[squid-users] squid 4.0.20 does not recognize ssl-bump option.

Amos Jeffries squid3 at treenet.co.nz
Mon Jun 19 09:12:57 UTC 2017


On 19/06/17 10:53, Alex Rousskov wrote:
> On 06/18/2017 09:49 AM, meym wrote:
>>> On 06/17/2017 10:09 AM, meym wrote:
>>>> Squid Cache: Version 4.0.20
>>>> "FATAL: Unknown http_port option 'ssl-bump'."
>>>
>>> Your Squid thinks it was built without OpenSSL support. OpenSSL support
>>> is required for SslBump. Examine your ./configure options and output.
>
>> With libressl actually.
>
> I do not know what you mean by that remark exactly, but what I said
> applies to any library providing OpenSSL API, including LibreSSL.

To clarify that: this Squid is missing the --with-openssl build option, 
which is required both for OpenSSL and for any library derived from it.

See "squid -v" for the details of a specific squid binary. This will now 
distinguish between the OpenSSL vs LibreSSL vs other situations.


> Moreover:
>
> * Squid does not know anything about LibreSSL. Somebody added the
> letters "LibreSSL" to squid.conf.documented, but that was a mistake IMO.

The mentions of LibreSSL in the current file are for things which were 
tested before the recent round of LibreSSL issues, specifically loading 
CA certs from a file. AFAIK that should still be working.

ssl-bump is correctly not one of those options mentioning it. Also, note 
that the fatal error message does not mention any particular library. It 
is about lack of support from *any* library in the current build.

>
> * Primary SslBump developers do not normally use or test with LibreSSL.
>
> * LibreSSL provides OpenSSL API so you can tell Squid to use LibreSSL as
> if it was OpenSSL, and things should work as well as with OpenSSL itself
> if (and only if) LibreSSL does a good job providing that OpenSSL API.
>
> * LibreSSL does not do a good job providing OpenSSL API and/or Squid
> does not do a good job detecting OpenSSL API variations in a
> LibreSSL-compatible way (depending on your point of view). See bug #4662
> for more details.
>
> There have been recent improvements in LibreSSL-compatibility area, but
> I am not sure those improvements (or the problems) are in your Squid
> version and,

They are. Though the release notes still say "This release does not 
support LibreSSL" at present since we have had no positive feedback on 
anything actually working yet.


> at any rate, are taking significant additional risks by
> using LibreSSL with SslBump. Whether those risks are worth using
> something other than OpenSSL is your call, of course.
>

Since the risk here is due to lack of testing, more testing is very 
welcome, of course. Especially with feedback about what works and what 
does not.

Amos
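
The "see squid -v" advice above, turned into a runnable check. This is an 
added example, not part of the thread and not code from the Squid project. 
It reads the text of `squid -v`, reports whether the binary was configured 
with --with-openssl (the option the thread identifies as required for 
ssl-bump), and prints which TLS library the binary says it uses. The three 
sample outputs are constructed for the example; the exact wording of the 
"This binary uses ..." line and the configure options shown are 
assumptions, so adjust the patterns if your squid -v prints something else.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid): decide from the text of
# `squid -v` whether ssl-bump can work on this binary. The configure-options
# line is what the thread tells you to inspect; --with-openssl must be there.

# Constructed sample outputs; real `squid -v` text may differ in wording.
SAMPLE_WITH_SSL=$(cat <<'EOF'
Squid Cache: Version 4.0.20
Service Name: squid
This binary uses OpenSSL 1.0.2k. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'
EOF
)

SAMPLE_WITHOUT_SSL=$(cat <<'EOF'
Squid Cache: Version 4.0.20
Service Name: squid
configure options:  '--prefix=/usr' '--enable-icap-client'
EOF
)

# Assumed LibreSSL build, configured with --with-openssl=PATH form.
SAMPLE_LIBRESSL=$(cat <<'EOF'
Squid Cache: Version 4.0.20
This binary uses LibreSSL 2.5.4. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options:  '--prefix=/usr/local' '--with-openssl=/usr/local'
EOF
)

# Print the configure options recorded in the `squid -v` text given as $1.
squid_configure_opts() {
    printf '%s\n' "$1" | sed -n 's/^configure options: *//p'
}

# Exit 0 only if the build recorded --with-openssl, bare or with =PATH.
# The word boundary check keeps --without-openssl from matching.
squid_has_openssl() {
    squid_configure_opts "$1" |
        grep -qE "(^|[[:space:]'])--with-openssl(=|'|[[:space:]]|$)"
}

# Print the TLS library name the binary reports ("OpenSSL", "LibreSSL"),
# or nothing if the build has no TLS library line at all.
squid_tls_library() {
    printf '%s\n' "$1" | sed -n 's/^This binary uses \([A-Za-z]*\).*/\1/p'
}

# Human-readable verdict; returns 0 when ssl-bump is usable, 1 otherwise.
check_sslbump_ready() {
    if squid_has_openssl "$1"; then
        printf 'ok: built with --with-openssl (TLS library: %s)\n' \
            "$(squid_tls_library "$1")"
        return 0
    fi
    printf 'not ready: --with-openssl missing; ssl-bump on http_port will be FATAL\n'
    return 1
}

# Run on the constructed samples. For a real binary use:
#   check_sslbump_ready "$(squid -v)"
check_sslbump_ready "$SAMPLE_WITH_SSL"
check_sslbump_ready "$SAMPLE_WITHOUT_SSL" || true
check_sslbump_ready "$SAMPLE_LIBRESSL"
```

The library line is reported separately from the --with-openssl check on 
purpose: as the thread says, the FATAL error is about the absence of any 
OpenSSL-API library in the build, not about which one was used, so a 
LibreSSL build that was configured with --with-openssl passes this check 
and then still carries the testing caveats Alex and Amos describe.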

