[squid-users] Question about squid 3.5.x and SSL

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 22 01:48:29 UTC 2014



On 22/10/2014 5:40 a.m., Mike wrote:
> I was reading through the release notes for squid 3.5, and in
> section 2.4 regarding HTTPS, it mentions "When Squid is built with
> the GnuTLS encryption library the tool is able to open TLS (or
> SSL/3.0) connections to servers", and the wording makes me think
> that when openssl is in use, squid cannot open TLS/SSL connections
> to servers...
> 
> So my question is if it will still be properly able to open TLS/SSL
> connections to servers when openssl is in use (like we currently
> are using with 3.4.6 and ssl_bump)? Or is gnutls recommended for
> use with squid 3.5.x (despite its massive bugs and vulnerabilities
> compared to openssl)?

"Squid" is a small collection of related programs. There is a "squid"
proxy binary, and also there is a separate "squidclient" binary which
is a tool for manual command line or scripted HTTP requests. Somewhat
like curl or wget but more oriented at debugging traffic.

Section 2.4 applies *only* to that squidclient tool. The main squid
and other binaries do not yet have any use of GnuTLS, which is
mentioned in section 4.1 build options. That is planned to change, but
timeline is flexible still as it's one of my spare-time unpaid efforts.

Regarding:
> the wording makes me think that when openssl is in use, squid
> cannot open TLS/SSL connections to servers...

Correct, at least within the context of squidclient tool which section
2.4 is all about.

When using only OpenSSL the squidclient tool does not have any HTTPS
support. Never has.


> 
> and my last question, regarding squid usage by people on HTTPS
> websites, what are some primary differences of using gnutls versus
> openssl?

Primary difference as applies to Squid is that OpenSSL support has
been present across most of the Squid code for years and GnuTLS
support is only just now being added.

The main reason for adding it is GnuTLS is popular, portable, feature
compatible with what we use in OpenSSL, and also GPL license
compatible. By using it our downstream distributors are able to
package HTTPS enabled binaries where previously they were prohibited
by OpenSSL license conditions.


PS. If you are building Squid I highly recommend you add libnettle and
libgnutls to your build environment. Both of them should be easily
available in any OS.

Amos


