Squid: Compile with --enable-ssl

Bug #16669 reported by Christian Hartmann on 2005-05-03
This bug affects 15 people
Affects          Status        Importance  Assigned to
Squid            Confirmed     Medium
squid (Debian)   Fix Released  Unknown
squid (Ubuntu)   Fix Released  Undecided   Andreas Hasenack
squid3 (Ubuntu)  Won't Fix     Wishlist    Andreas Hasenack

Bug Description

Squid 2.5.8-3ubuntu1 misses the --enable-ssl option. Because of that one cannot
use squid as a https proxy. This makes this package useless to me (and many
others too I guess). It would be very nice to have a package with --enable-ssl
enabled.

$ squid -v
Squid Cache: Version 2.5.STABLE8
configure options: --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin
--sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid
--localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-async-io
--with-pthreads --enable-storeio=ufs,aufs,diskd,null --enable-linux-netfilter
--enable-arp-acl --enable-removal-policies=lru,heap --enable-snmp
--enable-delay-pools --enable-htcp --enable-poll --enable-cache-digests
--enable-underscores --enable-referer-log --enable-useragent-log
--enable-auth=basic,digest,ntlm --enable-carp --enable-large-files i386-debian-linux

Matt Zimmerman (mdz) wrote :

The SSL support was explicitly disabled, because the OpenSSL license is not
compatible with Squid's license

squid (2.5.5-4) unstable; urgency=low

  * debian/control
    - Removed dependencies on libssl-dev (linking GPL with SSL is not free)
      (Closes: #251988)

  * debian/rules
    - Removed --enable-ssl from configure
    - Added --enable-carp to configure (Closes: #180884)

Matt Sicker (jvz) wrote :

Would it be possible to create a squid-ssl package that enables SSL and put it in multiverse or something? Get permission from the squid guys to use a modified GPL that allows SSL.

Either that, or look into a GNU TLS version of squid.

Steven Harms (sharms) wrote :

Is this still an issue in feisty?

Changed in squid:
status: Unconfirmed → Needs Info
Changed in squid:
status: Incomplete → Confirmed
Soren Hansen (soren) wrote :

Yes, still an issue. Also in Gutsy. This thread on the squid-dev ml tells most of the story.

http://www.squid-cache.org/mail-archive/squid-dev/200406/0011.html

There are loads of copyright holders of the squid code, so there's no "just" about asking the copyright holders to change it. No one has just stepped up to the plate and made Squid use gnutls. Volunteers? Until then, you can rebuild it yourself.

Mathias Gug (mathiaz) on 2008-01-03
Changed in squid:
status: Confirmed → Triaged
Changed in squid:
status: Unknown → New

Due to some copyright problems, Squid is not built with OpenSSL support. Adding support for GnuTLS, which can be used as a replacement for OpenSSL, doesn't have those legal problems; therefore it would be nice if Squid supported GnuTLS, to avoid this lack of functionality out-of-the-box in some distros.

Nicolas Valcarcel (nvalcarcel) wrote :

Are there still issues with the license and no gnutls support?

Robert Collins (lifeless) wrote :

I don't think any gnutls patches have happened, and the code base still has as many (C) holders from way back that haven't contacted us to ok an exemption.

And RedHat/Fedora wants Squid to use NSS instead, but for slightly different reasons.

https://bugzilla.redhat.com/show_bug.cgi?id=348261

Neither is a high priority for the Squid project at this time as OpenSSL works reasonably well, but we will happily accept contributions toward these goals.

Thomas (t.c) wrote :

still an issue on Ubuntu 12.04

please do something to enable ssl support by default

Mac also requires us to build against a new "common crypto" library they have developed as an OpenSSL replacement. http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man3/CC_crypto.3cc.html

We need to work on a flexible, pluggable TLS interface component which any one of these libraries can be linked to.

Separating the crypto code from OpenSSL dependency would also be good.

Tomasz Klicki (tklicki) wrote :

Any updates on this bug?

Amos Jeffries (yadi) wrote :

GnuTLS has been passed to the upstream bugzilla, so is on the TODO list. However all we are seeing is demands that we do the *enormous* conversion task for free. Nobody supposedly "needing" SSL has been willing to contribute towards development, even as patch submissions to assist.

I have finally got around to starting https://code.launchpad.net/~yadi/squid/crypto-ng as a tracker to begin forward progress. However, without support you can expect it to go just as slowly as before. Any assistance is VERY welcome.

Alternatively, there are several proposals to make a special Squid package using OpenSSL available through non-free repositories. AFAIK the packaging maintainers have not made their thoughts on that known.

An SSL-enabled Squid would help many users who are concerned about the lack of anonymity on the web.

With request_header_replace there are a lot of guides to fix some information leaks for your users.
But all effort is failing if https is used.
To test this, have a look at https://panopticlick.eff.org/
You see that the original User-Agent and not the rewritten User-Agent is reported.

Another point is that more and more sites are migrating to https. This will reduce the traffic reduction of Squid because of the lack of https caching.

Gábor Lipták (gliptak) wrote :

Yes, https caching would be a feature many users are looking for.

Changed in squid (Debian):
status: New → Confirmed

I have done a build of squid 3.4.4 with ssl enabled.
See https://launchpad.net/~dirk-computer42/+archive/c42-other

Update:
GnuTLS support is now begun in 3.5 with the addition of TLS / HTTPS support for squidclient.

libnettle support as a replacement for OpenSSL libcrypto is also begun some days back in 3.5 and 3.4 with its use for MD5 hashing.

Both of these are enabled by default whenever the relevant libraries are available during build.

Changed in squid:
importance: Unknown → Medium
status: Unknown → Confirmed
god (humper) wrote :

So the only thing needed to fix this bug is to update squid to 3.5 and rebuild with --enable-ssl while having libnettle and gnutls installed? Or there are some changes to package build-depends required?

So, is it possible to configure with --enable-ssl and something like --disable-openssl at the same time?

The auto-detect default is equivalent to "--with-gnutls --without-openssl".
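The question above (whether a build has --enable-ssl but no OpenSSL) can be answered from the "configure options:" line that `squid -v` prints, as quoted in the bug description. The following POSIX sh script is an added example, not code from the bug thread or the Squid project: it classifies a binary's TLS backend from that output using the flag names the thread discusses (--enable-ssl, --with-openssl, --with-gnutls, --without-openssl). The first sample is the 2.5.STABLE8 output quoted at the top of this report (trimmed); the other two samples are constructed, and their version strings are placeholders.

```sh
#!/bin/sh
# Added example: classify which TLS library a Squid binary was configured
# with, from the "configure options:" text that `squid -v` prints.

# has_flag FLAG OPTS: exact, whitespace-delimited match, so that
# --enable-ssl does not also match --enable-ssl-crtd.
has_flag() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# tls_backend: reads `squid -v` output on stdin and prints one of
#   none | openssl | gnutls | openssl+gnutls
tls_backend() {
    # The configure line is wrapped; collapse it to one space-separated string.
    opts=$(tr '\n' ' ')
    out=""
    # --with-openssl (3.5+) or a plain --enable-ssl (older releases) means an
    # OpenSSL build, unless OpenSSL was explicitly excluded.
    if ! has_flag --without-openssl "$opts" &&
       { has_flag --with-openssl "$opts" || has_flag --enable-ssl "$opts"; }; then
        out="openssl"
    fi
    if has_flag --with-gnutls "$opts"; then
        out="${out:+$out+}gnutls"
    fi
    echo "${out:-none}"
}

# Sample 1: the Ubuntu 2.5.STABLE8 build from the bug report (no TLS at all).
SAMPLE_25='Squid Cache: Version 2.5.STABLE8
configure options: --prefix=/usr --exec_prefix=/usr --enable-async-io
--with-pthreads --enable-storeio=ufs,aufs,diskd,null --enable-linux-netfilter
--enable-auth=basic,digest,ntlm --enable-carp --enable-large-files i386-debian-linux'

# Sample 2 (constructed): a 3.5-style build using the auto-detect default,
# which the thread states is equivalent to --with-gnutls --without-openssl.
SAMPLE_GNUTLS='Squid Cache: Version 3.5.x (constructed sample)
configure options: --prefix=/usr --enable-ssl --with-gnutls --without-openssl'

# Sample 3 (constructed): an older-style OpenSSL rebuild with only --enable-ssl.
SAMPLE_OPENSSL='Squid Cache: Version 3.4.x (constructed sample)
configure options: --prefix=/usr --enable-ssl --enable-ssl-crtd'

for s in "$SAMPLE_25" "$SAMPLE_GNUTLS" "$SAMPLE_OPENSSL"; do
    printf '%s -> %s\n' \
        "$(printf '%s\n' "$s" | head -n 1)" \
        "$(printf '%s\n' "$s" | tls_backend)"
done
```

On a real host, `squid -v | tls_backend` gives the same classification; a result of `none` means the package was built without any TLS library, which is the situation the report describes.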

god (humper) wrote :

Workaround until Ubuntu finally decides to migrate from the ancient squid version is to use the ppa:
https://launchpad.net/~brightbox/+archive/ubuntu/squid-ssl

Still not resolved, please fix this.

This is my workaround for Xenial and Trusty:

https://launchpad.net/~bas-dikkenberg/+archive/ubuntu/squid3-ssl

Robie Basak (racb) on 2016-12-27
affects: squid (Ubuntu) → squid3 (Ubuntu)
Changed in squid (Debian):
status: Confirmed → Fix Released
Changed in squid3 (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
Andreas Hasenack (ahasenack) wrote :

Squid-4.x is in cosmic, with gnutls support.

Changed in squid (Ubuntu):
status: New → Fix Released
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in squid3 (Ubuntu):
status: In Progress → Won't Fix