[squid-users] squid 4.0.20 does not recognize ssl-bump option.
meym
2017-06-17 16:09:08 UTC
Squid Cache: Version 4.0.20
"FATAL: Unknown http_port option 'ssl-bump'."

ssl-bump mode still exists, according to the documentation for the Squid
configuration file.
--
0x9E688B76E4064CD0
Alex Rousskov
2017-06-17 16:31:52 UTC
Post by meym
Squid Cache: Version 4.0.20
"FATAL: Unknown http_port option 'ssl-bump'."
Your Squid thinks it was built without OpenSSL support. OpenSSL support
is required for SslBump. Examine your ./configure options and output.
Post by meym
ssl-bump mode still exists, according to the documentation for the Squid
configuration file.
Unfortunately, the squid.conf.documented generator is not flexible enough to
exclude portions of a supported directive based on build options. It can
only exclude whole directives. For example, you should not see an ssl_bump
directive in your squid.conf.documented.

HTH,

Alex.
Alex Rousskov
2017-06-18 22:53:15 UTC
Post by Alex Rousskov
Post by meym
Squid Cache: Version 4.0.20
"FATAL: Unknown http_port option 'ssl-bump'."
Your Squid thinks it was built without OpenSSL support. OpenSSL support
is required for SslBump. Examine your ./configure options and output.
With libressl actually.
I do not know what you mean by that remark exactly, but what I said
applies to any library providing OpenSSL API, including LibreSSL. Moreover:

* Squid does not know anything about LibreSSL. Somebody added the
letters "LibreSSL" to squid.conf.documented, but that was a mistake IMO.

* Primary SslBump developers do not normally use or test with LibreSSL.

* LibreSSL provides OpenSSL API so you can tell Squid to use LibreSSL as
if it was OpenSSL, and things should work as well as with OpenSSL itself
if (and only if) LibreSSL does a good job providing that OpenSSL API.

* LibreSSL does not do a good job providing OpenSSL API and/or Squid
does not do a good job detecting OpenSSL API variations in a
LibreSSL-compatible way (depending on your point of view). See bug #4662
for more details.

There have been recent improvements in the LibreSSL-compatibility area, but
I am not sure those improvements (or the problems) are in your Squid
version and, at any rate, you are taking significant additional risks by
using LibreSSL with SslBump. Whether those risks are worth using
something other than OpenSSL is your call, of course.

Alex.
Amos Jeffries
2017-06-19 09:12:57 UTC
Post by Alex Rousskov
Post by Alex Rousskov
Post by meym
Squid Cache: Version 4.0.20
"FATAL: Unknown http_port option 'ssl-bump'."
Your Squid thinks it was built without OpenSSL support. OpenSSL support
is required for SslBump. Examine your ./configure options and output.
With libressl actually.
I do not know what you mean by that remark exactly, but what I said
applies to any library providing OpenSSL API, including LibreSSL.
To clarify that: this Squid is missing the --with-openssl build option,
which is required both by OpenSSL and by any library derived from it.

See "squid -v" for the details of a specific squid binary. This will now
distinguish between the OpenSSL vs LibreSSL vs other situations.
Post by Alex Rousskov
* Squid does not know anything about LibreSSL. Somebody added the
letters "LibreSSL" to squid.conf.documented, but that was a mistake IMO.
The mentions of LibreSSL in the current file are for things which were
tested before the recent round of LibreSSL issues, specifically loading
CA certs from a file. AFAIK that should still be working.

ssl-bump is correctly not one of those options mentioning it. Also, note
that the fatal error message does not mention any particular library. It
is about lack of support from *any* library in the current build.
Post by Alex Rousskov
* Primary SslBump developers do not normally use or test with LibreSSL.
* LibreSSL provides OpenSSL API so you can tell Squid to use LibreSSL as
if it was OpenSSL, and things should work as well as with OpenSSL itself
if (and only if) LibreSSL does a good job providing that OpenSSL API.
* LibreSSL does not do a good job providing OpenSSL API and/or Squid
does not do a good job detecting OpenSSL API variations in a
LibreSSL-compatible way (depending on your point of view). See bug #4662
for more details.
There have been recent improvements in the LibreSSL-compatibility area, but
I am not sure those improvements (or the problems) are in your Squid
version and,
They are. Though the release notes still say "This release does not
support LibreSSL" at present since we have had no positive feedback on
anything actually working yet.
Post by Alex Rousskov
at any rate, you are taking significant additional risks by
using LibreSSL with SslBump. Whether those risks are worth using
something other than OpenSSL is your call, of course.
Since the risk here is due to lack of testing... More testing is very
welcome, of course, especially with feedback about what works and what
does not.

Amos
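Amos's advice above is to read the build details from "squid -v" before assuming a feature exists. As an added example, not code from the Squid project or from anyone in this thread, here is a POSIX shell check that takes a "squid -v" dump and a squid.conf text, and reports the combination that produces "FATAL: Unknown http_port option 'ssl-bump'": ssl-bump enabled on an http_port/https_port line while --with-openssl is absent from the configure options. It assumes "squid -v" labels its flags with a line starting "configure options:"; the two sample dumps and the config fragments below are constructed for the example, and the certificate path is a placeholder.

```shell
#!/bin/sh
# Added example, not Squid project code: cross-check a squid.conf that uses
# ssl-bump against the build options reported by "squid -v". A binary built
# without --with-openssl rejects ssl-bump with
# "FATAL: Unknown http_port option 'ssl-bump'".
#
# Assumption: "squid -v" prints its ./configure flags on a line beginning
# "configure options:". The samples below are constructed, not real output.

SAMPLE_NO_SSL="Squid Cache: Version 4.0.20
Service Name: squid
configure options:  '--prefix=/usr' '--enable-icap-client'"

SAMPLE_WITH_SSL="Squid Cache: Version 4.0.20
Service Name: squid
configure options:  '--prefix=/usr' '--with-openssl' '--enable-icap-client'"

# Constructed squid.conf fragment enabling SslBump on one port
# (certificate path is a placeholder).
SAMPLE_CONF="http_port 3128
http_port 3129 ssl-bump cert=/etc/squid/example-bump.pem
ssl_bump peek all
ssl_bump splice all"

# Constructed fragment with no live ssl-bump: the only mention is commented out.
SAMPLE_CONF_PLAIN="http_port 3128
# http_port 3130 ssl-bump   <- commented out, must be ignored"

# Return 0 when the configure line of a "squid -v" dump contains --with-openssl
# (also matches --with-openssl=PATH, the form used to point at a non-default
# OpenSSL-API tree such as a LibreSSL install).
squid_has_openssl() {
    printf '%s\n' "$1" | grep '^configure options:' | grep -q -e '--with-openssl'
}

# Return 0 when an uncommented http_port/https_port line carries ssl-bump.
conf_uses_ssl_bump() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -E '^[[:space:]]*https?_port[[:space:]]' \
        | grep -q -e 'ssl-bump'
}

# Return 0 when config and build agree; 1 for the fatal combination
# (ssl-bump configured, OpenSSL support absent from the build).
check_ssl_bump_readiness() {
    v_output=$1
    conf=$2
    if ! conf_uses_ssl_bump "$conf"; then
        echo "ok: no ssl-bump on any http_port/https_port line"
        return 0
    fi
    if squid_has_openssl "$v_output"; then
        echo "ok: ssl-bump configured and build has --with-openssl"
        return 0
    fi
    echo "mismatch: ssl-bump configured but --with-openssl is missing; expect FATAL at startup"
    return 1
}

# Demo on the constructed samples. Against a real host, run e.g.:
#   check_ssl_bump_readiness "$(squid -v)" "$(cat /etc/squid/squid.conf)"
for v in "$SAMPLE_NO_SSL" "$SAMPLE_WITH_SSL"; do
    check_ssl_bump_readiness "$v" "$SAMPLE_CONF" || :
done
```

The check deliberately keys on the build flag rather than on a library name, matching Amos's point that the fatal error is about the absence of any OpenSSL-API library in the build, not about OpenSSL versus LibreSSL.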
Alex Rousskov
2017-06-19 17:23:16 UTC
Post by Amos Jeffries
Post by Alex Rousskov
* Squid does not know anything about LibreSSL. Somebody added the
letters "LibreSSL" to squid.conf.documented, but that was a mistake IMO.
The mentions of LibreSSL in the current file are for things which were
tested before the recent round of LibreSSL issues. Specifically loading
CA certs from a file. AFAIK that should still be working.
IMO, regardless of whether LibreSSL works for loading CA certs from a
file, it is a mistake for Squid documentation to potentially imply,
however indirectly, that Squid supports LibreSSL today. Besides, I do
not think that loading a CA is somehow meaningful in isolation from 100
other actions participating in TLS traffic processing.

It may be possible to meaningfully divide TLS-related code into SslBump
and everything else, but Squid offers proper LibreSSL support for
neither SslBump nor "everything else" IMO.
Post by Amos Jeffries
the release notes still say "This release does not
support LibreSSL" at present since we have had no positive feedback on
anything actually working yet.
Please do not remove that "does not support" disclaimer even if somebody
says that they are using LibreSSL successfully.
Post by Amos Jeffries
Post by Alex Rousskov
you are taking significant additional risks by
using LibreSSL with SslBump. Whether those risks are worth using
something other than OpenSSL is your call, of course.
Since the risk here is due to lack of testing... More testing is very
welcome, of course, especially with feedback about what works and what
does not.
I disagree. The Project should not welcome more bug reports about an
unsupported library unless we want to spend our cycles on actually
supporting that library. IMHO, we must spend those cycles on other, more
important/higher priority things.

Alex.