[squid-users] Howto set SSL_OP_IGNORE_UNEXPECTED_EOF in squid.conf for outgoing tls session with enabled ssl_bump

Dieter Bloms squid.org at bloms.de
Fri Oct 31 12:12:50 UTC 2025 

Hello,

there are some websites like https://www.zeitwertkonten.ruv.de/web/webSealContent/login/login.do
which don't send the close_notify alert on shutdown and squid sends an error page to the browser.
For a workaround I want to set the SSL_OP_IGNORE_UNEXPECTED_EOF option, but it doesn't work.

I added one of following lines, but everytime squid claims about unknown TLS options.

tls_outgoing_options options=SSL_OP_IGNORE_UNEXPECTED_EOF
or
tls_outgoing_options options=IGNORE_UNEXPECTED_EOF

but everytime I get an error message like
2025/10/31 11:56:35 kid1| ERROR: Unknown TLS option SSL_OP_IGNORE_UNEXPECTED_EOF
or
2025/10/31 12:53:20 kid1| ERROR: Unknown TLS option IGNORE_UNEXPECTED_EOF

My ssl_bump related configlines look like:

http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB tls-cert=/secrets/ca.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
tls_outgoing_options options=IGNORE_UNEXPECTED_EOF
ssl_bump peek step1
ssl_bump splice nohttpsscandomain
ssl_bump bump all

I use squid 7.3 on an up to date debian trixie with openssl 3.5.1:

Here some details of my system:

~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
NAME="Debian GNU/Linux"
VERSION_ID="13"
VERSION="13 (trixie)"
VERSION_CODENAME=trixie
DEBIAN_VERSION_FULL=13.1
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

root at cdxhttpproxyiapdev01-v2465:/etc/squid# squid -v
Squid Cache: Version 7.3
Service Name: squid

This binary uses OpenSSL 3.5.1 1 Jul 2025. configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' '--with-default-user=squid' '--with-filedescriptors=131072' '--with-logdir=/var/log/squid' '--disable-auto-locale' '--disable-eui' '--disable-carp' '--disable-htcp' '--disable-ident-lookups' '--disable-translation' '--disable-wccp' '--disable-wccpv2' '--disable-arch-native' '--disable-auth-negotiate' '--disable-auth-ntlm' '--enable-async-io=128' '--enable-auth-basic=LDAP,NCSA' '--enable-auth-digest=file,LDAP' '--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' '--enable-inline' '--enable-snmp' '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' '--enable-storeio=ufs,aufs,rock' '--enable-referer-log' '--enable-useragent-log' '--enable-large-cache-files' '--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl' 'CFLAGS=-g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection'

Does anybody know, howto set the SSL Option SSL_OP_IGNORE_UNEXPECTED_EOF

-- 
Regdards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.

More information about the squid-users mailing list