Netgate Discussion Forum

Squid error "FATAL: Unknown http_port option 'NO_TLSv1"

    Antibiotic
    last edited by Antibiotic Nov 16, 2024, 3:01 PM Nov 16, 2024, 11:42 AM

    Hi, I have this error message. Squid is used in transparent mode with SSL Man-in-the-Middle filtering:

    2024/11/16 13:41:51| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
    2024/11/16 13:41:51| Processing: http_port 192.168.10.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1,NO_TLSv1
    2024/11/16 13:41:51| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
    OpenSSL-saved error #1: 0x1e08010c
    2024/11/16 13:41:51| FATAL: Unknown http_port option 'NO_TLSv1,'.
    2024/11/16 13:41:51| Not currently OK to rewrite swap log.
    2024/11/16 13:41:51| storeDirWriteCleanLogs: Operation aborted.
    2024/11/16 13:41:51| FATAL: Bungled /usr/local/etc/squid/squid.conf line 4: http_port 192.168.10.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1,NO_TLSv1
    2024/11/16 13:41:51| Squid Cache (Version 6.10): Terminated abnormally.
    CPU Usage: 0.008 seconds = 0.004 user + 0.004 sys
    Maximum Resident Size: 70176 KB
    Page faults with physical i/o: 0


    What to do?

    Does it belong to this bug?
    https://redmine.pfsense.org/issues/15614

    pfSense plus 24.11 on Topton mini PC
    CPU: Intel N100
    NIC: Intel i-226v 4 pcs
    RAM : 16 GB DDR5
    Disk: 128 GB NVMe
    Brgds, Archi

      Antibiotic @Antibiotic
      last edited by Antibiotic Nov 16, 2024, 3:27 PM Nov 16, 2024, 3:05 PM

      @Antibiotic said in Squid error "FATAL: Unknown http_port option 'NO_TLSv1":

      options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1,NO_TLSv1

      Is it normal that it is duplicated?

      /usr/local/pkg/squid.inc:
      line 1233 and below

      $sslproxy_options = "NO_SSLv3, NO_TLSv1, NO_TLSv1_1";
      /* XXX: Bug #4453, Bug #6592, Feature #6593, Bug #6563
       * http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Modern_DH.2FEDH_ciphers_usage
       */
      if (empty($settings['sslproxy_compatibility_mode']) || ($settings['sslproxy_compatibility_mode'] == 'modern')) {
          // Modern cipher suites
          $sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS";
      } else {
          // Compatibility cipher suites; NO_TLSv1 is appended here even though it is already in $sslproxy_options
          $sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
          $sslproxy_options .= ",NO_TLSv1";
      }


        Antibiotic @Antibiotic
        last edited by Nov 16, 2024, 3:27 PM

        @Antibiotic said in Squid error "FATAL: Unknown http_port option 'NO_TLSv1":

        $sslproxy_options . = ",NO_TLSv1";

        Is it written correctly?


          JonathanLee
          last edited by JonathanLee Nov 17, 2024, 6:25 AM Nov 17, 2024, 6:20 AM

          If you want to use TLS v1, just enter that line in the custom area and remove the "no" from it. It will enable it. But that version is somewhat outdated now. The newer versions are recommended.

          Make sure to upvote

            JonathanLee
            last edited by Nov 17, 2024, 6:30 AM

            Ref:

            http://www.squid-cache.org/Doc/config/sslproxy_options/


              mike123 @Antibiotic
              last edited by Dec 20, 2024, 8:09 PM

              @Antibiotic said in Squid error "FATAL: Unknown http_port option 'NO_TLSv1":

              $sslproxy_options . = ",NO_TLSv1";

              Did you manage to get this working? I just put in a new SSD and re-installed, and Squid is now broken for me; it looks like the same error.

                aniodon
                last edited by Dec 24, 2024, 8:17 AM

                Hello,

                I get the same error after upgrading pfSense / packages to the latest.

                Looks like the duplicate TLSv1 is the cause? I don't see an option in the GUI to help.

                Squid is stuck broken here

                /pkg_edit.php: The command '/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was 'CPU Usage: 0.008 seconds = 0.000 user + 0.008 sys Maximum Resident Size: 73120 KB Page faults with physical i/o: 0 2024/12/24 09:07:56| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0) 2024/12/24 09:07:56| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048' OpenSSL-saved error #1: 0x1e08010c 2024/12/24 09:07:56| FATAL: Unknown http_port option 'NO_TLSv1,'. 2024/12/24 09:07:56| Not currently OK to rewrite swap log. 2024/12/24 09:07:56| storeDirWriteCleanLogs: Operation aborted. 2024/12/24 09:07:56| FATAL: Bungled /usr/local/etc/squid/squid.conf line 4: http_port 172.21.5.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1,NO_TLSv1 2024/12/24 09:07:56| Squid Cache (Version 6.10): Terminated abnormally.'
                
                  aniodon @aniodon
                  last edited by Dec 24, 2024, 9:19 AM

                  For the record: I too use the transparent mode with SSL MITM filtering.
                  Unchecking HTTPS/SSL interception makes Squid start again.

                    aniodon @aniodon
                    last edited by aniodon Dec 24, 2024, 12:43 PM Dec 24, 2024, 12:41 PM

                    In my case, I had to write a System Patch to make Squid work again.

                    It is a workaround, lowering the security of Squid, and is not recommended... use at your own risk.
                    From what I have tested, it was something in the "options" that does not work now (maybe the TLS1).

                    Hope someone more skilled will fix this mess...

                    Here is the patch, tested for pf 24.11 and lightsquid 3.0.7_5 / squid 0.5:

                    --- a/src/usr/local/pkg/squid.inc	2024-12-24 12:49:02.735299000 +0100
                    +++ b/src/usr/local/pkg/squid.inc	2024-12-24 12:59:50.633211000 +0100
                    @@ -1229,14 +1229,14 @@
                     				$crt_pk = SQUID_CONFBASE . "/serverkey.pem";
                     				$crt_capath = SQUID_LOCALBASE . "/share/certs/";
                     				$crt_cafile = SQUID_LOCALBASE . "/share/certs/ca-root-nss.crt";
                    -				$sslproxy_options = "NO_SSLv3, NO_TLSv1, NO_TLSv1_1";
                    +				$sslproxy_options = "";//"NO_SSLv3, NO_TLSv1, NO_TLSv1_1";
                     				/* XXX: Bug #4453, Bug #6592, Feature #6593, Bug #6563
                     				 * http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Modern_DH.2FEDH_ciphers_usage
                     				 */
                     				if (empty($settings['sslproxy_compatibility_mode']) || ($settings['sslproxy_compatibility_mode'] == 'modern')) {
                     					// Modern cipher suites
                     					$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS";
                    -					$sslproxy_options .= ",NO_TLSv1";
                    +					//$sslproxy_options .= ",NO_TLSv1";
                     				} else {
                     					$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
                     				}
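Review bot: the first `-`/`+` pair blanks the whole $sslproxy_options string, so the patch drops NO_SSLv3 and NO_TLSv1_1 along with the duplicated NO_TLSv1, although the token Squid rejects in the log above ('NO_TLSv1,' with a trailing comma) points at the spaces after the commas rather than at the option names: http_port reads its options as whitespace-separated tokens, so "NO_SSLv3, NO_TLSv1, NO_TLSv1_1" is cut into three tokens of which only the first still carries the options= prefix. A narrower change keeps the protocol restrictions: write `$sslproxy_options = "NO_SSLv3,NO_TLSv1,NO_TLSv1_1";` and delete the `$sslproxy_options .= ",NO_TLSv1";` line outright (it only appends a duplicate of an option already in the string) rather than commenting both out; the generated file can then be checked with `squid -k parse -f /usr/local/etc/squid/squid.conf` before Squid is restarted.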
                    
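As an added example (not part of this thread, and not pfSense or Squid code), the following Python models why the generated http_port line fails and what a narrower fix than the patch above looks like. It assumes only what the FATAL line in the first post already shows: Squid splits the http_port line on whitespace before it reads each key=value option, so the spaces after the commas in the options= value leave 'NO_TLSv1,' standing as a token of its own. BROKEN_LINE is constructed from the quoted config with the cipher list and DH settings dropped, BARE_FLAGS is a hypothetical subset of the valueless http_port flags, and options= is assumed to be the last key on the line, as it is in the quoted config.

```python
"""Model of the whitespace tokenization that makes Squid reject
'NO_TLSv1,' as an unknown http_port option, plus a normaliser that
produces the value the options= key should have carried.

Added example for this thread; not code from pfSense or Squid.
"""
import re

# Constructed from the http_port line quoted in the first post
# (cipher=, tls-dh= and the CA paths omitted; they contain no whitespace).
BROKEN_LINE = (
    "http_port 192.168.10.1:3128 ssl-bump generate-host-certificates=on "
    "dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem "
    "options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1,NO_TLSv1"
)

# Hypothetical subset of http_port flags that take no value; enough for
# the line above, not a complete list of what Squid accepts.
BARE_FLAGS = {"ssl-bump", "intercept", "tproxy", "accel"}

# An option token Squid can make sense of looks like key=value.
KEY_VALUE = re.compile(r"[A-Za-z0-9_-]+=.+")


def http_port_tokens(line):
    """Split the directive on whitespace: 'http_port', the listen address,
    then every remaining token is treated as one option."""
    parts = line.split()
    if not parts or parts[0] != "http_port":
        raise ValueError("not an http_port line")
    return parts[2:]


def unknown_options(line):
    """Return the tokens a whitespace tokenizer leaves behind that are
    neither a bare flag nor key=value; the first one is what Squid prints
    in its FATAL message."""
    return [t for t in http_port_tokens(line)
            if t not in BARE_FLAGS and not KEY_VALUE.fullmatch(t)]


def normalize_options(value):
    """Strip the whitespace around commas and drop duplicate names while
    keeping their order, so the protocol restrictions survive intact."""
    seen = []
    for item in value.split(","):
        item = item.strip()
        if item and item not in seen:
            seen.append(item)
    return ",".join(seen)


def fix_http_port_line(line):
    """Rebuild the line with a normalised options= value. Assumes options=
    is the last key on the line (as in the quoted config); everything
    before it is passed through unchanged."""
    m = re.search(r"\boptions=(.*)$", line)
    if not m:
        return line
    return line[:m.start()] + "options=" + normalize_options(m.group(1))


if __name__ == "__main__":
    print("rejected tokens:", unknown_options(BROKEN_LINE))
    fixed = fix_http_port_line(BROKEN_LINE)
    print("fixed line:     ", fixed)
    print("rejected after: ", unknown_options(fixed))
```

The first element returned by `unknown_options(BROKEN_LINE)` is exactly the `'NO_TLSv1,'` the log quotes, and the repaired line keeps all three of NO_SSLv3, NO_TLSv1 and NO_TLSv1_1, which is what blanking `$sslproxy_options` throws away.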
                      sisko212
                      last edited by Jan 13, 2025, 7:11 AM

                      @aniodon
                      Thanks, your patch has worked in my case too.
                      I think security should not be an issue... theoretically, removing the options line, Squid should use the default.

                        JonathanLee
                        last edited by JonathanLee Jan 18, 2025, 8:08 AM Jan 18, 2025, 8:08 AM

                        https://github.com/pfsense/FreeBSD-ports/commit/476a7d0e3dca704b236839970f1d215912184f73

                        This is a known issue. I had a merge for a previous version, when you could disable the older TLS; however, this directive is no longer in the latest version of Squid. This directive is no longer part of the latest Squid package.


                          aniodon @JonathanLee
                          last edited by Jan 19, 2025, 12:02 PM

                          @JonathanLee Thanks! I'll check this ASAP. Have a nice day.
