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE

              How did you fix

              2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_DH_USE
              2023/11/24 15:58:32| ERROR: Unsupported TLS option SINGLE_ECDH_USE?

              Make sure to upvote

              • Michele Trotta @JonathanLee, last edited Jul 5, 2024, 1:04 PM

                @JonathanLee said in Squid problem after upgrade to 2.7.1:

                How did you fix

                Hi, I couldn't solve it.

                I'm looking for an alternative solution, but I can't find anything at the moment.

                Greetings

                Michele

                • wynn1212 @JonathanLee, last edited Jul 5, 2024, 1:16 PM

                  @JonathanLee If I remember correctly, those 2 errors are not FATAL and should not prevent squid from starting, unless you really need this feature.
                  If squid failed to start, please check the FATAL message instead of the ERROR messages.

                  • JonathanLee, last edited Jul 5, 2024, 5:21 PM

                    Does anyone know how to activate the TLS 1.3 ciphers? This might fix some issues...
                    Per lists.squid-cache.org:

                    Ref:
                    https://openssl.org/blog/blog/2017/05/04/tlsv1.3/
                    https://lists.squid-cache.org/pipermail/squid-users/2018-February/017640.html

                    And CVE-2016-0701

                    "Yes. Due to CVE-2016-0701 the SSL_OP_SINGLE_DH_USE option was deprecated"

                    It is deprecated and the new pfSense package still shows it as a default option; however, how does one append

                    Make sure to upvote

                    • liberatti, last edited Nov 6, 2024, 8:49 PM

                      Try to modify /usr/local/pkg/squid.inc
                      from

                      $sslproxy_options .= ",SINGLE_DH_USE,SINGLE_ECDH_USE";

                      to

                      //$sslproxy_options .= ",SINGLE_DH_USE,SINGLE_ECDH_USE";

                      Check the configuration with the command

                      squid -k parse

                      tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

                      • edelvandro @liberatti, last edited Jan 15, 2025, 8:41 PM

                        @liberatti This works for me!!
                        Lines 1250 and 1254

                        • JonathanLee, Jan 18, 2025, 8:05 AM (last edited Jan 18, 2025, 8:07 AM)

                          https://github.com/pfsense/FreeBSD-ports/commit/476a7d0e3dca704b236839970f1d215912184f73

                          This is a known issue. I had a merge for a previous version when you could disable the older TLS; however, this directive is no longer on the latest version of squid. This directive is no longer part of the latest squid package.

                          Make sure to upvote
