[squid-users] Howto set SSL_OP_IGNORE_UNEXPECTED_EOF in squid.conf for outgoing tls session with enabled ssl_bump

Dieter Bloms squid.org at bloms.de
Fri Oct 31 15:38:56 UTC 2025

Previous message (by thread): [squid-users] Howto set SSL_OP_IGNORE_UNEXPECTED_EOF in squid.conf for outgoing tls session with enabled ssl_bump
Next message (by thread): [squid-users] Howto set SSL_OP_IGNORE_UNEXPECTED_EOF in squid.conf for outgoing tls session with enabled ssl_bump
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello Alex,

thank you for your answer,
yes, with:

tls_outgoing_options options=0x80

squid doesn't complain this parameter anymore and is running, but I think it will not be taken in account.

I still get the errorpage "ERR_READ_ERROR" when I try to reach https://www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do with enabled bumping.

With the openssl command it makes a difference (the error message is gone when SSL_OP_IGNORE_UNEXPECTED_EOF is given as option)

without SSL_OP_IGNORE_UNEXPECTED_EOF you get an error:

--snip--
root at trixie:/# echo -e "GET https:////www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do HTTP/1.1\r\nHost: www.zeitwertkonten.ruv.de\r\n\r\n" | openssl s_client -quiet -connect www.zeitwertkonten.ruv.de:443 >/dev/null
Connecting to 91.235.236.137
depth=3 C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
verify return:1
depth=2 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1
verify return:1
depth=1 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS OV ICA 2022 - 1
verify return:1
depth=0 C=DE, ST=HE, L=Wiesbaden, O=R+V Allgemeine Versicherung AG, CN=www.zeitwertkonten.ruv.de
verify return:1
40876FE3EB7F0000:error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:696:
root at trixie:/# 
--snip--

with SSL_OP_IGNORE_UNEXPECTED_EOF the error message is gone:

--snip--
root at trixie:/# echo -e "GET https:////www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do HTTP/1.1\r\nHost: www.zeitwertkonten.ruv.de\r\n\r\n" | openssl s_client -ignore_unexpected_eof  -quiet -connect www.zeitwertkonten.ruv.de:443 >/dev/null
Connecting to 91.235.236.137
depth=3 C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
verify return:1
depth=2 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1
verify return:1
depth=1 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS OV ICA 2022 - 1
verify return:1
depth=0 C=DE, ST=HE, L=Wiesbaden, O=R+V Allgemeine Versicherung AG, CN=www.zeitwertkonten.ruv.de
verify return:1
root at trixie:/# 
--snip--

so for me it looks like squid doesn't set the ssl option


On Fri, Oct 31, Alex Rousskov wrote:

> On 2025-10-31 08:12, Dieter Bloms wrote:
> 
> > Does anybody know, howto set the SSL Option SSL_OP_IGNORE_UNEXPECTED_EOF
> 
> Squid does not recognize that option by name[^1]. Use option's hex value as
> a workaround until [^1]. If my math is correct[^2], that option hex value is
> 0x80.
> 
> [^1]: A quality pull request adding by-name support for all known OpenSSL
> v3.5 options is welcome.
> 
> [^2]: From OpenSSL include/openssl/ssl.h.in sources:
> #define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)
> #define SSL_OP_IGNORE_UNEXPECTED_EOF  SSL_OP_BIT(7)
> 
> 
> HTH,
> 
> Alex.
> 
> > there are some websites like https://www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do
> > which don't send the close_notify alert on shutdown and squid sends an error page to the browser.
> > For a workaround I want to set the SSL_OP_IGNORE_UNEXPECTED_EOF option, but it doesn't work.
> > 
> > I added one of following lines, but everytime squid claims about unknown TLS options.
> > 
> > tls_outgoing_options options=SSL_OP_IGNORE_UNEXPECTED_EOF
> > or
> > tls_outgoing_options options=IGNORE_UNEXPECTED_EOF
> > 
> > but everytime I get an error message like
> > 2025/10/31 11:56:35 kid1| ERROR: Unknown TLS option SSL_OP_IGNORE_UNEXPECTED_EOF
> > or
> > 2025/10/31 12:53:20 kid1| ERROR: Unknown TLS option IGNORE_UNEXPECTED_EOF
> > 
> > My ssl_bump related configlines look like:
> > 
> > http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB tls-cert=/secrets/ca.pem tls-dh=/etc/squid/dhparams.pem
> > sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
> > sslcrtd_children 32 startup=10 idle=3
> > tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
> > tls_outgoing_options options=IGNORE_UNEXPECTED_EOF
> > ssl_bump peek step1
> > ssl_bump splice nohttpsscandomain
> > ssl_bump bump all
> > 
> > I use squid 7.3 on an up to date debian trixie with openssl 3.5.1:
> > 
> > Here some details of my system:
> > 
> > ~# cat /etc/os-release
> > PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
> > NAME="Debian GNU/Linux"
> > VERSION_ID="13"
> > VERSION="13 (trixie)"
> > VERSION_CODENAME=trixie
> > DEBIAN_VERSION_FULL=13.1
> > ID=debian
> > HOME_URL="https://www.debian.org/"
> > SUPPORT_URL="https://www.debian.org/support"
> > BUG_REPORT_URL="https://bugs.debian.org/"
> > 
> > root at cdxhttpproxyiapdev01-v2465:/etc/squid# squid -v
> > Squid Cache: Version 7.3
> > Service Name: squid
> > 
> > This binary uses OpenSSL 3.5.1 1 Jul 2025. configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' '--with-default-user=squid' '--with-filedescriptors=131072' '--with-logdir=/var/log/squid' '--disable-auto-locale' '--disable-eui' '--disable-carp' '--disable-htcp' '--disable-ident-lookups' '--disable-translation' '--disable-wccp' '--disable-wccpv2' '--disable-arch-native' '--disable-auth-negotiate' '--disable-auth-ntlm' '--enable-async-io=128' '--enable-auth-basic=LDAP,NCSA' '--enable-auth-digest=file,LDAP' '--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' '--enable-inline' '--enable-snmp' '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' '--enable-storeio=ufs,aufs,rock' '--enable-referer-log' '--enable-useragent-log' '--enable-large-cache-files' '--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded
> >   -for' '--enable-ssl-crtd' '--with-openssl' 'CFLAGS=-g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection'
> > 
> > 
> 

-- 
Gruß

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.

Previous message (by thread): [squid-users] Howto set SSL_OP_IGNORE_UNEXPECTED_EOF in squid.conf for outgoing tls session with enabled ssl_bump
Next message (by thread): [squid-users] Howto set SSL_OP_IGNORE_UNEXPECTED_EOF in squid.conf for outgoing tls session with enabled ssl_bump
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the squid-users mailing list