Solved

PfSense Box - Squid3 Proxy ... will not work.

Posted on 2014-09-19
Last Modified: 2014-10-03
Hi Guys,

I'm hoping someone's come across this problem.

Got a pfSense box which is happily handling OpenVPN with SSL. However, got a problem while trying to configure a BASIC proxy on it ... yes it won't work. I have built a replica on a VM platform which works well, and have examined the conf to see if there is anything different (which there isn't), so still no joy. I am not getting any Squid errors when trying to connect through the proxy by browser; it is indicating "Internet explorer cannot display the web page".

Here is my conf.

$ tail -300 /usr/pbi/squid-i386/etc/squid/squid.conf
# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.1.28:3128
http_port 127.0.0.1:3128 intercept
icp_port 0
dns_v4_first off
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-i386/etc/squid/icons
visible_hostname localhost
cache_mgr groupit@XXXXXXX.co.uk
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-i386/libexec/squid/pinger

logfile_rotate 0
debug_options rotate=0
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.1.0/24
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
      
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all

Here is my cache log

2014/09/19 09:25:49 kid1| WARNING: failed to find or read error text file error-details.txt
2014/09/19 09:25:49 kid1| sendto FD 32: (1) Operation not permitted
2014/09/19 09:25:49 kid1| ipcCreate: CHILD: hello write test failed
2014/09/19 10:35:14 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
2014/09/19 10:35:14 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
2014/09/19 10:35:14 kid1| Unable to load default error language files. Reset to backups.
2014/09/19 10:35:14 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
2014/09/19 10:35:14 kid1| WARNING: failed to find or read error text file error-details.txt
2014/09/19 10:35:14 kid1| sendto FD 19: (1) Operation not permitted
2014/09/19 10:35:14 kid1| ipcCreate: CHILD: hello write test failed
2014/09/19 10:43:42 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
2014/09/19 10:43:43 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
2014/09/19 10:43:43 kid1| Unable to load default error language files. Reset to backups.
2014/09/19 10:43:43 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
2014/09/19 10:43:43 kid1| WARNING: failed to find or read error text file error-details.txt
2014/09/19 10:43:43 kid1| sendto FD 22: (1) Operation not permitted
2014/09/19 10:43:43 kid1| ipcCreate: CHILD: hello write test failed


and here are the two TXT files mentioned in this log.


In Templates folder:


$ tail -3000 /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"

name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate does not match domainname"

name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
descr: "Unable to get issuer certificate"

name: X509_V_ERR_UNABLE_TO_GET_CRL
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to get certificate CRL"

name: X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to decrypt certificate's signature"

name: X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to decrypt CRL's signature"

name: X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
detail: "Unable to decode issuer (CA) public key: %ssl_ca_name"
descr: "Unable to decode issuer public key"

name: X509_V_ERR_CERT_SIGNATURE_FAILURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate signature failure"

name: X509_V_ERR_CRL_SIGNATURE_FAILURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL signature failure"

name: X509_V_ERR_CERT_NOT_YET_VALID
detail: "SSL Certficate is not valid before: %ssl_notbefore"
descr: "Certificate is not yet valid"

name: X509_V_ERR_CERT_HAS_EXPIRED
detail: "SSL Certificate expired on: %ssl_notafter"
descr: "Certificate has expired"

name: X509_V_ERR_CRL_NOT_YET_VALID
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL is not yet valid"

name: X509_V_ERR_CRL_HAS_EXPIRED
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL has expired"

name: X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
detail: "SSL Certificate has invalid start date (the 'not before' field): %ssl_subject"
descr: "Format error in certificate's notBefore field"

name: X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
detail: "SSL Certificate has invalid expiration date (the 'not after' field): %ssl_subject"
descr: "Format error in certificate's notAfter field"

name: X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
detail: "%ssl_error_descr: %ssl_subject"
descr: "Format error in CRL's lastUpdate field"

name: X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
detail: "%ssl_error_descr: %ssl_subject"
descr: "Format error in CRL's nextUpdate field"

name: X509_V_ERR_OUT_OF_MEM
detail: "%ssl_error_descr"
descr: "Out of memory"

name: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
detail: "Self-signed SSL Certificate: %ssl_subject"
descr: "Self signed certificate"

name: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
detail: "Self-signed SSL Certificate in chain: %ssl_subject"
descr: "Self signed certificate in certificate chain"

name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
descr: "Unable to get local issuer certificate"

name: X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to verify the first certificate"

name: X509_V_ERR_CERT_CHAIN_TOO_LONG
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate chain too long"

name: X509_V_ERR_CERT_REVOKED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate revoked"

name: X509_V_ERR_INVALID_CA
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Invalid CA certificate"

name: X509_V_ERR_PATH_LENGTH_EXCEEDED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Path length constraint exceeded"

name: X509_V_ERR_INVALID_PURPOSE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unsupported certificate purpose"

name: X509_V_ERR_CERT_UNTRUSTED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate not trusted"

name: X509_V_ERR_CERT_REJECTED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate rejected"

name: X509_V_ERR_SUBJECT_ISSUER_MISMATCH
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Subject issuer mismatch"

name: X509_V_ERR_AKID_SKID_MISMATCH
detail: "%ssl_error_descr: %ssl_subject"
descr: "Authority and subject key identifier mismatch"

name: X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Authority and issuer serial number mismatch"

name: X509_V_ERR_KEYUSAGE_NO_CERTSIGN
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"

name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
detail: "%ssl_error_descr: %ssl_subject"
descr: "unable to get CRL issuer certificate"

name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "unhandled critical extension"

name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
detail: "%ssl_error_descr: %ssl_subject"
descr: "key usage does not include CRL signing"

name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "unhandled critical CRL extension"

name: X509_V_ERR_INVALID_NON_CA
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid non-CA certificate (has CA markings)"

name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
detail: "%ssl_error_descr: %ssl_subject"
descr: "proxy path length constraint exceeded"

name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "key usage does not include digital signature"

name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
detail: "%ssl_error_descr: %ssl_subject"
descr: "proxy certificates not allowed, please set the appropriate flag"

name: X509_V_ERR_INVALID_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid or inconsistent certificate extension"

name: X509_V_ERR_INVALID_POLICY_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid or inconsistent certificate policy extension"

name: X509_V_ERR_NO_EXPLICIT_POLICY
detail: "%ssl_error_descr: %ssl_subject"
descr: "no explicit policy"

name: X509_V_ERR_DIFFERENT_CRL_SCOPE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Different CRL scope"

name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unsupported extension feature"

name: X509_V_ERR_UNNESTED_RESOURCE
detail: "%ssl_error_descr: %ssl_subject"
descr: "RFC 3779 resource not subset of parent's resources"

name: X509_V_ERR_PERMITTED_VIOLATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "permitted subtree violation"

name: X509_V_ERR_EXCLUDED_VIOLATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "excluded subtree violation"

name: X509_V_ERR_SUBTREE_MINMAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "name constraints minimum and maximum not supported"

name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported name constraint type"

name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported or invalid name constraint syntax"

name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported or invalid name syntax"

name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL path validation error"

name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"


In EN folder


$ tail -3000 /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"

name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate does not match domainname"

name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
descr: "Unable to get issuer certificate"

name: X509_V_ERR_UNABLE_TO_GET_CRL
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to get certificate CRL"

name: X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to decrypt certificate's signature"

name: X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to decrypt CRL's signature"

name: X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
detail: "Unable to decode issuer (CA) public key: %ssl_ca_name"
descr: "Unable to decode issuer public key"

name: X509_V_ERR_CERT_SIGNATURE_FAILURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate signature failure"

name: X509_V_ERR_CRL_SIGNATURE_FAILURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL signature failure"

name: X509_V_ERR_CERT_NOT_YET_VALID
detail: "SSL Certficate is not valid before: %ssl_notbefore"
descr: "Certificate is not yet valid"

name: X509_V_ERR_CERT_HAS_EXPIRED
detail: "SSL Certificate expired on: %ssl_notafter"
descr: "Certificate has expired"

name: X509_V_ERR_CRL_NOT_YET_VALID
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL is not yet valid"

name: X509_V_ERR_CRL_HAS_EXPIRED
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL has expired"

name: X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
detail: "SSL Certificate has invalid start date (the 'not before' field): %ssl_subject"
descr: "Format error in certificate's notBefore field"

name: X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
detail: "SSL Certificate has invalid expiration date (the 'not after' field): %ssl_subject"
descr: "Format error in certificate's notAfter field"

name: X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
detail: "%ssl_error_descr: %ssl_subject"
descr: "Format error in CRL's lastUpdate field"

name: X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
detail: "%ssl_error_descr: %ssl_subject"
descr: "Format error in CRL's nextUpdate field"

name: X509_V_ERR_OUT_OF_MEM
detail: "%ssl_error_descr"
descr: "Out of memory"

name: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
detail: "Self-signed SSL Certificate: %ssl_subject"
descr: "Self signed certificate"

name: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
detail: "Self-signed SSL Certificate in chain: %ssl_subject"
descr: "Self signed certificate in certificate chain"

name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
descr: "Unable to get local issuer certificate"

name: X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unable to verify the first certificate"

name: X509_V_ERR_CERT_CHAIN_TOO_LONG
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate chain too long"

name: X509_V_ERR_CERT_REVOKED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate revoked"

name: X509_V_ERR_INVALID_CA
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Invalid CA certificate"

name: X509_V_ERR_PATH_LENGTH_EXCEEDED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Path length constraint exceeded"

name: X509_V_ERR_INVALID_PURPOSE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unsupported certificate purpose"

name: X509_V_ERR_CERT_UNTRUSTED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate not trusted"

name: X509_V_ERR_CERT_REJECTED
detail: "%ssl_error_descr: %ssl_subject"
descr: "Certificate rejected"

name: X509_V_ERR_SUBJECT_ISSUER_MISMATCH
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Subject issuer mismatch"

name: X509_V_ERR_AKID_SKID_MISMATCH
detail: "%ssl_error_descr: %ssl_subject"
descr: "Authority and subject key identifier mismatch"

name: X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
detail: "%ssl_error_descr: %ssl_ca_name"
descr: "Authority and issuer serial number mismatch"

name: X509_V_ERR_KEYUSAGE_NO_CERTSIGN
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"

name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
detail: "%ssl_error_descr: %ssl_subject"
descr: "unable to get CRL issuer certificate"

name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "unhandled critical extension"

name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
detail: "%ssl_error_descr: %ssl_subject"
descr: "key usage does not include CRL signing"

name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "unhandled critical CRL extension"

name: X509_V_ERR_INVALID_NON_CA
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid non-CA certificate (has CA markings)"

name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
detail: "%ssl_error_descr: %ssl_subject"
descr: "proxy path length constraint exceeded"

name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "key usage does not include digital signature"

name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
detail: "%ssl_error_descr: %ssl_subject"
descr: "proxy certificates not allowed, please set the appropriate flag"

name: X509_V_ERR_INVALID_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid or inconsistent certificate extension"

name: X509_V_ERR_INVALID_POLICY_EXTENSION
detail: "%ssl_error_descr: %ssl_subject"
descr: "invalid or inconsistent certificate policy extension"

name: X509_V_ERR_NO_EXPLICIT_POLICY
detail: "%ssl_error_descr: %ssl_subject"
descr: "no explicit policy"

name: X509_V_ERR_DIFFERENT_CRL_SCOPE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Different CRL scope"

name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
detail: "%ssl_error_descr: %ssl_subject"
descr: "Unsupported extension feature"

name: X509_V_ERR_UNNESTED_RESOURCE
detail: "%ssl_error_descr: %ssl_subject"
descr: "RFC 3779 resource not subset of parent's resources"

name: X509_V_ERR_PERMITTED_VIOLATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "permitted subtree violation"

name: X509_V_ERR_EXCLUDED_VIOLATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "excluded subtree violation"

name: X509_V_ERR_SUBTREE_MINMAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "name constraints minimum and maximum not supported"

name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported name constraint type"

name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported or invalid name constraint syntax"

name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
detail: "%ssl_error_descr: %ssl_subject"
descr: "unsupported or invalid name syntax"

name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
detail: "%ssl_error_descr: %ssl_subject"
descr: "CRL path validation error"

name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"



Any suggestions as to what the problem might be?

Any help appreciated.

IM
Question by:ianmclachlan
Accepted Solution

by:
ianmclachlan earned 0 total points
ID: 40359081
I have fixed this by dropping squid 3 - Dev and going with Squid 3.

IM