[squid-users] Squid Error SQUID_TLS_ERR_ACCEPT -- Transparent proxy
Usama Mehboob
musamamehboob at gmail.com
Mon Sep 15 20:32:23 UTC 2025
My Squid version is 6, running on Amazon Linux 2023.
root at ip-172-24-9-245:/var/log/squid# squid --version
Squid Cache: Version 6.13
Service Name: squid
This binary uses OpenSSL 3.2.2 4 Jun 2024. configure options:
'--build=x86_64-amazon-linux-gnu' '--host=x86_64-amazon-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--localstatedir=/var'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--libexecdir=/usr/lib64/squid'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid'
'--disable-dependency-tracking' '--enable-eui'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM'
'--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos'
'--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group'
'--enable-storeid-rewrite-helpers=file' '--enable-cache-digests'
'--enable-cachemgr-hostname=localhost' '--enable-delay-pools'
'--enable-epoll' '--enable-icap-client' '--enable-ident-lookups'
'--enable-linux-netfilter' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-ssl' '--enable-ssl-crtd'
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' '--enable-wccpv2'
'--disable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid'
'--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native'
'--disable-security-cert-validators' '--disable-strict-error-checking'
'--with-swapdir=/var/spool/squid' '--enable-translation'
'build_alias=x86_64-amazon-linux-gnu' 'host_alias=x86_64-amazon-linux-gnu'
'CC=gcc' 'CFLAGS=-O2 -ftree-vectorize -flto=auto -ffat-lto-objects
-fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2
-mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
-fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1
-Wl,-dT,/builddir/build/BUILD/squid-6.13/.package_note-squid-6.13-1.amzn2023.0.1.x86_64.ld'
'CXX=g++' 'CXXFLAGS=-O2 -ftree-vectorize -flto=auto -ffat-lto-objects
-fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2
-mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
-fcf-protection'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
'LT_SYS_LIBRARY_PATH=/usr/lib64:'
I am seeing this error in my cache.log:
=============================
```
2025/09/14 09:46:34 kid1| ERROR: failure while accepting a TLS connection on conn122766 local=3.225.139.255:443 remote=172.25.239.18:59114 FD 11 flags=33: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
current master transaction: master73677
2025/09/14 09:47:04 kid1| ERROR: failure while accepting a TLS connection on conn122771 local=3.225.139.255:443 remote=172.25.239.18:46344 FD 11 flags=33: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
```
OpenSSL version
+++++++++++++
OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
My squid.conf file is this
====================
visible_hostname squid
cache deny all
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_port 3128
http_port 3129 intercept
https_port 3130 cert=/path/to/squid.pem ssl-bump intercept
http_access allow SSL_ports
acl instance_metadata dst 169.254.169.254
http_access deny instance_metadata
acl allowed_https_sites ssl::server_name .domain1.com .domain2.com .domain3.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 8MB
sslcrtd_children 5
server_idle_pconn_timeout 60 minute
connect_timeout 60 minute
read_timeout 60 minute
write_timeout 60 minute
request_timeout 60 minute
http_access allow localnet allowed_https_sites
http_access allow localhost allowed_https_sites
http_access deny all
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
logformat fqdn_log %tg:UTC %6tr client:%>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<A %mt %ssl::>sni
access_log /var/log/squid/access.log fqdn_log
logfile_rotate 10
debug_options ALL,1, rotate=1
Can somebody please recommend some changes to try out? Also, it sometimes
drops the connection when trying to connect to the Salesforce Bulk API, and
upon contacting Salesforce, their team mentioned that it happens if the
client (Squid) closes the connection before the Salesforce server does. I
will appreciate the help. Thanks,
Usama
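The TLS_LIB_ERR value in the quoted cache.log lines is a packed OpenSSL error code, and unpacking it is the first check worth making before touching the ssl_bump rules. The script below is an added example written for this page; it is not code from the post or from the Squid project. It parses cache.log lines of the shape quoted above, decodes TLS_LIB_ERR using the OpenSSL 3 error-code layout (bit 31 flags an errno-style system error, the library id sits in bits 23..30 and the reason in the low 23 bits; libssl reports a TLS alert received from the peer as 1000 plus the alert number), and counts failures per client address and decoded reason. The embedded log lines are constructed in the post's format (the third, with a different code and client, is made up for the example), the alert-name table is from RFC 5246 and RFC 8446, and the layout assumes OpenSSL 3.x as the post reports (OpenSSL 1.1 packed codes differently). For the post's value A000418 the decoder yields library 20 (SSL routines) and reason 1048, i.e. the peer sent a TLS unknown_ca alert (48); `openssl errstr A000418` on an OpenSSL 3 host reports the same reason. The script only decodes the code; it does not tell you which certificate the client was rejecting.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OpenSSL 3.x error-code packing (include/openssl/err.h).  Assumption for
# this example: the codes come from OpenSSL 3, as in the post (3.2.2).
ERR_SYSTEM_FLAG = 1 << 31        # set: reason is an errno value
ERR_SYSTEM_MASK = 0x7FFFFFFF
ERR_LIB_OFFSET = 23
ERR_LIB_MASK = 0xFF
ERR_REASON_MASK = 0x7FFFFF
ERR_LIB_SYS = 2
ERR_LIB_SSL = 20                 # "SSL routines"
SSL_AD_REASON_OFFSET = 1000      # libssl: received alert N -> reason 1000 + N

# TLS alert descriptions (RFC 5246 section 7.2, RFC 8446 section 6).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 90: "user_canceled", 100: "no_renegotiation",
    109: "missing_extension", 110: "unsupported_extension",
    112: "unrecognized_name", 113: "bad_certificate_status_response",
    115: "unknown_psk_identity", 116: "certificate_required",
    120: "no_application_protocol",
}

# Constructed sample in the post's cache.log format; cache.log writes each
# record on one line (the mail client wrapped the quoted ones).  The third
# record (different client, code A00042E) is invented for the example.
SAMPLE_LOG = """\
2025/09/14 09:46:34 kid1| ERROR: failure while accepting a TLS connection on conn122766 local=3.225.139.255:443 remote=172.25.239.18:59114 FD 11 flags=33: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
current master transaction: master73677
2025/09/14 09:47:04 kid1| ERROR: failure while accepting a TLS connection on conn122771 local=3.225.139.255:443 remote=172.25.239.18:46344 FD 11 flags=33: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
2025/09/14 09:48:10 kid1| ERROR: failure while accepting a TLS connection on conn122790 local=3.225.139.255:443 remote=172.25.240.7:50002 FD 12 flags=33: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A00042E+TLS_IO_ERR=1
"""

ACCEPT_ERR_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"ERROR: failure while accepting a TLS connection on (?P<conn>conn\d+) "
    r"local=(?P<local>\S+) remote=(?P<remote>\S+) FD (?P<fd>\d+) "
    r"flags=(?P<flags>\d+): SQUID_TLS_ERR_ACCEPT(?P<detail>(?:\+\w+=\w+)*)$"
)


def decode_openssl_error(code: int) -> Tuple[int, int, bool]:
    """Return (library id, reason, is_system_error) for a packed OpenSSL 3 code."""
    if code & ERR_SYSTEM_FLAG:
        return ERR_LIB_SYS, code & ERR_SYSTEM_MASK, True
    return (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK, code & ERR_REASON_MASK, False


def describe_openssl_error(code: int) -> str:
    """Human-readable reading of the code; alerts are ones the *peer* sent us."""
    lib, reason, is_system = decode_openssl_error(code)
    if is_system:
        return f"system error errno={reason} ({os.strerror(reason)})"
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        name = TLS_ALERTS.get(alert, "unassigned")
        return f"SSL lib: TLS alert {alert} ({name}) received from peer"
    return f"OpenSSL lib {lib}: reason {reason}"


@dataclass
class TlsAcceptFailure:
    timestamp: str
    conn: str
    local: str
    remote: str
    fd: int
    lib_err: Optional[int]   # packed OpenSSL code, None if not logged
    io_err: Optional[int]

    @property
    def remote_ip(self) -> str:
        return self.remote.rsplit(":", 1)[0]

    @property
    def alert(self) -> Optional[int]:
        if self.lib_err is None:
            return None
        lib, reason, is_system = decode_openssl_error(self.lib_err)
        if is_system or lib != ERR_LIB_SSL or reason < SSL_AD_REASON_OFFSET:
            return None
        return reason - SSL_AD_REASON_OFFSET

    @property
    def description(self) -> str:
        if self.lib_err is None:
            return "no TLS_LIB_ERR recorded"
        return describe_openssl_error(self.lib_err)


def parse_line(line: str) -> Optional[TlsAcceptFailure]:
    """Parse one cache.log line; returns None for lines that are not TLS accept failures."""
    m = ACCEPT_ERR_RE.match(line.rstrip())
    if not m:
        return None
    detail = dict(kv.split("=", 1) for kv in m["detail"].split("+") if kv)
    lib_err = int(detail["TLS_LIB_ERR"], 16) if "TLS_LIB_ERR" in detail else None
    io_err = int(detail["TLS_IO_ERR"]) if "TLS_IO_ERR" in detail else None
    return TlsAcceptFailure(m["ts"], m["conn"], m["local"], m["remote"],
                            int(m["fd"]), lib_err, io_err)


def parse_log(text: str) -> List[TlsAcceptFailure]:
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def summarize(failures: List[TlsAcceptFailure]) -> Counter:
    """Count failures per (client IP, decoded reason): shows who is aborting the handshake and why."""
    return Counter((f.remote_ip, f.description) for f in failures)


if __name__ == "__main__":
    for (ip, why), n in summarize(parse_log(SAMPLE_LOG)).most_common():
        print(f"{n:4d}  {ip:<16} {why}")
```

Run it against a real file with `parse_log(open("/var/log/squid/cache.log").read())`; a cluster of one alert from one client address narrows the question to what that client saw in Squid's ServerHello, rather than to Squid's upstream side.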