Re: [squid-users] Windows Squid built using MinGW and running, trying to get adapter linked in at run time
On 12/20/18 7:46 AM, Russel McDonald wrote:

> 2018/12/19 22:57:32| Loading Squid module from
> 'C:/MinGW/src/ecap_adapter_sample-1.0.0/src/.libs/ecap_adapter_modifying.la'
> 2018/12/19 22:57:32| FATAL: dying from an unhandled exception: file not found

I do not know enough to help with Windows-specific questions, but please note that the "file not found" error in this context is often lying. IIRC, the libtool library that Squid uses to handle dynamic library loading returns an essentially invalid/incorrect error message on many dynamic loading errors. This is not something Squid itself can fix.

On Unix, one can use environment variables like LD_DEBUG=ALL and LD_WARN=1 to see why the dynamic loader is unhappy with the adapter library. I do not know whether something like that works on Windows.

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Multiple SSL certificates on same IP
On 12/20/18 5:45 AM, Bruno de Paula Larini wrote:

> why Squid would have problems with SNI and
> OpenSSL when other webservers/proxies have this feature using
> OpenSSL/LibreSSL libs?

Squid lacks the necessary code to support SNI in accelerator mode when using OpenSSL.

> Why SNI would be such a big deal?

SNI support with OpenSSL is not a "big deal"[1]. Apparently, nobody has needed that support badly enough to either add that support or sponsor that addition.

[1] https://stackoverflow.com/questions/511/how-to-implement-server-name-indication-sni

Alex.

Re: [squid-users] SSL / TLS
On 12/20/18 3:06 AM, Squid users wrote:

> Slightly off topic but am I correct in thinking TLS supersedes SSL?

Yes, the protocol name has changed. Newer versions are called TLS.

However, please keep in mind that the term "SSL" is commonly used to describe "secure" connections and related technologies, regardless of the specific protocol being used for that security. Squid still uses that classic "SSL" terminology, especially in old documentation and code. In most cases where exact identifiers are not required, the letters "SSL" and "TLS" are used interchangeably.

Alex.

[squid-users] Windows Squid built using MinGW and running, trying to get adapter linked in at run time
Hi,

I switched from Cygwin to building with MinGW, and after 8 squid code modifications, mostly include and define settings but one flat out access violation crash, I now have Squid proxy running and accessible via browser on Windows :)

And now I have built the ecap library, successfully rebuilt squid with --enable-ecap, and built the adapter. All good!

However I'm at the apparent crux of getting the adapter loaded at squid run time and failing. I understand that
(1) squid needs to link in the same exact ecap library binary that the adapter does so they can communicate correctly through that ecap,
(2) we don't want to statically link in the adapter to squid.exe,
(3) so that adapter needs to be a shared such library, but
(4) building with MinGW creates a static library.

And I see a comment output during make:

> *** Warning: This system can not link to static lib archive /usr/local/lib/libecap.la.
> *** I have the capability to make that library automatically link in when
> *** you link to this library. But I can only do this if you have a
> *** shared version of the library, which you do not appear to have.
> *** But as you try to build a module library, libtool will still create
> *** a static module, that should work as long as the dlopening application
> *** is linked with the -dlopen flag to resolve symbols at runtime.

So I did use this ./configure for squid, specifying the dlopen:

./configure LDFLAGS="-dlopen=C:/MinGW/src/ecap_adapter_sample-1.0.0/src/.libs/ecap_adapter_modifying.la" --prefix=c:/squid --enable-ecap --enable-default-hostsfile=none --disable-strict-error-checking --enable-win32-service --disable-optimizations --enable-debug-cbdata --with-pidfile=/var/run/squid.pid --enable-delay-pools --disable-eui --with-filedescriptors=65536 --enable-removal-policies=lru,heap

my understanding further being that the dlopen will cause squid to not link in the adapter until run time even though that library is static. And since it is not a native Windows format library (not a dll) then squid has to run in a MinGW window. Correct?

Yet I still get:

2018/12/19 22:57:32| Loading Squid module from 'C:/MinGW/src/ecap_adapter_sample-1.0.0/src/.libs/ecap_adapter_modifying.la'
2018/12/19 22:57:32| FATAL: dying from an unhandled exception: file not found
terminate called after throwing an instance of 'TextException'
  what(): file not found

If I change my squid.conf instead to load in .a instead of .la just as a test, I get this:

2018/12/20 08:39:58| Loading Squid module from 'C:/MinGW/src/ecap_adapter_sample-1.0.0/src/.libs/ecap_adapter_modifying.a'
2018/12/20 08:39:58| FATAL: dying from an unhandled exception: %1 is not a valid Win32 application.
terminate called after throwing an instance of 'TextException'
  what(): %1 is not a valid Win32 application.

So I know it's actually accessing that .la, which does exist at that location, yet still complains that "file not found". Is it as well trying to link in another library that the adapter needs?

Russel

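Added example, not part of the original post or of Squid: a shell check of the libtool `.la` file named in the log, reporting whether it points at a loadable shared module (`dlname`) or only at a static archive (`old_library`), which is the case the libtool warning quoted above describes. The sample `.la` contents and the function names are constructed for illustration; whether an empty `dlname` is what causes this particular "file not found" is an assumption.

```shell
#!/bin/sh
# Classify a libtool archive (.la) the way a dlopen-based loader sees it.
# A .la file is a small text file of shell-style assignments; the fields
# read here (dlname, old_library) are standard libtool fields.

# la_field FILE NAME -> prints the value of NAME='...' from FILE
la_field() {
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1" | head -n 1
}

# la_module_kind FILE -> prints one of:
#   missing | not-libtool | shared:<dlname> | static-only:<old_library> | unknown
la_module_kind() {
    la=$1
    [ -f "$la" ] || { echo "missing"; return 1; }
    grep -q '^dlname=' "$la" || { echo "not-libtool"; return 1; }
    dlname=$(la_field "$la" dlname)
    old=$(la_field "$la" old_library)
    if [ -n "$dlname" ]; then
        echo "shared:$dlname"
    elif [ -n "$old" ]; then
        # Nothing for the run-time loader to open: only a static archive exists.
        echo "static-only:$old"
        return 2
    else
        echo "unknown"
        return 1
    fi
}

# Constructed sample: $2 is the dlname to write (empty for a static-only build).
write_sample_la() {
    cat > "$1" <<EOF
# ecap_adapter_modifying.la - a libtool library file
dlname='$2'
library_names='$2'
old_library='ecap_adapter_modifying.a'
EOF
}

# Optional command-line use: sh check_la.sh path/to/module.la
if [ "${1:-}" ]; then la_module_kind "$1"; fi
```

A `static-only` result means the path in squid.conf exists as a text file but names no shared object for the loader to open.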
Re: [squid-users] Multiple SSL certificates on same IP
On 19/12/2018 20:09, Amos Jeffries wrote:

> OpenSSL definitely can use only one certificate per http(s)_port. Either
> the _last_ loaded if several PEM files are loaded (each call to the
> OpenSSL API *replaces* the certs loaded), or if one tries to work around
> that by merging everything into a single PEM and only loading it all at
> once - only the _first_ cert chain is ever used from that set.

Sorry for maybe going a bit off-topic, just curious about it.

I'm mostly clueless about the implications and intricacies of "behind the scenes" of SNI, but most modern webservers support it (Apache, nginx, IIS). Apache, for instance, says it should be built with "OpenSSL with the TLS Extensions option enabled", since OpenSSL v0.9.8f. And their configuration for Virtual Hosts and SSL/TLS is rather simple on a user's view.

So, my question would be: why Squid would have problems with SNI and OpenSSL when other webservers/proxies have this feature using OpenSSL/LibreSSL libs? In my (user's) opinion, Squid has far more complex features with SSL Bump and other forward proxy handling for SSL/TLS. Why SNI would be such a big deal?

-Bruno

Re: [squid-users] SSL / TLS
On Thursday 20 December 2018 at 11:06:58, Squid users wrote:

> Slightly off topic but am I correct in thinking TLS supersedes SSL?

Short answer: yes.

Long answer: https://en.wikipedia.org/wiki/Transport_Layer_Security

Antony.

--
#define SIX 1+5
#define NINE 8+1
int main() { printf("%d\n", SIX * NINE); }
- thanks to ECB for bringing this to my attention

Please reply to the list; please *don't* CC me.

[squid-users] SSL / TLS
Slightly off topic but am I correct in thinking TLS supersedes SSL?