High CPU utilization while using SSL Inspect (MITM) - 5.3.dev from github

[Fabricio Guzzy]

Hello everyone,

I am facing a very strange behavior of E2guardian when using it with SSL inspect (MITM) enabled.

It just need 3 browsers Tab opened loading pages to eat 100% CPU. (single user)

I tried it with many different CPUs like J1800 (2 cores), J1900 (4 cores), AMD GX420GI (4 cores) - All them showed the same behavior.

Now If I disable SSL inspection, everything goes fine. CPU stuck around 2 or 3% max.

I also tried to use different CAs (2048 bit, 4096 bit) with no success.

I am compiling straight from github - 5.3.dev version. (that goes for 5.3.4)

I was using it successfully for a long time with FreeBSD 11.x - now using 12.2 I got this problem.

Additionally, I was not able to compile the latest stable version (5.4) on FreeBSD - It is causing a lot of error while compiling. Any tip on this matter?

Any help will be very much appreciated.

Thanks Much!

Fabricio.

[Fabricio Guzzy]

Adding more information.

Here the options used to compile it:

Built with:  '--localstatedir=/var' '--with-logdir=/var/log' '--with-piddir=/var/run' '--disable-avastd' '--disable-clamd' '--disable-commandline' '--with-dgdebug=off' '--with-newdebug=off' '--enable-dnsauth' '--disable-email' '--enable-icap' '--disable-kavd' '--enable-ntlm' '--enable-sslmitm' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.2' 'build_alias=amd64-portbld-freebsd12.2' 'CXX=c++' 'CXXFLAGS=-O2 -pipe  -I/usr/local/include -DLIBICONV_PLUG -fstack-protector-strong -fno-strict-aliasing   -DLIBICONV_PLUG -std=c++11 ' 'LDFLAGS=  -fstack-protector-strong ' 'LIBS=' 'CPPFLAGS=-I/usr/local/include -DLIBICONV_PLUG' 'CC=cc' 'CFLAGS=-O2 -pipe  -I/usr/local/include -DLIBICONV_PLUG -fstack-protector-strong -fno-strict-aliasing' 'CPP=cpp' 'PKG_CONFIG=pkgconf' 'OPENSSL_CFLAGS=-I/usr/include -L/usr/lib' 'OPENSSL_LIBS=-lssl -lcrypto'

[Philip Pearce]

Hello Fabrico,

E2g uses openssl libraries for the SSL inspection, so the problem is likely to be with the ssl libraries on FreeBSD v12.2.  Has openssl been replaced in v12.2 with a different ssl library?  If so, you may need to compile and install the latest OpenSSL libraries and development headers etc on the platform as we only support the OpenSSL libraries.  

On the v5.4 compile, if you post the errors, I'll have a look when I get a chance to see the area(s) that is causing the problem, but I have no experience with FreeBSD, so we will need to rely on the BSD community for any conditional code that may need changing.

Regards

Philip

---

--
E2guardian:
https://groups.google.com/d/forum/e2guardian
Github:
https://github.com/e2guardian/e2guardian
Follow us on twitter:
https://twitter.com/e2guardian
---
You received this message because you are subscribed to the Google Groups "e2guardian" group.
To unsubscribe from this group and stop receiving emails from it, send an email to e2guardian+...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/e2guardian/4f08cd78-da06-459e-8bf0-065a6214c47an%40googlegroups.com.

[Fabricio Guzzy]

Hello Phillip.

First of all, Thanks for you kind support on this.

Yes, the openssl version has changed for sure. Maybe that is the reason of the performance compared to the older version. If so, there is not much to do about it as I am forced to use the latest one because of the vulnerability issues.

Now about the ver 5.4 - I can compile it successfully, but when I try the "make install" step, it shows a lot of errors related to missing files like example.sample, ipbannedlist file, among others, It is like the install process cannot find the related files for some reason. Looking a little but closer, I have confirmed the files really don't exist.

Now I don't know if there is something missing in the "make install" scripts, or if I am compiling it in a wrong way.

commands used:

1-   ./autogen.sh

2- (edited the configure file and removed the -lresolv from it as FreeBSD will not use this)

3- make -j 8

4- make install

Here the latest error lines from "make install" process:

#################################################

/usr/bin/install -c -m 644 authexceptioniplist /usr/local/etc/e2guardian/lists/common/authexceptioniplist

/usr/bin/install -c -m 644 authexceptionsitelist /usr/local/etc/e2guardian/lists/common/authexceptionsitelist

/usr/bin/install -c -m 644 authexceptionurllist /usr/local/etc/e2guardian/lists/common/authexceptionurllist

/usr/bin/install -c -m 644 bannedclientlist /usr/local/etc/e2guardian/lists/common/bannedclientlist

/usr/bin/install -c -m 644 bannediplist /usr/local/etc/e2guardian/lists/common/bannediplist

/usr/bin/install -c -m 644 browserregexplist /usr/local/etc/e2guardian/lists/common/browserregexplist

/usr/bin/install -c -m 644 embededreferersiteiplist /usr/local/etc/e2guardian/lists/common/embededreferersiteiplist

/usr/bin/install -c -m 644 embededreferersitelist /usr/local/etc/e2guardian/lists/common/embededreferersitelist

/usr/bin/install -c -m 644 embededrefererurllist /usr/local/etc/e2guardian/lists/common/embededrefererurllist

/usr/bin/install -c -m 644 exceptionclientlist /usr/local/etc/e2guardian/lists/common/exceptionclientlist

/usr/bin/install -c -m 644 exceptioniplist /usr/local/etc/e2guardian/lists/common/exceptioniplist

/usr/bin/install -c -m 644 nologextensionlist /usr/local/etc/e2guardian/lists/common/nologextensionlist

/usr/bin/install -c -m 644 nologregexpurllist /usr/local/etc/e2guardian/lists/common/nologregexpurllist

/usr/bin/install -c -m 644 nologsiteiplist /usr/local/etc/e2guardian/lists/common/nologsiteiplist

/usr/bin/install -c -m 644 nologsitelist /usr/local/etc/e2guardian/lists/common/nologsitelist

/usr/bin/install -c -m 644 nologurllist /usr/local/etc/e2guardian/lists/common/nologurllist

/usr/bin/install -c -m 644 nomitmsiteiplist /usr/local/etc/e2guardian/lists/common/nomitmsiteiplist

/usr/bin/install -c -m 644 nomitmsitelist /usr/local/etc/e2guardian/lists/common/nomitmsitelist

/usr/bin/install -c -m 644 searchregexplist /usr/local/etc/e2guardian/lists/common/searchregexplist

/usr/bin/install -c -m 644 searchexceptionregexplist /usr/local/etc/e2guardian/lists/common/searchexceptionregexplist

/usr/bin/install -c -m 644 README /usr/local/etc/e2guardian/lists/common/README

Making install in example.group

Making install in .

/bin/sh /e2g-5.4-source/install-sh -d /usr/local/etc/e2guardian/lists/example.group &&  for l in addheaderregexplist  bannedsearchoveridelist  bannedextensionlist  bannediplist  bannedmimetypelist  bannedphraselist  oldbannedphraselist  bannedregexpheaderlist  bannedregexpurllist  bannedregexpuseragentlist  bannedsearchlist  bannedsiteiplist  bannedtimelist  exceptionvirussiteiplist  bannedsitelist  bannedsslsiteiplist  bannedsslsitelist  bannedurllist  blankettimelist  contentregexplist  exceptionextensionlist  exceptionvirusextensionlist  exceptionfilesiteiplist  exceptionfilesitelist  exceptionfileurllist  exceptionclientlist  exceptionmimetypelist  exceptionphraselist  oldexceptionphraselist  exceptionregexpurllist  exceptionregexpuseragentlist  exceptionsiteiplist  exceptionsitelist  exceptionregexpheaderlist  exceptionurllist  greysiteiplist  greysitelist  greysslsiteiplist  greysslsitelist  greyurllist  headerregexplist  localbannedsearchlist  localbannedsiteiplist  localbannedsitelist  localbannedsslsiteiplist  localbannedsslsitelist  localbannedurllist  localexceptionsiteiplist  localexceptionsitelist  localexceptionurllist  localgreysiteiplist  localgreysitelist  localgreysslsiteiplist  localgreysslsitelist  localgreyurllist  logregexpurllist  logsiteiplist  logsitelist  logurllist  nocheckcertsiteiplist  nocheckcertsitelist  refererexceptionsiteiplist  refererexceptionsitelist  refererexceptionurllist  responseheaderregexplist  sslsiteregexplist  urlredirectregexplist  urlregexplist  ipnobypass  domainsnobypass  urlnobypass  weightedphraselist  oldweightedphraselist  README ; do  echo "/usr/bin/install -c -m 644 $l /usr/local/etc/e2guardian/lists/example.group/$l";  /usr/bin/install -c -m 644 $l /usr/local/etc/e2guardian/lists/example.group/$l;  done

/usr/bin/install -c -m 644 addheaderregexplist /usr/local/etc/e2guardian/lists/example.group/addheaderregexplist

/usr/bin/install -c -m 644 bannedsearchoveridelist /usr/local/etc/e2guardian/lists/example.group/bannedsearchoveridelist

/usr/bin/install -c -m 644 bannedextensionlist /usr/local/etc/e2guardian/lists/example.group/bannedextensionlist

/usr/bin/install -c -m 644 bannediplist /usr/local/etc/e2guardian/lists/example.group/bannediplist

install: bannediplist: No such file or directory

*** Error code 71

Stop.

make[5]: stopped in /e2g-5.4-source/configs/lists/example.group

*** Error code 1

*** Error code 1

*** Error code 1

*** Error code 1

*** Error code 1

#################################################

Thanks Much!!!

Fabricio.

[Fabricio Guzzy]

Phillip, Did you have the chance to see this thread? 

Not sure if you guys have seem these errors before. Not sure if we are missing files for the ver 5.4 or some script changes.

Thank You

Fabricio.