Please support SSL bumping with '--with-openssl' configure option
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Squid | Fix Released | Unknown | | |
| squid (Ubuntu) | Won't Fix | Undecided | Unassigned | |
Bug Description
In order to do SSL bumping [1], it seems that squid needs to be configured '--with-openssl'.
Justification/use cases:
Nowadays, HTTPS represents the majority of the traffic and it cannot be observed as easily as HTTP. With SSL bumping, squid can use the SNI header that is (still) in the cleartext portion of the SSL/TLS connection and use that to allow/deny forwarding the connection. That is the 'peek-n-splice' mode in upstream docs [2]. This mode doesn't compromise the security/privacy of the intercepted traffic as SSL/TLS is not terminated. The SNI inspection may be considered a privacy concern by some.
One can also do fancier things like implementing a corporate MITM that generates certs on the fly signed by locally trusted CA [3]. This terminates the SSL/TLS connection in order to inspect the inner communication. This "intrusion" is sometimes required by organization policies.
I can only speak for my organization but we ran into multiple situations where the peek-n-splice capability would have been handy. In other scenarios, we would have appreciated the MITM version too, so I think there is demand for such feature.
1: https:/
2: https:/
3: https:/
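A minimal squid.conf for the peek-n-splice mode the report describes, added here as an illustration (not part of the bug report or of Squid's own documentation). It assumes a Squid 4.x build with OpenSSL support; the certificate path and the blocked domain are placeholders.

```conf
# Added example: peek at the TLS client hello to read the SNI, then
# splice (pass through) or terminate. TLS is never terminated by the
# proxy, so the inner traffic stays end-to-end encrypted.

# An ssl-bump port needs a certificate even when nothing is bumped;
# host certificates are never generated because we do not impersonate.
http_port 3128 ssl-bump tls-cert=/etc/squid/squid-bump.pem generate-host-certificates=off

# SslBump1: only TCP/CONNECT details are known.
# SslBump2: the client hello has been read, so ssl::server_name holds the SNI.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Placeholder list of server names that must not be forwarded.
acl denied_sni ssl::server_name .blocked.example

# Step 1: peek at the client hello without altering it.
ssl_bump peek step1
# Step 2: drop connections whose SNI is denied, splice everything else.
ssl_bump terminate denied_sni
ssl_bump splice all

# Record the SNI seen at step 2 so decisions can be audited later.
logformat sni_log %ts.%03tu %>a %ssl::>sni %Ss/%03>Hs
access_log /var/log/squid/sni.log sni_log
```

Because the first matching ssl_bump rule wins at each step, the `peek step1` line must precede the terminate/splice lines, which only see a populated SNI at step 2.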
Changed in squid: status: Unknown → New
Changed in squid: status: New → Fix Released
Thank you for taking the time to report this bug and helping to make Ubuntu better.
Unfortunately squid cannot be distributed linked with OpenSSL for licensing reasons. We do build squid with GnuTLS since that support was added upstream, but you have not stated what version of the squid packaging you are using.
Your direct request "build with --with-openssl" is therefore Won't Fix because we can't for legal reasons.
If SSL bumping is possible with GnuTLS in squid upstream but isn't working in the squid package in Ubuntu then we need a full bug report please. Feel free to rename this bug or create a new one as you wish.
If SSL bumping is possible with GnuTLS but the version you're using is from before support was added and we started building with it, then it's possible that you will need to upgrade to a newer release of Ubuntu to make this work, but without version information I cannot determine this.