[squid-users] squid dies: ssl_crtd helpers are crashing too rapidly

From: Sean Boran <sean_at_boran.com>
Date: Fri, 2 Dec 2011 16:44:12 +0100

With squid running sslbump in routing mode, and used by a handful of
users, squid is crashing regularly, linked to visiting SSL sites.

Logs

--
2011/11/29 11:39:36| clientNegotiateSSL: Error negotiating SSL connection on FD 45: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
2011/11/29 11:39:43| WARNING: ssl_crtd #2 (FD 11) exited
2011/11/29 11:39:43| Too few ssl_crtd processes are running (need 1/50)
2011/11/29 11:39:43| Starting new helpers
2011/11/29 11:39:43| helperOpenServers: Starting 1/50 'ssl_crtd' processes
2011/11/29 11:39:43| client_side.cc(3462) sslCrtdHandleReply: "ssl_crtd" helper return <NULL> reply
2011/11/29 11:39:44| WARNING: ssl_crtd #1 (FD 9) exited
2011/11/29 11:39:44| Too few ssl_crtd processes are running (need 1/50)
2011/11/29 11:39:44| storeDirWriteCleanLogs: Starting...
2011/11/29 11:39:44|   Finished.  Wrote 0 entries.
2011/11/29 11:39:44|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
--
So ssl_crtd is dying, which is one issue, but it's also killing squid, which is
even worse.
Initially I thought it might be a lack of ssl_crtd resources, so the
process count was increased from 5 to 50, but that didn't help.
Some config settings:
--
http_port 80 ssl-bump cert=/etc/squid/ssl/www.sample.com.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/squid_ssl_db -M 4MB
sslcrtd_children 50
--
This has happened with squid 3.1 and currently on 3.2 HEAD.
A bug report has been opened: http://bugs.squid-cache.org/show_bug.cgi?id=3436
Has anyone a workaround to keep squid running and somehow reset its
runaway ssl children?
Sean
Received on Fri Dec 02 2011 - 15:44:18 MST
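
Added example, not part of Sean's message or of Squid: a small Python scanner for the cache.log pattern in the log excerpt above, flagging repeated helper exits inside a short window as well as the FATAL line itself. The function name scan and the thresholds window_s and max_exits are assumptions chosen for illustration, not Squid's internal limits; the sample lines are copied from the excerpt.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: cache.log lines copied from the excerpt in the post.
SAMPLE_LOG = """\
2011/11/29 11:39:36| clientNegotiateSSL: Error negotiating SSL connection on FD 45: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
2011/11/29 11:39:43| WARNING: ssl_crtd #2 (FD 11) exited
2011/11/29 11:39:43| Too few ssl_crtd processes are running (need 1/50)
2011/11/29 11:39:44| WARNING: ssl_crtd #1 (FD 9) exited
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
"""

STAMPED = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| ?(.*)$")
EXITED = re.compile(r"^WARNING: (\S+) #(\d+) \(FD (\d+)\) exited$")
FATAL = re.compile(r"FATAL: The (\S+) helpers are crashing too rapidly")

def scan(lines, window_s=30, max_exits=2):
    # Returns (kind, timestamp_or_None, helper_name) tuples.
    # window_s and max_exits are example thresholds, not Squid's own limits.
    recent, alerts = {}, []            # recent: helper name -> exit times
    window = timedelta(seconds=window_s)
    for raw in lines:
        line = raw.rstrip("\n")
        fatal = FATAL.search(line)
        if fatal:                      # the FATAL line may carry no timestamp
            alerts.append(("fatal", None, fatal.group(1)))
            continue
        m = STAMPED.match(line)
        exited = EXITED.match(m.group(2)) if m else None
        if not exited:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        q = recent.setdefault(exited.group(1), deque())
        q.append(ts)
        while ts - q[0] > window:      # drop exits outside the sliding window
            q.popleft()
        if len(q) >= max_exits:
            alerts.append(("churn", ts, exited.group(1)))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the churn alert fires at the second helper exit, one line before the FATAL message.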
