Pfsense SQUID 6.10 BUG NO_TLSv1

apachano

All Squid configurations have been reviewed via SSH, and this "NO_TLSv1" error persists. We are certain this is a bug in this version.

Is anyone else experiencing this issue?

We are using a Netgate 8200 device.

Regards

Here the LOG.

Mar 12 16:08:16 php-fpm 76668 /pkg_edit.php: The command '/usr/local/sbin/squid -z -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was '2025/03/12 16:08:16| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0) 2025/03/12 16:08:16| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048' OpenSSL-saved error #1: 0x1e08010c 2025/03/12 16:08:16| FATAL: Unknown http_port option 'NO_TLSv1,'. 2025/03/12 16:08:16| Not currently OK to rewrite swap log. 2025/03/12 16:08:16| storeDirWriteCleanLogs: Operation aborted. 2025/03/12 16:08:16| FATAL: Bungled /usr/local/etc/squid/squid.conf line 4: http_port 192.168.0.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1,NO_TLSv1 2025/03/12 16:08:16| Squid Cache (Version 6.10): Terminated abnormally. CPU Usage: 0.016 seconds = 0.000 user + 0.016 sys Maximum Resident Size: 62800 KB Page faults with physical i/o: 0'

stephenw10

Hmm, this was detailed in another thread. IIRC correctly it was something trivial like the missing space: options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1,NO_TLSv1

Let me see....

stephenw10

Ah, in fact the addition of the space: https://forum.netgate.com/post/1204959

See if that allows it to start.

stephenw10

Yeah this is fixed in the current version. What pfSense version are you running?

apachano

@stephenw10

Hi.

24.11-RELEASE (amd64)
built on Thu Nov 21 23:34:00 -05 2024
FreeBSD 15.0-CURRENT

On NetGate 8200 pfsense Plus

stephenw10

Oh I see, still broken there for some reason hmm.

Applying this patch should fix it:
https://github.com/pfsense/FreeBSD-ports/commit/009dc5f68e0cf1d1a767d1a9119bcbaface44823.diff

It needs path strip set to 4 in the System Patches when you create it. Are you familiar with that?

apachano

@stephenw10

Thanks!!

JonathanLee

@stephenw10 Sorry about that, it is funny to think I fixed the issue only to have Squid developers fix it upstream and void my code so the directive no longer works... I was like O nooooo

stephenw10

The options are still valid; they just can't have spaces between them otherwise it tries to interpret them is new switches.