On 3/12/2011 4:44 a.m., Sean Boran wrote:
> With squid running sslbump in routing mode, and used by a handful of
> users, squid is crashing regularly, linked to visiting SSL sites.
>
> Logs
> --
> 2011/11/29 11:39:36| clientNegotiateSSL: Error negotiating SSL connection on FD
> 45: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
Something in your OpenSSL library is incompatible with the SSL or TLS
version being used by one of the certificates.
Given your helper problems I would not put it past being a corrupted
local certificate file in the helper's database.
> 2011/11/29 11:39:43| WARNING: ssl_crtd #2 (FD 11) exited
> 2011/11/29 11:39:43| Too few ssl_crtd processes are running (need 1/50)
> 2011/11/29 11:39:43| Starting new helpers
> 2011/11/29 11:39:43| helperOpenServers: Starting 1/50 'ssl_crtd' processes
> 2011/11/29 11:39:43| client_side.cc(3462) sslCrtdHandleReply: "ssl_crtd" helper
> return<NULL> reply
Major problem. Why is the helper dying on startup?
> 2011/11/29 11:39:44| WARNING: ssl_crtd #1 (FD 9) exited
> 2011/11/29 11:39:44| Too few ssl_crtd processes are running (need 1/50)
> 2011/11/29 11:39:44| storeDirWriteCleanLogs: Starting...
> 2011/11/29 11:39:44| Finished. Wrote 0 entries.
> 2011/11/29 11:39:44| Took 0.00 seconds ( 0.00 entries/sec).
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
> --
>
> So ssl_crtd is dying which is one issue, but it's also killing squid which is
> even worse.
As designed. These helpers dying is not as trivial as you seem to think.
It is happening immediately on starting the helper. Ignoring the crash
abort in Squid only works if the helpers get some work done between
dying. Ignoring startup crashes will lead to the machine CPU(s) being
overloaded.
Amos
Received on Fri Dec 02 2011 - 16:48:35 MST
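
Added example, not part of the original message and not Squid project code: a small cache.log triage that separates helpers dying right after startup (the case the reply above calls a major problem) from other helper exits. The function name, the 5-second window and the heuristic itself are assumptions of this example; the sample input is taken from the log quoted in the thread.

```python
import re
from datetime import datetime

# Helper-related lines from the log quoted in this thread, wrapped entries rejoined.
SAMPLE_LOG = """\
2011/11/29 11:39:36| clientNegotiateSSL: Error negotiating SSL connection on FD 45: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
2011/11/29 11:39:43| WARNING: ssl_crtd #2 (FD 11) exited
2011/11/29 11:39:43| helperOpenServers: Starting 1/50 'ssl_crtd' processes
2011/11/29 11:39:43| client_side.cc(3462) sslCrtdHandleReply: "ssl_crtd" helper return<NULL> reply
2011/11/29 11:39:44| WARNING: ssl_crtd #1 (FD 9) exited
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
"""

STAMPED = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| (.*)$")
STARTED = re.compile(r"helperOpenServers: Starting \d+/\d+ '([^']+)' processes")
EXITED = re.compile(r"WARNING: (\S+) #(\d+) \(FD \d+\) exited")
NULL_REPLY = re.compile(r'"([^"]+)" helper return\s*<NULL> reply')
FATAL = re.compile(r"^FATAL: The (\S+) helpers are crashing too rapidly")

def triage(text, startup_window=5):
    """Per-helper summary. Assumed heuristic: an exit within startup_window
    seconds of that helper's latest start counts as a crash on startup."""
    last_start, report = {}, {}
    def entry(name):
        return report.setdefault(name, {"exits": 0, "startup_crashes": 0,
                                        "null_replies": 0, "fatal": False})
    for line in text.splitlines():
        if (f := FATAL.match(line)):
            entry(f.group(1))["fatal"] = True  # FATAL lines carry no timestamp
            continue
        m = STAMPED.match(line)
        if not m:
            continue  # separators and unrecognised lines
        when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        if (s := STARTED.search(msg)):
            last_start[s.group(1)] = when
        elif (e := EXITED.search(msg)):
            rec = entry(e.group(1))
            rec["exits"] += 1
            started = last_start.get(e.group(1))
            if started and (when - started).total_seconds() <= startup_window:
                rec["startup_crashes"] += 1
        elif (n := NULL_REPLY.search(msg)):
            entry(n.group(1))["null_replies"] += 1
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-zero startup_crashes count together with fatal set is the pattern discussed above: the helper never gets far enough to do work, so the fault lies in its own environment rather than in a particular client connection.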