[squid-users] Compiling with OpenSSL 1.1+

Santschi Yann Yann.Santschi at hopitalvs.ch
Wed Feb 13 13:19:46 UTC 2019


Many thanks for your help. I was able to get squid compiled.


Squid was unable to find the OpenSSL installation because I didn't set the "--prefix" flag when I compiled OpenSSL. Once I set it with the same value as "--openssldir" squid compilation worked.


I'm using CentOS 7 and OpenSSL 1.0.2 is installed. It explains why the squid compilation with OpenSSL 1.0.2 worked by "magic" without "--prefix".


Yann

________________________________
From: squid-users <squid-users-bounces at lists.squid-cache.org> on behalf of Amos Jeffries <squid3 at treenet.co.nz>
Sent: Wednesday, 13 February 2019 12:27:25
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Compiling with OpenSSL 1.1+

On 13/02/19 10:26 pm, Santschi Yann wrote:
> Hello everybody,
>
> I'm trying to compile Squid 4.4 with OpenSSL 1.1.1a and I'm getting
> compilation errors like this one:
>
>
> In file included from ../../src/security/Context.h:15:0,
>                  from ../../src/security/forward.h:13,
>                  from ../../src/SquidConfig.h:21,
>                  from old_api.cc:24:
> ../../compat/openssl.h:121:2: error: #error missing both OpenSSL API
> features EVP_PKEY_up_ref (v1.1) and CRYPTO_LOCK_EVP_PKEY (v1.0)
>  #error missing both OpenSSL API features EVP_PKEY_up_ref (v1.1) and
> CRYPTO_LOCK_EVP_PKEY (v1.0)
>

Squid is not able to find your OpenSSL libcrypto installation. Neither
1.0 nor 1.1 version headers are available to the compiler.

The config.log file generated during the ./configure build stage should
contain hints about why that is. It should really have exited with an
error when detecting the library files, but may not have if you have
some other version of libssl or libcrypto or derivatives such as
libressl installed on the build machine in the usual (FHS) location for
such things.


You have this:

> --with-openssl=/usr/local/ssl-1.1.1a/

So please check that the libssl and libcrypto library and header
includes have been successfully *installed* at that location. Simply
expanding the library source code to there is not installation - this is
a common mistake, it has to actually be built and installed at the path
you are telling the Squid compile system to use.



> If I compile with the deprecated OpenSSL 1.0.2 branch it works but I
> don't want to use this branch. My goal is to offload SSL-Bump with
> hardware that needs OpenSSL 1.1.1.
>
> I've been looking for a solution for a couple of days and I found absolutely
> nothing that helps in Squid documentation, source code and Google.
>
> According to the "CompilingSquid" FAQ it should be feasible with
> Squid-4. Page https://wiki.squid-cache.org/SquidFaq/CompilingSquid says
> the following:
>
> However, please note that Squid-3.5
> <https://wiki.squid-cache.org/Squid-3.5> is not compatible with OpenSSL
> v1.1+. As of Debian Squeeze, or Ubuntu Zesty the *libssl1.0-dev* package
> must be used instead. This is resolved in the Squid-4
> <https://wiki.squid-cache.org/Squid-4> packages.
>

Since you are quoting the Debian and Ubuntu statements, are we to assume
that you are using one of those OS?
 If so, why not use the Debian Buster or Ubuntu Cosmic libssl-dev
package which is currently already at v1.1.1 ?


>
> The configure script is run with the following parameters:
>
> ./configure LDFLAGS=-ldl --prefix=/usr --includedir=/usr/include
> --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid
> -localstatedir=/var --sysconfdir=/etc/squid --with-default-user=squid
> --with-openssl=/usr/local/ssl-1.1.1a/ --enable-ssl --enable-ssl-crtd
> --enable-linux-netfilter --enable-snmp --enable-useragent-log
> --enable-referer-log --enable-cachemgr --enable-truncate
> --enable-underscores --enable-stacktrace --enable-async-io=160
> --enable-poll --enable-icmp --enable-ipfw-transparent
> --enable-forw-via-db --enable-cache-digests --with-included-ltdl
> --enable-ltdl-convenience

If you can spare some time please also run "./configure --help" and
remove the options from the above set which do not exist. At least the
--enable-ssl and log ones are non-existing.


HTH
Amos
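
The check described above (that the libssl and libcrypto libraries and headers are actually installed at the --with-openssl path), as an added example that is not part of the original thread or of Squid's build system. It assumes the conventional layout of an installed OpenSSL prefix (include/openssl/opensslv.h plus lib/ or lib64/); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that an OpenSSL prefix is really *installed*
# (headers plus built libraries), not just an unpacked source tree.
# Assumed layout: $prefix/include/openssl/opensslv.h and $prefix/lib or lib64.

# Print the version string recorded in the installed opensslv.h (empty if absent).
openssl_header_version() {
    sed -n 's/^#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"\(.*\)"[[:space:]]*$/\1/p' \
        "$1/include/openssl/opensslv.h" 2>/dev/null | head -n 1
}

# Return 0 if a library named $2 (e.g. libssl) exists under $1/lib or $1/lib64.
has_library() {
    for dir in "$1/lib" "$1/lib64"; do
        for f in "$dir/$2.so" "$dir/$2.so."* "$dir/$2.a"; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# Check one prefix; report every missing piece, return non-zero if any is missing.
check_openssl_prefix() {
    prefix=${1%/}
    rc=0
    if [ -f "$prefix/include/openssl/opensslv.h" ]; then
        echo "headers: $(openssl_header_version "$prefix")"
    else
        echo "MISSING headers: $prefix/include/openssl/opensslv.h"
        rc=1
    fi
    for lib in libssl libcrypto; do
        if has_library "$prefix" "$lib"; then
            echo "found $lib"
        else
            echo "MISSING $lib under $prefix/lib or $prefix/lib64"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: pass the same path that is given to --with-openssl.
if [ "$#" -gt 0 ]; then
    check_openssl_prefix "$1"
fi
```

Run it with the path passed to --with-openssl before running Squid's ./configure; a header version that differs from the one expected means the compiler would pick up a different OpenSSL than intended.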