[squid-users] Squid Error SQUID_TLS_ERR_ACCEPT -- Transparent proxy

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 9 04:03:40 UTC 2025


On 16/09/2025 08:32, Usama Mehboob wrote:
> My squid version is 6 and running on amazon linux 2023.
> 
> root at ip-172-24-9-245:/var/log/squid# squid --version
> Squid Cache: Version 6.13
> Service Name: squid
> 
> This binary uses OpenSSL 3.2.2 4 Jun 2024. configure options:  '-- 
...>
> I am seeing this error in my cache-log
> =============================
> ```
> 2025/09/14 09:46:34 kid1| ERROR: failure while accepting a TLS connection on conn122766 local=3.225.139.255:443 remote=172.25.239.18:59114 FD 11 flags=33: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
>      current master transaction: master73677
> ```

OpenSSL library error code A000418 means "unknown CA".


When receiving a certificate chain, Squid found that one of the CAs was both 
unknown and did not provide details on where to fetch it.


Things you can do:

* Ensure that your machine's "ca-certificates" are up to date.

* Fix the 'mode' issue below with squid.conf.

  (I believe this is highly likely to be your problem).


* Try an upgrade to a currently supported Squid (v7 these days).

* Use "debug_options 11,2 ALL,1" to see what transactions are being 
processed.
   - Then the "local=.. remote=.. FD .." on these errors should match 
(exactly) a CONNECT message earlier in the log, telling you what 
HTTPS server the client was trying to connect to.
   - Use that information to further track down which certificate details 
are going bad: the ones from the client (peek step1) or from the server (peek step2).


> 
> My squid.conf file is this
> ====================
> visible_hostname squid

FYI, the above should be an FQDN and resolvable in what your clients see 
as the "public" DNS system.



> 
> http_port 3128
> http_port 3129 intercept
> https_port 3130 cert=/path/to/squid.pem ssl-bump intercept

Mode ("intercept ssl-bump") goes first. This is to ensure that Squid 
loads the correct certificate type(s) etc.


  https_port 3130 intercept ssl-bump cert=/path/to/squid.pem


If the above change makes Squid produce certificate validation errors 
about the CA, that may have been the problem. It needs fixing.



> http_access allow SSL_ports

Congratulations, you now have an "open proxy" free use for the entire world.

I recommend removing this line. The rules you have later restricting 
access to "localnet" are sufficient to allow LAN clients the access they 
need.



> 
> acl instance_metadata dst 169.254.169.254
> http_access deny instance_metadata
> 

The above is unnecessary when the proxy is limited to "localnet" or 
"localhost" use. You should be able to remove these once you stop doing 
the "allow SSL_ports".



> acl allowed_https_sites ssl::server_name .domain1.com .domain2.com .domain3.com
> 
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1 all
> ssl_bump peek step2 allowed_https_sites
> ssl_bump splice step3 allowed_https_sites
> ssl_bump terminate step2 all


Okay. FYI, the default step #3 action after "peek step2" should be 
splice, which means any traffic reaching step #3 will splice. 
You can clarify a bit by rewriting it as follows, which is the same thing:

  # Step 1
  ssl_bump peek step1

  # Step 2
  ssl_bump peek allowed_https_sites
  ssl_bump terminate step2

  # Step 3
  ssl_bump splice step3



> 
> server_idle_pconn_timeout 60 minute
> connect_timeout 60 minute
> read_timeout 60 minute
> write_timeout 60 minute
> request_timeout 60 minute

You might want to add request_start_timeout to that set of extended 
timeouts.  No use allowing 60 minutes for the first read() of TLS bytes, 
if Squid is going to abort after 5 minutes of not seeing any HTTP request.



> 
> logformat fqdn_log %tg:UTC %6tr client:%>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<A %mt %ssl::>sni
> access_log /var/log/squid/access.log fqdn_log
> 
> logfile_rotate 10
> debug_options ALL,1, rotate=1
> 
> 
> Can somebody please recommend some changes to try out? Also, it drops 
> the connection sometimes when trying to connect to the Salesforce BulkAPI, and 
> upon contacting Salesforce, their team mentioned that it happens if the 
> client (Squid) closes the connection before the Salesforce server. Will 
> appreciate the help. Thanks.


Yeah, it seems their service is a bit fragile. Not sure what is going 
bad there. Their service MUST cope with arbitrary closures, but Squid 
should not be closing a transaction too early.


Maybe an upgrade to v7 will help with that (better code, more things 
fixed, etc), but no guarantees.


HTH
Amos
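An added helper for the log-correlation step Amos describes above (example code, not from the thread and not part of Squid): it unpacks the TLS_LIB_ERR hex into OpenSSL library and reason parts (A000418 is libssl reason 1048, the TLS unknown_ca alert) and pairs each SQUID_TLS_ERR line with the latest earlier CONNECT line sharing the same local/remote/FD triple. The sample log lines are constructed, and the exact shape of the debug-level CONNECT line is an assumption.

```python
import re

# TLS alert numbers (RFC 5246 / RFC 8446). OpenSSL reports a received alert
# as libssl reason code 1000 + alert number (SSL_AD_REASON_OFFSET).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name", 116: "certificate_required",
}
ERR_LIB_SSL = 20  # OpenSSL library number for libssl
CONN_RE = re.compile(r"local=(\S+) remote=(\S+) FD (\d+)")
TLS_ERR_RE = re.compile(r"SQUID_TLS_ERR_(\w+)\+TLS_LIB_ERR=([0-9A-Fa-f]+)")

def decode_openssl_code(hexcode):
    """Unpack an OpenSSL 3 error code: library number in the top bits, reason below."""
    code = int(hexcode, 16)
    lib = code >> 23            # ERR_LIB_OFFSET
    reason = code & 0x7FFFFF    # ERR_REASON_MASK
    alert = reason - 1000 if lib == ERR_LIB_SSL and reason >= 1000 else None
    name = TLS_ALERTS.get(alert, "unlisted_alert") if alert is not None else None
    return {"lib": lib, "reason": reason, "alert": alert, "alert_name": name}

def correlate(log_lines):
    """Attach each SQUID_TLS_ERR line to the latest earlier CONNECT line with the
    same local/remote/FD triple (FDs are reused, so only the most recent one counts)."""
    last_connect, hits = {}, []
    for line in log_lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        key = m.groups()
        if "CONNECT" in line:
            last_connect[key] = line
        err = TLS_ERR_RE.search(line)
        if err:
            hits.append({"stage": err.group(1), "key": key,
                         "openssl": decode_openssl_code(err.group(2)),
                         "connect": last_connect.get(key)})
    return hits

# Constructed sample shaped after the error in the thread; not real cache.log output.
SAMPLE_LOG = [
    "2025/09/14 09:46:30 kid1| conn122766 local=3.225.139.255:443 remote=172.25.239.18:59114 FD 11 flags=33: CONNECT api.example.test:443 HTTP/1.1",
    "2025/09/14 09:46:34 kid1| ERROR: failure while accepting a TLS connection on conn122766 local=3.225.139.255:443 remote=172.25.239.18:59114 FD 11 flags=33: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1",
]
```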


