From squid.org at bloms.de Sat Nov 1 16:32:54 2025
From: squid.org at bloms.de (Dieter Bloms)
Date: Sat, 1 Nov 2025 17:32:54 +0100
Subject: [squid-users] Howto set SSL_OP_IGNORE_UNEXPECTED_EOF in squid.conf for outgoing tls session with enabled ssl_bump
In-Reply-To:
References: <0d65c949-b64b-4187-976b-aff82c0286e8@measurement-factory.com>
Message-ID:

Hello Amos,

On Sat, Nov 01, Amos Jeffries wrote:

> On 01/11/2025 04:38, Dieter Bloms wrote:
> > Hello Alex,
> >
> > thank you for your answer,
> > yes, with:
> >
> > tls_outgoing_options options=0x80
> >
> > squid doesn't complain about this parameter anymore and is running, but I think it will not be taken into account.
> >
> > I still get the error page "ERR_READ_ERROR" when I try to reach https://www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do with enabled bumping.
> >
>
> Did you do a full shutdown and restart for Squid?
> If not, please try that just in case there is old session state hanging
> around.

yes, full restart.

> Is the error page reporting the same error message and OpenSSL
> "error:0A000126" code with and without the setting?

I don't see such a message in the error page, because it is of type ERR_READ_ERROR, not ERR_SECURE_CONNECT_FAIL.

Here is the output:

--snip--
The following error was encountered while trying to retrieve the URL: https://www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do

Read Error

The system returned: [No Error]

An error condition occurred while reading data from the network. Please retry your request.

Your cache administrator is xxxx at yyyyy.
--snip--

Shall I enable debug mode and send the cache.log to you or Alex?

-- 
Regards

Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
From rousskov at measurement-factory.com Sat Nov 1 20:57:22 2025
From: rousskov at measurement-factory.com (Alex Rousskov)
Date: Sat, 1 Nov 2025 16:57:22 -0400
Subject: [squid-users] Howto set SSL_OP_IGNORE_UNEXPECTED_EOF in squid.conf for outgoing tls session with enabled ssl_bump
In-Reply-To:
References: <0d65c949-b64b-4187-976b-aff82c0286e8@measurement-factory.com>
Message-ID: <15ffb792-cf62-4a82-be03-9105b8741c1d@measurement-factory.com>

On 2025-10-31 11:38, Dieter Bloms wrote:
> Hello Alex,
>
> thank you for your answer,
> yes, with:
>
> tls_outgoing_options options=0x80
>
> squid doesn't complain about this parameter anymore and is running, but I think it will not be taken into account.
>
> I still get the error page "ERR_READ_ERROR" when I try to reach https://www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do with enabled bumping.
> ... for me it looks like squid doesn't set the ssl option

... or Squid sets the option, but setting it has no effect due to other problems (e.g., Squid does not use the SSL context for which the option was set). We probably solved the initial "How to set" problem, but more triage is needed to figure out why that site does not work for you.

Personally, I am overloaded with other Squid volunteering work and dealing with other Squid Project-created overheads, so I cannot promise to look into this right now, unfortunately.

Alex.

> With the openssl command it makes a difference (the error message is gone when SSL_OP_IGNORE_UNEXPECTED_EOF is given as an option)
>
> without SSL_OP_IGNORE_UNEXPECTED_EOF you get an error:
>
> --snip--
> root at trixie:/# echo -e "GET https:////www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do HTTP/1.1\r\nHost: www.zeitwertkonten.ruv.de\r\n\r\n" | openssl s_client -quiet -connect www.zeitwertkonten.ruv.de:443 >/dev/null
> Connecting to 91.235.236.137
> depth=3 C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
> verify return:1
> depth=2 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1
> verify return:1
> depth=1 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS OV ICA 2022 - 1
> verify return:1
> depth=0 C=DE, ST=HE, L=Wiesbaden, O=R+V Allgemeine Versicherung AG, CN=www.zeitwertkonten.ruv.de
> verify return:1
> 40876FE3EB7F0000:error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:696:
> root at trixie:/#
> --snip--
>
> with SSL_OP_IGNORE_UNEXPECTED_EOF the error message is gone:
>
> --snip--
> root at trixie:/# echo -e "GET https:////www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do HTTP/1.1\r\nHost: www.zeitwertkonten.ruv.de\r\n\r\n" | openssl s_client -ignore_unexpected_eof -quiet -connect www.zeitwertkonten.ruv.de:443 >/dev/null
> Connecting to 91.235.236.137
> depth=3 C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
> verify return:1
> depth=2 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1
> verify return:1
> depth=1 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS OV ICA 2022 - 1
> verify return:1
> depth=0 C=DE, ST=HE, L=Wiesbaden, O=R+V Allgemeine Versicherung AG, CN=www.zeitwertkonten.ruv.de
> verify return:1
> root at trixie:/#
> --snip--
>
> so for me it looks like squid doesn't set the ssl option
>
>
> On Fri, Oct 31, Alex Rousskov wrote:
>
>> On 2025-10-31 08:12, Dieter Bloms wrote:
>>
>>> Does anybody know how to set the SSL option SSL_OP_IGNORE_UNEXPECTED_EOF
>>
>> Squid does not recognize that option by name[^1]. Use the option's hex value as
>> a workaround until [^1]. If my math is correct[^2], that option hex value is
>> 0x80.
>>
>> [^1]: A quality pull request adding by-name support for all known OpenSSL
>> v3.5 options is welcome.
>>
>> [^2]: From OpenSSL include/openssl/ssl.h.in sources:
>> #define SSL_OP_BIT(n) ((uint64_t)1 << (uint64_t)n)
>> #define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)
>>
>>
>> HTH,
>>
>> Alex.
>>
>>> there are some websites like https://www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do
>>> which don't send the close_notify alert on shutdown and squid sends an error page to the browser.
>>> For a workaround I want to set the SSL_OP_IGNORE_UNEXPECTED_EOF option, but it doesn't work.
>>>
>>> I added one of the following lines, but every time squid complains about unknown TLS options.
>>>
>>> tls_outgoing_options options=SSL_OP_IGNORE_UNEXPECTED_EOF
>>> or
>>> tls_outgoing_options options=IGNORE_UNEXPECTED_EOF
>>>
>>> but every time I get an error message like
>>> 2025/10/31 11:56:35 kid1| ERROR: Unknown TLS option SSL_OP_IGNORE_UNEXPECTED_EOF
>>> or
>>> 2025/10/31 12:53:20 kid1| ERROR: Unknown TLS option IGNORE_UNEXPECTED_EOF
>>>
>>> My ssl_bump related config lines look like:
>>>
>>> http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB tls-cert=/secrets/ca.pem tls-dh=/etc/squid/dhparams.pem
>>> sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
>>> sslcrtd_children 32 startup=10 idle=3
>>> tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
>>> tls_outgoing_options options=IGNORE_UNEXPECTED_EOF
>>> ssl_bump peek step1
>>> ssl_bump splice nohttpsscandomain
>>> ssl_bump bump all
>>>
>>> I use squid 7.3 on an up-to-date Debian trixie with OpenSSL 3.5.1:
>>>
>>> Here are some details of my system:
>>>
>>> ~# cat /etc/os-release
>>> PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
>>> NAME="Debian GNU/Linux"
>>> VERSION_ID="13"
>>> VERSION="13 (trixie)"
>>> VERSION_CODENAME=trixie
>>> DEBIAN_VERSION_FULL=13.1
>>> ID=debian
>>> HOME_URL="https://www.debian.org/"
>>> SUPPORT_URL="https://www.debian.org/support"
>>> BUG_REPORT_URL="https://bugs.debian.org/"
>>>
>>> root at cdxhttpproxyiapdev01-v2465:/etc/squid# squid -v
>>> Squid Cache: Version 7.3
>>> Service Name: squid
>>>
>>> This binary uses OpenSSL 3.5.1 1 Jul 2025. configure options: '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' '--with-default-user=squid' '--with-filedescriptors=131072' '--with-logdir=/var/log/squid' '--disable-auto-locale' '--disable-eui' '--disable-carp' '--disable-htcp' '--disable-ident-lookups' '--disable-translation' '--disable-wccp' '--disable-wccpv2' '--disable-arch-native' '--disable-auth-negotiate' '--disable-auth-ntlm' '--enable-async-io=128' '--enable-auth-basic=LDAP,NCSA' '--enable-auth-digest=file,LDAP' '--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' '--enable-inline' '--enable-snmp' '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' '--enable-storeio=ufs,aufs,rock' '--enable-referer-log' '--enable-useragent-log' '--enable-large-cache-files' '--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl' 'CFLAGS=-g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection'
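Alex's footnote derives the 0x80 workaround value by hand from OpenSSL's SSL_OP_BIT(n) macro. The script below is an added example (not from this thread, Squid or OpenSSL): it performs that derivation from a constructed excerpt in the ssl.h.in form, ORs several options into one 0x... literal of the kind the thread passes to tls_outgoing_options options=, and cross-checks the parsed values against the OP_* constants Python's ssl module exports from its linked OpenSSL. The three extra #define lines are sample input added here, and whether Squid accepts a combined mask in that field is an assumption the thread does not confirm.

```python
import re
import ssl

# Constructed excerpt in the SSL_OP_BIT(n) form OpenSSL 3.x uses in
# include/openssl/ssl.h.in. Only the IGNORE_UNEXPECTED_EOF line is quoted in
# the thread; the other three option lines are sample input added here.
SSL_H_EXCERPT = """\
# define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)
# define SSL_OP_IGNORE_UNEXPECTED_EOF            SSL_OP_BIT(7)
# define SSL_OP_NO_TICKET                        SSL_OP_BIT(14)
# define SSL_OP_NO_COMPRESSION                   SSL_OP_BIT(17)
# define SSL_OP_NO_RENEGOTIATION                 SSL_OP_BIT(30)
"""

# Matches '#define SSL_OP_<NAME> SSL_OP_BIT(<n>)'; the SSL_OP_BIT(n) macro
# definition itself does not match because '(' follows its name, not whitespace.
_DEFINE_RE = re.compile(
    r"^\s*#\s*define\s+(SSL_OP_[A-Z0-9_]+)\s+SSL_OP_BIT\((\d+)\)\s*$", re.M)


def parse_ssl_options(header_text):
    """Map each SSL_OP_* name to its value, evaluating SSL_OP_BIT(n) as 1 << n."""
    return {name: 1 << int(bit) for name, bit in _DEFINE_RE.findall(header_text)}


def squid_options_value(names, table):
    """OR the selected options into one mask and render it as the 0x... literal
    used with tls_outgoing_options options=. Accepts names with or without the
    SSL_OP_ prefix; an unknown name raises instead of silently dropping a bit,
    mirroring Squid's own 'Unknown TLS option' rejection."""
    mask = 0
    for name in names:
        full = name if name.startswith("SSL_OP_") else "SSL_OP_" + name
        if full not in table:
            raise KeyError("Unknown TLS option " + name)
        mask |= table[full]
    return "0x%x" % mask


def cross_check_with_python_ssl(table):
    """Compare parsed values with the ssl.OP_* constants (SSL_OP_* minus the
    SSL_ prefix) exported by this interpreter's OpenSSL. Returns the names whose
    values disagree; options this build does not export are skipped."""
    mismatches = []
    for name, value in table.items():
        py_value = getattr(ssl, name[len("SSL_"):], None)
        if py_value is not None and int(py_value) != value:
            mismatches.append(name)
    return mismatches


if __name__ == "__main__":
    opts = parse_ssl_options(SSL_H_EXCERPT)
    print("tls_outgoing_options options="
          + squid_options_value(["IGNORE_UNEXPECTED_EOF"], opts))
    print("mismatches vs python ssl module:", cross_check_with_python_ssl(opts))
```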