Squid error "FATAL: Unknown http_port option 'NO_TLSv1"
-
Hi, have this error message,
Squid use in transparent mode with SSL Man In the Middle Filtering:2024/11/16 13:41:51| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2024/11/16 13:41:51| Processing: http_port 192.168.10.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1,NO_TLSv1
2024/11/16 13:41:51| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
OpenSSL-saved error #1: 0x1e08010c
2024/11/16 13:41:51| FATAL: Unknown http_port option 'NO_TLSv1,'.
2024/11/16 13:41:51| Not currently OK to rewrite swap log.
2024/11/16 13:41:51| storeDirWriteCleanLogs: Operation aborted.
2024/11/16 13:41:51| FATAL: Bungled /usr/local/etc/squid/squid.conf line 4: http_port 192.168.10.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1,NO_TLSv1
2024/11/16 13:41:51| Squid Cache (Version 6.10): Terminated abnormally.
CPU Usage: 0.008 seconds = 0.004 user + 0.004 sys
Maximum Resident Size: 70176 KB
Page faults with physical i/o: 0
What to do?
Is it does not belong to this bug?
https://redmine.pfsense.org/issues/15614 -
@Antibiotic said in Squid error "FATAL: Unknown http_port option 'NO_TLSv1":
options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1,NO_TLSv1
Is it normal duplicates twice?
/usr/local/pkg/squid.inc:
line 1233 and below$sslproxy_options = "NO_SSLv3, NO_TLSv1, NO_TLSv1_1";
/* XXX: Bug #4453, Bug #6592, Feature #6593, Bug #6563
* http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Modern_DH.2FEDH_ciphers_usage
*/
if (empty($settings['sslproxy_compatibility_mode']) || ($settings['sslproxy_compatibility_mode'] == 'modern')) {
// Modern cipher suites
$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS";
} else {
$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
$sslproxy_options . = ",NO_TLSv1"; -
@Antibiotic said in Squid error "FATAL: Unknown http_port option 'NO_TLSv1":
$sslproxy_options . = ",NO_TLSv1";
Is it correct write?
-
If you want to use tls v1 just enter that line in custom area and remove the no from it. It will enable it. But that version is somewhat outdated now. The newer versions are recommend to be used.
-
Ref:
http://www.squid-cache.org/Doc/config/sslproxy_options/
