[squid-users] Squid with custom openssl path is using the openssl installed in default path

Amos Jeffries squid3 at treenet.co.nz
Wed Feb 27 13:44:56 UTC 2019


On 27/02/19 11:39 pm, Stilyan Georgiev wrote:
> Modified Makefile, replacing LIBOPENSSL_CFLAGS = -I/usr/local/include
> with LIBOPENSSL_CFLAGS = -I/usr/local/include/openssl
> 

Please do not touch the Makefile.

To set build environment variables such as those you simply pass them as
arguments to ./configure.

Like so:

 ./configure LIBOPENSSL_CFLAGS="-I/usr/local/include/openssl"


Though the best solution is to fix the issue with your OpenSSL build my
earlier response mentions.



> Afterwards I got squid reporting it uses my custom-path openssl:
> 
> -- 
> Squid Cache: Version 4.5-20190208-r568e66b7c
> Service Name: squid
> 
> This binary uses OpenSSL 1.1.1b  26 Feb 2019. For legal restrictions on
> distribution see https://www.openssl.org/source/license.html
> 
> configure options:  '--prefix=/usr/local/squid' '--with-openssl=/usr/local'
> -- 
> 
> And even though I built the openssl without tls 1.3 support, I'm still
> being able to use it when browsing through the proxy.
> 
> Also tried tls_outgoing_options options=NO_TLSv1_3 in config .. then in
> cache.log I got -- 2019/02/27 10:32:10 kid1| ERROR: Unknown TLS option
> NO_TLSv1_3

That squid.conf directive controls connections *leaving* Squid towards
origin servers.

Also, your build of OpenSSL explicitly disabled TLS/1.3 functionality.
That included disabling the ability of external programs like Squid to
control whether or not TLS/1.3 is used.


> 
> Which makes me think even though squid reports it uses openssl 1.1.1 ,
> it lies to me and still uses the ubuntu version :)
> 

No lie. That version number is not something built into Squid. It is a
string produced by the specific libssl library loaded at runtime.
So unless the library is lying about its own version that is actually
the library being loaded and used.


Keep in mind that there are multiple TCP connections, and thus multiple
agents involved. Any of the agents may be using either of the libraries
you have installed on your system.

Whatever agent you are connecting to Squid with is using one library,
Squid using the one claimed by 'squid -v', and the remote server is
using whatever exists out there.


Depending on exactly what setup you are using and how you are testing it
there are also between 1 and 3 "TLS connections" going on with TLS
version negotiated separately for each. You may only get one of those
reported by some test approaches.

If you want some assistance figuring out if your tests are accurate
and/or how to better see what is going on please provide details of what
your production setup is intended to be, any differences in your test
setup, and how you are testing (what commands exactly). As much detail
as you can provide would be helpful to anyone following up (exact crypto
key/cert values do not matter, though cert _type_ may).


Amos
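The point Amos makes above, that the version string printed by 'squid -v' comes from whichever libssl the dynamic linker actually loads, can be checked directly rather than inferred. The script below is an added example for this thread, not something from the post or from the Squid project: it reads ldd-style output, picks out the libssl/libcrypto lines, and reports any that do not resolve under the prefix given to --with-openssl. The Squid binary path /usr/local/squid/sbin/squid and the /usr/local prefix are assumptions taken from the quoted configure options; the ldd transcript embedded in the script is constructed for the offline run and shows the mixed case where libssl comes from the distro and libcrypto from the custom build.

```shell
#!/bin/sh
# Added example (not from the squid-users post): find which libssl/libcrypto a
# Squid binary resolves at runtime and compare them with the --with-openssl
# prefix. Usage (paths are assumptions):
#   sh check_squid_ssl.sh /usr/local/squid/sbin/squid /usr/local
# With no arguments it runs against the constructed sample transcript below.

# Print "<soname> <resolved path>" for every libssl/libcrypto line of ldd
# output read from stdin. Works on a saved transcript as well as live output.
ssl_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# Read "<soname> <path>" lines from stdin; succeed only when every path lives
# under the expected prefix, otherwise print each offender and fail.
ssl_libs_under_prefix() {
    prefix="$1"
    bad=0
    while read -r soname path; do
        case "$path" in
            "$prefix"/*) ;;
            *) printf 'MISMATCH: %s resolves to %s (expected under %s)\n' \
                   "$soname" "$path" "$prefix"
               bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed ldd output: a binary built with --with-openssl=/usr/local whose
# dynamic linker still finds the distribution libssl before the custom one.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd2c5f3000)
	libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f3c2d6b0000)
	libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007f3c2d1c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c2cdcf000)'

if [ -n "$1" ] && [ -x "$1" ]; then
    # Live check against the given Squid binary and prefix.
    ldd "$1" | ssl_libs_from_ldd | ssl_libs_under_prefix "${2:-/usr/local}"
    # Second opinion: the OpenSSL string in 'squid -v' is produced by the loaded
    # library, so it should match what the custom build's own openssl reports.
    "$1" -v 2>/dev/null | grep -i openssl
    "${2:-/usr/local}/bin/openssl" version 2>/dev/null
else
    # Offline run on the constructed transcript; reports the libssl mismatch.
    printf '%s\n' "$SAMPLE_LDD" | ssl_libs_from_ldd | ssl_libs_under_prefix /usr/local
fi
```

If the script reports a mismatch, the usual causes are a stale ld.so cache or a library search order that prefers /usr/lib, which is a link-time and loader question rather than anything the Makefile edit from the quoted message could fix. Remember that this only tells you which library Squid itself loaded; the client and origin server in the same test are separate agents with their own libraries, as the reply explains.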

