Please support SSL bumping with '--with-openssl' configure option

Bug #1860807 reported by Simon Déziel
Affects          Status         Importance   Assigned to   Milestone
Squid            Fix Released   Unknown
squid (Ubuntu)   Won't Fix      Undecided    Unassigned

Bug Description

In order to do SSL bumping [1], it seems that squid needs to be configured '--with-openssl'.

Justification/use cases:

Nowadays, HTTPS represents the majority of the traffic and it cannot be observed as easily as HTTP. With SSL bumping, squid can use the SNI header that is (still) in the cleartext portion of the SSL/TLS connection and use that to allow/deny forwarding the connection. That is the 'peek-n-splice' mode in upstream docs [2]. This mode doesn't compromise the security/privacy of the intercepted traffic as SSL/TLS is not terminated. The SNI inspection may be considered a privacy concern by some.

One can also do fancier things like implementing a corporate MITM that generates certs on the fly signed by locally trusted CA [3]. This terminates the SSL/TLS connection in order to inspect the inner communication. This "intrusion" is sometimes required by organization policies.

I can only speak for my organization but we ran into multiple situations where the peek-n-splice capability would have been handy. In other scenarios, we would have appreciated the MITM version too, so I think there is demand for such feature.

1: https://wiki.squid-cache.org/Features/SslBump
2: https://wiki.squid-cache.org/Features/SslPeekAndSplice
3: https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

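To make the point in the description concrete, the following is an added Python example (not code from the bug report, from Squid, or from Ubuntu packaging): it builds a real TLS ClientHello offline with the standard library's ssl MemoryBIO interface, parses the server_name extension out of the cleartext handshake bytes, and then picks a squid-style ssl_bump action, 'splice' or 'terminate', from the SNI alone, which is exactly what peek-n-splice does without ever terminating TLS. The allow list and the hostnames are constructed for the demo; the action names follow squid's ssl_bump vocabulary but the matching logic is this example's own, not squid's ACL engine.

```python
import ssl
import struct

# Constructed allow list for the demo. A leading dot matches the domain and
# all of its subdomains, in the spirit of squid's ".example.com" ACL entries.
# Hypothetical names, not a real policy.
ALLOWED_SNI = (".example.com",)


def client_hello_for(hostname):
    """Produce a genuine TLS ClientHello for `hostname` with no network I/O.

    The first do_handshake() on a MemoryBIO-backed client writes the
    ClientHello into `outgoing` and then stops for lack of a ServerHello.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for the server's reply
    return outgoing.read()


def extract_sni(record):
    """Return the server_name hostname from a raw TLS ClientHello record,
    or None if the bytes are not a ClientHello or carry no SNI.

    Everything parsed here precedes any key exchange, so an on-path proxy
    can read it without holding any private key.
    """
    try:
        # TLS record header: content_type(1) version(2) length(2)
        if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        # Handshake header: msg_type(1) length(3)
        if len(body) < 4 or body[0] != 0x01:              # 0x01 = ClientHello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]

        pos = 2 + 32                                      # legacy_version + random
        pos += 1 + hello[pos]                             # legacy_session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                             # compression_methods
        if pos + 2 > len(hello):
            return None                                   # no extensions block
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(hello))

        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:                        # 0 = server_name (RFC 6066)
                continue
            # ServerNameList: list_len(2), then entries of name_type(1) name_len(2) name
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                        # host_name
                    return data[p:p + name_len].decode("ascii", "replace")
                p += name_len
        return None
    except (IndexError, struct.error):
        return None                                       # truncated or malformed hello


def sni_allowed(hostname, allowed=ALLOWED_SNI):
    """Match against dot-prefixed (domain plus subdomains) or exact entries."""
    host = hostname.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def peek_and_decide(record, allowed=ALLOWED_SNI):
    """Peek at the ClientHello and choose a squid-style ssl_bump action:
    'splice' (pass the TLS bytes through untouched) for an allowed SNI,
    'terminate' for anything else, including hellos without SNI."""
    sni = extract_sni(record)
    if sni is not None and sni_allowed(sni, allowed):
        return "splice"
    return "terminate"


if __name__ == "__main__":
    for name in ("intranet.example.com", "example.com", "tracker.example.net"):
        hello = client_hello_for(name)
        print(f"{name:>22}: sni={extract_sni(hello)!r} action={peek_and_decide(hello)}")
```

Note what the 'terminate' branch does with a hello that carries no SNI: a name-based policy cannot say anything about it, so failing closed is the conservative choice; a proxy that instead spliced such connections would give any client a trivial bypass by simply omitting the extension.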
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Unfortunately squid cannot be distributed linked with OpenSSL for licensing reasons. We do build squid with GnuTLS since that support was added upstream, but you have not stated what version of the squid packaging you are using.

Your direct request "build with --with-openssl" is therefore Won't Fix because we can't for legal reasons.

If SSL bumping is possible with GnuTLS in squid upstream but isn't working in the squid package in Ubuntu then we need a full bug report please. Feel free to rename this bug or create a new one as you wish.

If SSL bumping is possible with GnuTLS but the version you're using is from before support was added and we started building with it, then it's possible that you will need to upgrade to a newer release of Ubuntu to make this work, but without version information I cannot determine this.

Changed in squid (Ubuntu):
status: New → Won't Fix
Simon Déziel (sdeziel) wrote :

Thanks Robie! I should have mentioned that GnuTLS doesn't make SSL bumping possible. My request was to enable the compile option in future releases which is why I did not mention the one I was using.

Robie Basak (racb) wrote :

I see, thanks. Sorry we can't help with that as things stand. I think we either need an OpenSSL linking exception published by upstream copyright holders (unlikely if they've had many contributions as I guess they probably have had), or the necessary support in upstream GnuTLS and in upstream squid.

Changed in squid:
status: Unknown → New
Simon Déziel (sdeziel) wrote :

OpenSSL did a re-licensing that was completed in 2017. This, I believe, makes it compatible with Ubuntu/Debian because it is now under the Apache License v. 2.0. I've reported it to Debian as it would be best to not incur a delta in Ubuntu for that.

Changed in squid:
status: New → Unknown
Changed in squid:
status: Unknown → New
Changed in squid:
status: New → Fix Released
Amos Jeffries (yadi) wrote :

Please be aware the upstream fix is that Debian Legal and Technical teams finally decided to make it a matter of policy that OpenSSL was to be considered a core part of Debian rather than just a normal third-party library. That opens the GPL exception clause for incompatible core system licenses.

I am not sure of the policy position Ubuntu has about OpenSSL. It will need to match that new Debian policy for the package to be imported from Debian with the --with-openssl option intact.
