[squid-users] squid 4.0.20 does not recognize ssl-bump option.

Alex Rousskov rousskov at measurement-factory.com
Mon Jun 19 17:23:16 UTC 2017


On 06/19/2017 03:12 AM, Amos Jeffries wrote:
> On 19/06/17 10:53, Alex Rousskov wrote:
>> * Squid does not know anything about LibreSSL. Somebody added the
>> letters "LibreSSL" to squid.conf.documented, but that was a mistake IMO.

> The mentions of LibreSSL in the current file are for things which were
> tested before the recent round of LibreSSL issues. Specifically loading
> CA certs from a file. AFAIK that should still be working.

IMO, regardless of whether LibreSSL works for loading CA certs from a
file, it is a mistake for Squid documentation to potentially imply,
however indirectly, that Squid supports LibreSSL today. Besides, I do
not think that loading CA is somehow meaningful in isolation from 100
other actions participating in TLS traffic processing.

It may be possible to meaningfully divide TLS-related code into SslBump
and everything else, but Squid offers proper LibreSSL support for
neither SslBump nor "everything else" IMO.


> the release notes still say "This release does not
> support LibreSSL" at present since we have had no positive feedback on
> anything actually working yet.

Please do not remove that "does not support" disclaimer even if somebody
says that they are using LibreSSL successfully.


>> are taking significant additional risks by
>> using LibreSSL with SslBump. Whether those risks are worth using
>> something other than OpenSSL is your call, of course.

> Since the risk here is due to lack of testing... More testing is very
> welcome of course. Especially with feedback about what works and what
> does not.

I disagree. The Project should not welcome more bug reports about an
unsupported library unless we want to spend our cycles on actually
supporting that library. IMHO, we must spend those cycles on other, more
important/higher priority things.

Alex.
