[squid-users] Howto set SSL_OP_IGNORE_UNEXPECTED_EOF in squid.conf for outgoing tls session with enabled ssl_bump

Alex Rousskov rousskov at measurement-factory.com
Sat Nov 1 20:57:22 UTC 2025


On 2025-10-31 11:38, Dieter Bloms wrote:
> Hello Alex,
> 
> thank you for your answer,
> yes, with:
> 
> tls_outgoing_options options=0x80
> 
> squid doesn't complain about this parameter anymore and is running, but I think it is not taken into account.
> 
> I still get the errorpage "ERR_READ_ERROR" when I try to reach https://www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do with enabled bumping.

> ... for me it looks like squid doesn't set the ssl option

... or Squid sets the option, but setting it has no effect due to other 
problems (e.g., Squid does not use the SSL context for which the option 
was set). We probably solved the initial "How to set" problem, but more 
triage is needed to figure out why that site does not work for you.

Personally, I am overloaded with other Squid volunteering work and 
dealing with other Squid Project-created overheads, so I cannot promise 
to look into this right now, unfortunately.

Alex.


> With the openssl command it makes a difference (the error message is gone when SSL_OP_IGNORE_UNEXPECTED_EOF is given as option)
> 
> without SSL_OP_IGNORE_UNEXPECTED_EOF you get an error:
> 
> --snip--
> root at trixie:/# echo -e "GET https:////www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do HTTP/1.1\r\nHost: www.zeitwertkonten.ruv.de\r\n\r\n" | openssl s_client -quiet -connect www.zeitwertkonten.ruv.de:443 >/dev/null
> Connecting to 91.235.236.137
> depth=3 C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
> verify return:1
> depth=2 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1
> verify return:1
> depth=1 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS OV ICA 2022 - 1
> verify return:1
> depth=0 C=DE, ST=HE, L=Wiesbaden, O=R+V Allgemeine Versicherung AG, CN=www.zeitwertkonten.ruv.de
> verify return:1
> 40876FE3EB7F0000:error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:696:
> root at trixie:/#
> --snip--
> 
> with SSL_OP_IGNORE_UNEXPECTED_EOF the error message is gone:
> 
> --snip--
> root at trixie:/# echo -e "GET https:////www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do HTTP/1.1\r\nHost: www.zeitwertkonten.ruv.de\r\n\r\n" | openssl s_client -ignore_unexpected_eof  -quiet -connect www.zeitwertkonten.ruv.de:443 >/dev/null
> Connecting to 91.235.236.137
> depth=3 C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
> verify return:1
> depth=2 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1
> verify return:1
> depth=1 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS OV ICA 2022 - 1
> verify return:1
> depth=0 C=DE, ST=HE, L=Wiesbaden, O=R+V Allgemeine Versicherung AG, CN=www.zeitwertkonten.ruv.de
> verify return:1
> root at trixie:/#
> --snip--
> 
> so for me it looks like squid doesn't set the ssl option
> 
> 
> On Fri, Oct 31, Alex Rousskov wrote:
> 
>> On 2025-10-31 08:12, Dieter Bloms wrote:
>>
>>> Does anybody know how to set the SSL option SSL_OP_IGNORE_UNEXPECTED_EOF
>>
>> Squid does not recognize that option by name[^1]. Use the option's hex value as
>> a workaround until [^1]. If my math is correct[^2], that option's hex value is
>> 0x80.
>>
>> [^1]: A quality pull request adding by-name support for all known OpenSSL
>> v3.5 options is welcome.
>>
>> [^2]: From OpenSSL include/openssl/ssl.h.in sources:
>> #define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)
>> #define SSL_OP_IGNORE_UNEXPECTED_EOF  SSL_OP_BIT(7)
>>
>>
>> HTH,
>>
>> Alex.
>>
>>> there are some websites like https://www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do
>>> which don't send the close_notify alert on shutdown and squid sends an error page to the browser.
>>> For a workaround I want to set the SSL_OP_IGNORE_UNEXPECTED_EOF option, but it doesn't work.
>>>
>>> I added one of the following lines, but every time squid complains about unknown TLS options.
>>>
>>> tls_outgoing_options options=SSL_OP_IGNORE_UNEXPECTED_EOF
>>> or
>>> tls_outgoing_options options=IGNORE_UNEXPECTED_EOF
>>>
>>> but every time I get an error message like
>>> 2025/10/31 11:56:35 kid1| ERROR: Unknown TLS option SSL_OP_IGNORE_UNEXPECTED_EOF
>>> or
>>> 2025/10/31 12:53:20 kid1| ERROR: Unknown TLS option IGNORE_UNEXPECTED_EOF
>>>
>>> My ssl_bump related configlines look like:
>>>
>>> http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB tls-cert=/secrets/ca.pem tls-dh=/etc/squid/dhparams.pem
>>> sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
>>> sslcrtd_children 32 startup=10 idle=3
>>> tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
>>> tls_outgoing_options options=IGNORE_UNEXPECTED_EOF
>>> ssl_bump peek step1
>>> ssl_bump splice nohttpsscandomain
>>> ssl_bump bump all
>>>
>>> I use squid 7.3 on an up-to-date debian trixie with openssl 3.5.1:
>>>
>>> Here some details of my system:
>>>
>>> ~# cat /etc/os-release
>>> PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
>>> NAME="Debian GNU/Linux"
>>> VERSION_ID="13"
>>> VERSION="13 (trixie)"
>>> VERSION_CODENAME=trixie
>>> DEBIAN_VERSION_FULL=13.1
>>> ID=debian
>>> HOME_URL="https://www.debian.org/"
>>> SUPPORT_URL="https://www.debian.org/support"
>>> BUG_REPORT_URL="https://bugs.debian.org/"
>>>
>>> root at cdxhttpproxyiapdev01-v2465:/etc/squid# squid -v
>>> Squid Cache: Version 7.3
>>> Service Name: squid
>>>
>>> This binary uses OpenSSL 3.5.1 1 Jul 2025. configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' '--with-default-user=squid' '--with-filedescriptors=131072' '--with-logdir=/var/log/squid' '--disable-auto-locale' '--disable-eui' '--disable-carp' '--disable-htcp' '--disable-ident-lookups' '--disable-translation' '--disable-wccp' '--disable-wccpv2' '--disable-arch-native' '--disable-auth-negotiate' '--disable-auth-ntlm' '--enable-async-io=128' '--enable-auth-basic=LDAP,NCSA' '--enable-auth-digest=file,LDAP' '--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' '--enable-inline' '--enable-snmp' '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' '--enable-storeio=ufs,aufs,rock' '--enable-referer-log' '--enable-useragent-log' '--enable-large-cache-files' '--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl' 'CFLAGS=-g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection'
>>>
>>>
>>
> 
