[squid-users] (113) Software caused connection abort
Patrick Flaherty
10 years ago
Hello,

I'm trying to back into the error below that shows up in my cache log with
reasonable frequency. Please see below the conversation that created this
error. It seems to happen after an "Encryption Alert" where I then see RST
packets.

Any help or insight would be greatly appreciated.

Thanks

Patrick



kid1| local=192.168.1.1:3128 remote=192.168.1.216:61171 FD 9 flags=1: read/write failure: (113) Software caused connection abort

--------------------------------------------------------------------------------

No.  Time                           Source         Destination    Protocol  Length  Info

310  2015-11-17 08:42:11.549082000  192.168.1.216  192.168.1.1    TCP       66      61171→3128 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
     Frame 310: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
     Ethernet II, Src: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8), Dst: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4)
     Internet Protocol Version 4, Src: 192.168.1.216 (192.168.1.216), Dst: 192.168.1.1 (192.168.1.1)
     Transmission Control Protocol, Src Port: 61171 (61171), Dst Port: 3128 (3128), Seq: 0, Len: 0

311  2015-11-17 08:42:11.549381000  192.168.1.1    192.168.1.216  TCP       66      3128→61171 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=4 SACK_PERM=1
     Frame 311: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
     Ethernet II, Src: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4), Dst: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8)
     Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.216 (192.168.1.216)
     Transmission Control Protocol, Src Port: 3128 (3128), Dst Port: 61171 (61171), Seq: 0, Ack: 1, Len: 0

312  2015-11-17 08:42:11.549424000  192.168.1.216  192.168.1.1    TCP       54      61171→3128 [ACK] Seq=1 Ack=1 Win=65700 Len=0
     Frame 312: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
     Ethernet II, Src: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8), Dst: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4)
     Internet Protocol Version 4, Src: 192.168.1.216 (192.168.1.216), Dst: 192.168.1.1 (192.168.1.1)
     Transmission Control Protocol, Src Port: 61171 (61171), Dst Port: 3128 (3128), Seq: 1, Ack: 1, Len: 0

313  2015-11-17 08:42:11.549745000  192.168.1.216  192.168.1.1    HTTP      286     CONNECT www.smart911.com:443 HTTP/1.1
     Frame 313: 286 bytes on wire (2288 bits), 286 bytes captured (2288 bits) on interface 0
     Ethernet II, Src: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8), Dst: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4)
     Internet Protocol Version 4, Src: 192.168.1.216 (192.168.1.216), Dst: 192.168.1.1 (192.168.1.1)
     Transmission Control Protocol, Src Port: 61171 (61171), Dst Port: 3128 (3128), Seq: 1, Ack: 1, Len: 232
     Hypertext Transfer Protocol

314  2015-11-17 08:42:11.573548000  192.168.1.1    192.168.1.216  HTTP      93      HTTP/1.1 200 Connection established
     Frame 314: 93 bytes on wire (744 bits), 93 bytes captured (744 bits) on interface 0
     Ethernet II, Src: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4), Dst: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8)
     Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.216 (192.168.1.216)
     Transmission Control Protocol, Src Port: 3128 (3128), Dst Port: 61171 (61171), Seq: 1, Ack: 233, Len: 39
     Hypertext Transfer Protocol

315  2015-11-17 08:42:11.573973000  192.168.1.216  192.168.1.1    TLSv1     270     Client Hello
     Frame 315: 270 bytes on wire (2160 bits), 270 bytes captured (2160 bits) on interface 0
     Ethernet II, Src: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8), Dst: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4)
     Internet Protocol Version 4, Src: 192.168.1.216 (192.168.1.216), Dst: 192.168.1.1 (192.168.1.1)
     Transmission Control Protocol, Src Port: 61171 (61171), Dst Port: 3128 (3128), Seq: 233, Ack: 40, Len: 216
     Hypertext Transfer Protocol
     Secure Sockets Layer

316  2015-11-17 08:42:11.600880000  192.168.1.1    192.168.1.216  TLSv1     199     Server Hello, Change Cipher Spec, Encrypted Handshake Message
     Frame 316: 199 bytes on wire (1592 bits), 199 bytes captured (1592 bits) on interface 0
     Ethernet II, Src: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4), Dst: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8)
     Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.216 (192.168.1.216)
     Transmission Control Protocol, Src Port: 3128 (3128), Dst Port: 61171 (61171), Seq: 40, Ack: 449, Len: 145
     Hypertext Transfer Protocol
     Secure Sockets Layer

317  2015-11-17 08:42:11.601318000  192.168.1.216  192.168.1.1    TLSv1     113     Change Cipher Spec, Encrypted Handshake Message
     Frame 317: 113 bytes on wire (904 bits), 113 bytes captured (904 bits) on interface 0
     Ethernet II, Src: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8), Dst: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4)
     Internet Protocol Version 4, Src: 192.168.1.216 (192.168.1.216), Dst: 192.168.1.1 (192.168.1.1)
     Transmission Control Protocol, Src Port: 61171 (61171), Dst Port: 3128 (3128), Seq: 449, Ack: 185, Len: 59
     Hypertext Transfer Protocol
     Secure Sockets Layer

318  2015-11-17 08:42:11.601634000  192.168.1.216  192.168.1.1    TLSv1     912     Application Data, Application Data
     Frame 318: 912 bytes on wire (7296 bits), 912 bytes captured (7296 bits) on interface 0
     Ethernet II, Src: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8), Dst: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4)
     Internet Protocol Version 4, Src: 192.168.1.216 (192.168.1.216), Dst: 192.168.1.1 (192.168.1.1)
     Transmission Control Protocol, Src Port: 61171 (61171), Dst Port: 3128 (3128), Seq: 508, Ack: 185, Len: 858
     Hypertext Transfer Protocol
     Secure Sockets Layer

319  2015-11-17 08:42:11.602016000  192.168.1.1    192.168.1.216  TCP       60      3128→61171 [ACK] Seq=185 Ack=1366 Win=211624 Len=0
     Frame 319: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
     Ethernet II, Src: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4), Dst: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8)
     Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.216 (192.168.1.216)
     Transmission Control Protocol, Src Port: 3128 (3128), Dst Port: 61171 (61171), Seq: 185, Ack: 1366, Len: 0

320  2015-11-17 08:42:11.661770000  192.168.1.1    192.168.1.216  TLSv1     395     Application Data
     Frame 320: 395 bytes on wire (3160 bits), 395 bytes captured (3160 bits) on interface 0
     Ethernet II, Src: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4), Dst: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8)
     Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.216 (192.168.1.216)
     Transmission Control Protocol, Src Port: 3128 (3128), Dst Port: 61171 (61171), Seq: 185, Ack: 1366, Len: 341
     Hypertext Transfer Protocol
     Secure Sockets Layer

321  2015-11-17 08:42:11.662675000  192.168.1.216  192.168.1.1    TCP       54      61171→3128 [FIN, ACK] Seq=1366 Ack=526 Win=65172 Len=0
     Frame 321: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
     Ethernet II, Src: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8), Dst: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4)
     Internet Protocol Version 4, Src: 192.168.1.216 (192.168.1.216), Dst: 192.168.1.1 (192.168.1.1)
     Transmission Control Protocol, Src Port: 61171 (61171), Dst Port: 3128 (3128), Seq: 1366, Ack: 526, Len: 0

322  2015-11-17 08:42:11.662848000  192.168.1.1    192.168.1.216  TLSv1     91      Encrypted Alert
     Frame 322: 91 bytes on wire (728 bits), 91 bytes captured (728 bits) on interface 0
     Ethernet II, Src: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4), Dst: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8)
     Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.216 (192.168.1.216)
     Transmission Control Protocol, Src Port: 3128 (3128), Dst Port: 61171 (61171), Seq: 526, Ack: 1366, Len: 37
     Hypertext Transfer Protocol
     Secure Sockets Layer

323  2015-11-17 08:42:11.662877000  192.168.1.216  192.168.1.1    TCP       54      61171→3128 [RST, ACK] Seq=1367 Ack=563 Win=0 Len=0
     Frame 323: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
     Ethernet II, Src: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8), Dst: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4)
     Internet Protocol Version 4, Src: 192.168.1.216 (192.168.1.216), Dst: 192.168.1.1 (192.168.1.1)
     Transmission Control Protocol, Src Port: 61171 (61171), Dst Port: 3128 (3128), Seq: 1367, Ack: 563, Len: 0

324  2015-11-17 08:42:11.663343000  192.168.1.1    192.168.1.216  TCP       60      3128→61171 [ACK] Seq=563 Ack=1367 Win=211624 Len=0
     Frame 324: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
     Ethernet II, Src: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4), Dst: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8)
     Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.216 (192.168.1.216)
     Transmission Control Protocol, Src Port: 3128 (3128), Dst Port: 61171 (61171), Seq: 563, Ack: 1367, Len: 0

325  2015-11-17 08:42:11.663358000  192.168.1.216  192.168.1.1    TCP       54      61171→3128 [RST] Seq=1367 Win=0 Len=0
     Frame 325: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
     Ethernet II, Src: CadmusCo_60:e7:c8 (08:00:27:60:e7:c8), Dst: CadmusCo_c2:e9:c4 (08:00:27:c2:e9:c4)
     Internet Protocol Version 4, Src: 192.168.1.216 (192.168.1.216), Dst: 192.168.1.1 (192.168.1.1)
     Transmission Control Protocol, Src Port: 61171 (61171), Dst Port: 3128 (3128), Seq: 1367, Len: 0

Amos Jeffries
10 years ago
Post by Patrick Flaherty
Hello,
Here is my squid config.
-Patrick
With this configuration Squid is relaying CONNECT messages as-is. Squid
has nothing to do with the crypto layer(s) inside the tunnel being
set up; it is just a blind relay for the data.

From the packet trace I see a 200 status being sent by Squid to the
client. So as far as Squid is concerned the tunnel setup is successfully
completed.

==> Meaning those crypto problems are directly and only between the
client and the server software. Nothing to do with Squid.
Post by Patrick Flaherty
# Squid Proxy Configuration
http_port 3128
# acl and http_access to ("whitelist.txt")
acl whitelist dstdomain "c:/squid/etc/squid/whitelist.txt"
http_access allow whitelist
# network source of proxy traffic
acl localnet src 0.0.0.0/0.0.0.0
You have defined the *entire IPv4 Internet* as being your LAN.
This is terrible in several ways:

1) the ACL definition for that should correctly be:

acl localnet src ipv4


2) it would allow almost unrestricted use of your proxy by any attacker
who can find it. (if it was actually working, see #4 below)


3) entire IPv4-space is not yours to own.

If the intention was to not service IPv6 clients at all, use this

http_port 0.0.0.0:3128

or this if you want to continue actively sending "Access Denied" for all
IPv6 clients:

acl ipv4 src ipv4
http_access deny !ipv4
Post by Patrick Flaherty
# acl directives for ports and protocols
acl http proto http
acl https proto https
acl port_80 port 80
acl sslports port 443
acl CONNECT method CONNECT
# rules allowing proxy access
http_access allow http port_80 whitelist localnet
http_access allow https sslports whitelist localnet
4) You already did "allow whitelist" with no restrictions. These
controls with extra restrictions are doing nothing.
Post by Patrick Flaherty
# dns servers (Change dns_nameservers to client dns servers for
consistency and better performance)
Post by Patrick Flaherty
dns_nameservers 8.8.8.8 8.8.4.4
Why not set up a proper *working* recursive resolver within your network?
It will most probably be actually faster than sending your DNS traffic
halfway around the world and back.

You can have that local resolver use 8.8.8.8/8.8.4.4 if they really are
faster than your own ISP's resolver. And divert the LAN clients' port 53
traffic through it if your clients insist on using other resolvers.
Post by Patrick Flaherty
# cache web pages directory
#cache_dir ufs C:/Squid/var/cache/squid 100 16 256
cache_mem 64 MB
# log file roll weekly
logfile_rotate 7
# access log rules
logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
The basic log formats are now built-in. Please do not re-define them.
Squid-3 will ignore your config.

Amos
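An added example, not code from this thread or from the Squid project: a small Python lint that finds the two access-control problems Amos raises (#2/#3, an allow rule whose only client restriction is the whole IPv4 Internet or no src ACL at all, and #4, later rules shadowed by the unconditional "allow whitelist"). It assumes a simplified one-directive-per-line squid.conf grammar and a sample config constructed from the lines quoted above; real Squid parsing is richer.

```python
import ipaddress
import shlex

# Constructed from the squid.conf quoted in the thread (access-control lines only).
PATRICKS_CONF = """
acl whitelist dstdomain "c:/squid/etc/squid/whitelist.txt"
http_access allow whitelist
acl localnet src 0.0.0.0/0.0.0.0
acl http proto http
acl https proto https
acl port_80 port 80
acl sslports port 443
http_access allow http port_80 whitelist localnet
http_access allow https sslports whitelist localnet
"""

def covers_all_ipv4(values):
    """True when a src ACL spans the whole IPv4 Internet ('0.0.0.0/0.0.0.0' parses as /0)."""
    for v in values:
        try:
            if v in ("all", "ipv4") or ipaddress.ip_network(v, strict=False).prefixlen == 0:
                return True
        except ValueError:  # IP ranges and hostnames are not checked here
            pass
    return False

def lint(conf):
    """Return findings: allow rules open to any client, and rules that can never match."""
    acls, rules, findings = {}, [], []
    for line in (l.split("#", 1)[0].strip() for l in conf.splitlines()):
        w = shlex.split(line) if line else []
        if w[:1] == ["acl"] and len(w) >= 4:
            acls.setdefault(w[1], (w[2], []))[1].extend(w[3:])
        elif w[:1] == ["http_access"] and len(w) >= 3:
            rules.append((w[1], w[2:]))
    for j, (act, cond) in enumerate(rules):
        rule = f"http_access {act} {' '.join(cond)}"
        srcs = [c for c in cond if c[0] != "!" and acls.get(c, ("",))[0] == "src"]
        if act == "allow" and not srcs:
            findings.append(f"{rule}: no src ACL, any client that can reach the proxy may use it")
        for c in srcs:
            if act == "allow" and covers_all_ipv4(acls[c][1]):
                findings.append(f"{rule}: src ACL '{c}' spans the whole IPv4 Internet")
        # First match wins: a later rule containing every condition of an earlier rule is dead.
        for act_i, cond_i in rules[:j]:
            if set(cond_i) <= set(cond):
                findings.append(f"{rule}: unreachable, shadowed by http_access {act_i} {' '.join(cond_i)}")
                break
    return findings
```

Running lint(PATRICKS_CONF) reports five findings; a config with a real LAN prefix (assumed here to be 192.168.1.0/24, matching the addresses in the trace), a single "allow localnet whitelist" and a closing "deny all" reports none.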