Hi Heiko,

You’re right regarding squid_4.0.24-1~exp15 not being built with TLS support 
and thus not correctly closing the bug you reported. We missed the compiling 
option in the build and I am building it again right now to upload 
4.0.24-1~exp16 as soon as possible.

The reason we missed it is that we were so excited that we could finally enable 
TLS support in Squid in Debian and I’m sure you’ll understand why. As you know, 
squid has supported SSL/TLS for years, but due to OpenSSL licensing issues in 
Debian we could not just easily add ‘--enable-ssl’ and upload the package. More 
info is available in this old bug from 2003:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=180886

Up until squid 4.0.24, thus, we weren’t able to provide an SSL/TLS-enabled 
version of squid in Debian main archive.

I’m happy to announce that you’ll find one in experimental in a short while.

Regards,

L

> On 29 Apr 2018, at 23:12, Heiko Richter <em...@heikorichter.name> wrote:
> 
> The bug 895993 *has not been fixed*. Please reopen, as the listed fix has 
> nothing to do with the problem described.
> 
> ---
> 
> While it is true that upstream has added GnuTLS support to https_port that 
> has nothing to do with the bug I reported. SSL is still not available on 
> client connections because *it is disabled by you during builds*. This makes 
> forward proxies incredibly insecure and reverse proxies almost completely 
> unusable. Currently any Debian packaged Squid can only be deployed securely 
> by modifying source packages because https_port is not available.
> 
> 1) The Debian package is compiled without ssl or tls support (configure 
> options to enable SSL are not included and squid's default is to disable SSL) 
> and therefore either https support added by upstream is disabled during 
> package builds.
> 
> 2) SSL support has always been in the source code (TLS has just been added 
> additionally) but it could never be used in Debian without modifying the 
> source packages. Neither can TLS because that is also disabled by default and 
> needs to be activated during build.
> 
> 3) Please add the appropriate configure options and package dependencies
> * configure options should be extended by --enable-ssl 
> --with-open-ssl="/etc/ssl/openssl.cnf"
> * dependencies should be extended by libssl

--
Luigi Gangitano -- <lu...@debian.org> -- <gangit...@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26
GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5  0F6D 0284 F20C 2BA9 7CED
