• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Squid error "FATAL: Unknown http_port option 'NO_TLSv1"

Scheduled Pinned Locked Moved Cache/Proxy
13 Posts 6 Posters 2.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    JonathanLee
    last edited by JonathanLee Nov 17, 2024, 6:25 AM Nov 17, 2024, 6:20 AM

    If you want to use tls v1 just enter that line in custom area and remove the no from it. It will enable it. But that version is somewhat outdated now. The newer versions are recommend to be used.

    Make sure to upvote

    1 Reply Last reply Reply Quote 0
    • J
      JonathanLee
      last edited by Nov 17, 2024, 6:30 AM

      Ref:

      http://www.squid-cache.org/Doc/config/sslproxy_options/

      Make sure to upvote

      1 Reply Last reply Reply Quote 0
      • M
        mike123 @Antibiotic
        last edited by Dec 20, 2024, 8:09 PM

        @Antibiotic said in Squid error "FATAL: Unknown http_port option 'NO_TLSv1":

        $sslproxy_options . = ",NO_TLSv1";

        Did you manage to get this working? I just put a new SSD and re-installed and squid is now broken for me - looks like the same error

        1 Reply Last reply Reply Quote 0
        • A
          aniodon
          last edited by Dec 24, 2024, 8:17 AM

          Hello,

          i get the same error after upgrading pfsense / packages to latest.

          Looks like the duplicate tlsv1 is in cause ? i don't see an option in GUI to help

          Squid is stuck broken here

          /pkg_edit.php: The command '/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was 'CPU Usage: 0.008 seconds = 0.000 user + 0.008 sys Maximum Resident Size: 73120 KB Page faults with physical i/o: 0 2024/12/24 09:07:56| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0) 2024/12/24 09:07:56| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048' OpenSSL-saved error #1: 0x1e08010c 2024/12/24 09:07:56| FATAL: Unknown http_port option 'NO_TLSv1,'. 2024/12/24 09:07:56| Not currently OK to rewrite swap log. 2024/12/24 09:07:56| storeDirWriteCleanLogs: Operation aborted. 2024/12/24 09:07:56| FATAL: Bungled /usr/local/etc/squid/squid.conf line 4: http_port 172.21.5.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1,NO_TLSv1 2024/12/24 09:07:56| Squid Cache (Version 6.10): Terminated abnormally.'
          
          A 1 Reply Last reply Dec 24, 2024, 9:19 AM Reply Quote 0
          • A
            aniodon @aniodon
            last edited by Dec 24, 2024, 9:19 AM

            for the record : I too use the Transparent mode with ssl mitm filtering.
            Unchecking https/ssl interception makes squid start again

            A 1 Reply Last reply Dec 24, 2024, 12:41 PM Reply Quote 0
            • A
              aniodon @aniodon
              last edited by aniodon Dec 24, 2024, 12:43 PM Dec 24, 2024, 12:41 PM

              for my case, i had to write a System Patch to make squid work again.

              it is a workaround, lowering the security of squid and is not recommended... use at your own risk
              for what i have tested, it was something in the "options" that do not work now (maybe the tls1)

              Hope someone more skilled will fix this mess...

              here is the patch, tested for pf 24.11 and lightsquid 3.0.7_5 / squid 0.5

              --- a/src/usr/local/pkg/squid.inc	2024-12-24 12:49:02.735299000 +0100
              +++ b/src/usr/local/pkg/squid.inc	2024-12-24 12:59:50.633211000 +0100
              @@ -1229,14 +1229,14 @@
               				$crt_pk = SQUID_CONFBASE . "/serverkey.pem";
               				$crt_capath = SQUID_LOCALBASE . "/share/certs/";
               				$crt_cafile = SQUID_LOCALBASE . "/share/certs/ca-root-nss.crt";
              -				$sslproxy_options = "NO_SSLv3, NO_TLSv1, NO_TLSv1_1";
              +				$sslproxy_options = "";//"NO_SSLv3, NO_TLSv1, NO_TLSv1_1";
               				/* XXX: Bug #4453, Bug #6592, Feature #6593, Bug #6563
               				 * http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Modern_DH.2FEDH_ciphers_usage
               				 */
               				if (empty($settings['sslproxy_compatibility_mode']) || ($settings['sslproxy_compatibility_mode'] == 'modern')) {
               					// Modern cipher suites
               					$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS";
              -					$sslproxy_options .= ",NO_TLSv1";
              +					//$sslproxy_options .= ",NO_TLSv1";
               				} else {
               					$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
               				}
              
              B 1 Reply Last reply 26 days ago Reply Quote 1
              • A aniodon referenced this topic on Dec 28, 2024, 11:00 AM
              • S
                sisko212
                last edited by Jan 13, 2025, 7:11 AM

                @aniodon
                Thanks, you patch has worked also on my case.
                I think the security should not an issue... theoretically removing the options line, squid should use the default

                1 Reply Last reply Reply Quote 0
                • J
                  JonathanLee
                  last edited by JonathanLee Jan 18, 2025, 8:08 AM Jan 18, 2025, 8:08 AM

                  https://github.com/pfsense/FreeBSD-ports/commit/476a7d0e3dca704b236839970f1d215912184f73

                  This is a known issue I had a merge for a previous version when you could disable the older tls however this directive is no longer on the latest version of squid. This directive is no longer part of the latest squid package

                  Make sure to upvote

                  A 1 Reply Last reply Jan 19, 2025, 12:02 PM Reply Quote 0
                  • A
                    aniodon @JonathanLee
                    last edited by Jan 19, 2025, 12:02 PM

                    @JonathanLee Thanks ! I'll check this asap. Have a Nice day

                    1 Reply Last reply Reply Quote 1
                    • B
                      b3rt @aniodon
                      last edited by 26 days ago

                      @aniodon

                      Apologies for the necro posting.

                      How would you apply such a patch ?

                      https://github.com/pfsense/FreeBSD-ports/commit/476a7d0e3dca704b236839970f1d215912184f73

                      I've created a system patch via pfsense GUI with the commit mentioned in this thread, however, it does not apply to my squid config,

                      It seems that it is not recognizing the file to update (?)
                      Here's what I'm getting in the debug log (not having changed default patch settings):

                      /usr/bin/patch --directory='/' -t  --strip '2' -i '/var/patches/682f24bdbc39f.patch' --check --forward --ignore-whitespace
                      
                      Hmm...  Looks like a unified diff to me...
                      The text leading up to this was:
                      --------------------------
                      |From 476a7d0e3dca704b236839970f1d215912184f73 Mon Sep 17 00:00:00 2001
                      |From: Marcos Mendoza <mmendoza@netgate.com>
                      |Date: Tue, 26 Nov 2024 18:36:53 -0600
                      |Subject: [PATCH] www/pfSense-pkg-squid: remove duplicate option
                      |
                      |---
                      | www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc | 1 -
                      | 1 file changed, 1 deletion(-)
                      |
                      |diff --git a/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc b/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc
                      |index 719cda2fb3cf..129b8b05335c 100644
                      |--- a/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc
                      |+++ b/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc
                      --------------------------
                      No file to patch.  Skipping...
                      Hunk #1 ignored at 1236.
                      1 out of 1 hunks ignored while patching pfSense-pkg-squid/files/usr/local/pkg/squid.inc
                      done
                      
                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                        This community forum collects and processes your personal information.
                        consent.not_received