RHEL-107994

squid does not work with post-quantum crypto


    • Bug
    • Resolution: Unresolved
    • rhel-10.2
    • rhel-10.1
    • squid
    • squid-6.10-8.el10
    • Important
    • rhel-stacks-web-servers
    • _WS-Refined_

      What were you trying to do that didn't work?

      Use squid when SSL keys and certs (CA cert, client & server certs and keys) are PQC (namely mldsa65 cipher); squid fails with "FATAL: Unable to generate signing certificate for untrusted sites for HTTPS_port"

      What is the impact of this issue to you?

      The dnf beakerlib test https://pkgs.devel.redhat.com/cgit/tests/dnf/tree/Sanity/proxy-ssl-configuration-options fails due to squid. It passes when the cipher used is classic crypto (RSA). The test uses internal beakerlib library https://pkgs.devel.redhat.com/cgit/tests/squid/tree/Library/squid

      Please provide the package NVR for which the bug is seen:

      squid-6.10-5.el10

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. use the dnf test proxy-ssl-configuration-options, set CIPH="mldsa65"
      2. run the test (using e.g. "tmt try rhel-10.1@minute")

      Expected results

      test passes

      Actual results

      test fails:

      rlServiceStart: Starting service squid failed
      Status of the failed service:
        Redirecting to /bin/systemctl status squid.service
        × squid.service - Squid caching proxy
        Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; preset: disabled)
        Active: failed (Result: exit-code) since Thu 2025-08-07 04:26:44 EDT; 55ms ago
        Invocation: 9e0521b4c3664980ab99c3e3a4ad0292
        Docs: man:squid(8)
        Process: 22762 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
        Process: 22765 ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF} (code=exited, status=1/FAILURE)
        Main PID: 22765 (code=exited, status=1/FAILURE)
        Mem peak: 3.3M
        CPU: 27ms
      
        Aug 07 04:26:44 prereserve-1mt-rhel-10.1-20250804.1-37984-2025-08-07-08-01 squid[22765]: Page faults with physical i/o: 0
        Aug 07 04:26:44 prereserve-1mt-rhel-10.1-20250804.1-37984-2025-08-07-08-01 squid[22765]: 2025/08/07 04:26:44| Processing Configuration File: /etc/squid/squid.conf (depth 0)
        Aug 07 04:26:44 prereserve-1mt-rhel-10.1-20250804.1-37984-2025-08-07-08-01 squid[22765]: 2025/08/07 04:26:44| storeDirWriteCleanLogs: Starting...
        Aug 07 04:26:44 prereserve-1mt-rhel-10.1-20250804.1-37984-2025-08-07-08-01 squid[22765]: 2025/08/07 04:26:44|   Finished.  Wrote 0 entries.
        Aug 07 04:26:44 prereserve-1mt-rhel-10.1-20250804.1-37984-2025-08-07-08-01 squid[22765]: 2025/08/07 04:26:44|   Took 0.00 seconds (  0.00 entries/sec).
        Aug 07 04:26:44 prereserve-1mt-rhel-10.1-20250804.1-37984-2025-08-07-08-01 squid[22765]: 2025/08/07 04:26:44| FATAL: Unable to generate signing certificate for untrusted sites for HTTPS_port [::]:3128
        Aug 07 04:26:44 prereserve-1mt-rhel-10.1-20250804.1-37984-2025-08-07-08-01 squid[22765]: 2025/08/07 04:26:44| Squid Cache (Version 6.10): Terminated abnormally.
        Aug 07 04:26:44 prereserve-1mt-rhel-10.1-20250804.1-37984-2025-08-07-08-01 systemd[1]: squid.service: Main process exited, code=exited, status=1/FAILURE
        Aug 07 04:26:44 prereserve-1mt-rhel-10.1-20250804.1-37984-2025-08-07-08-01 systemd[1]: squid.service: Failed with result 'exit-code'.
        Aug 07 04:26:44 prereserve-1mt-rhel-10.1-20250804.1-37984-2025-08-07-08-01 systemd[1]: Failed to start squid.service - Squid caching proxy.
      Runnning while ss -tan | grep -q :3128; do sleep 1; done, with 120 seconds timeout
      Command ended itself, I am not killing it.
      

              luhliari@redhat.com Lubos Uhliarik
              emrakova@redhat.com Eva Mrakova
              Lubos Uhliarik
              Branislav Náter