Re: [squid-users] Are there any distros with SSL Bump compiled by default?
I'd seen this licensing issue mentioned briefly before, but now I actually understand what's going on. Thanks for explaining it in detail. Good to know there's 2 paths moving along to solve the distro problem. I feel more confident in moving forward with my little project now that I know it's only going to be a temporary annoyance to recompile.

Thanks everyone who answered.

TB

On 16/05/2016 7:25 PM, Amos Jeffries wrote:
> What is being attempted above is not a GPL violation AFAIK. So long as the Squid ./configure && make system is used to construct the binary and Squid source is not altered in any way by the builder.
>
> * GPL permits linking against OpenSSL because both software's sources are available publicly.
>
> * It is GPL violation to distribute the OpenSSL and Squid sources together as parts of something else. In source form.
>
> Thus distributors like Diladele can provide binary-only formats with no source changes to Squid or OpenSSL. Each component of the offering is publicly available (GPL compliant) and the pieces of OpenSSL, Squid and the packaging source code are distributed via separate channels (OpenSSL compliant).
>
> Debian and Ubuntu distribute sources of all binaries as part of their OS repository. The very act of adding package install scripts causes the issue here. The repository would contain all of Squid + OpenSSL + packaging scripts source code.
>
> But, but, but
>
> * It is OpenSSL violation to distribute any binary that does not advertise OpenSSL usage. In the binary outputs, even those not using OpenSSL logic (Ouch!). Unless the OS provides the library as part of its core system.
>
> Debian and Ubuntu use GnuTLS as the system preferred library. OpenSSL license not being GPL compliant also makes it not DFSG compliant and so not part of the core OS repository. It and anything using it are in the non-free optional extras repository instead.
>
> There are some suggestions to build and put a version of Squid in there. But that still collides with the previous GPL issue about sources being together in the repo.
>
> Adding advertising clauses in the way required by OpenSSL would make Squid binaries no longer be GPL compliant unless we got explicit written permission from everyone who contributed patches. A lot of contributors have long-dead emails, requested anonymity or some in fact are now physically deceased. So we are stuck at our end as well even with that.
>
> I am working on GnuTLS support as a side project, and the OpenSSL people are apparently working on fixing their license to be GPL compliant. It is a lot of work and going quite slow on both fronts.
>
> You can see some of my work reflected in the squid.conf changes of Squid-4, and the latest Debian/Ubuntu squidclient packages :-)
>
> Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Are there any distros with SSL Bump compiled by default?
Hey Tim,

I have been working for quite some time on packages for couple Linux distributions and in them Ubuntu and Debian. I was planning to publish them (Ubuntu + Debian) inside a tar.xz and to attach them a tiny "update\install" script. This is since I was trying to use the deb packaging system for quite some time and to try and build using them but compared to RPMs I keep forgetting every time what I did last time.

So in the next couple weeks I will try to publish the next tar.xz

- Ubuntu 14.04 32+64 bit
- Ubuntu 16.04 32+64 bit
- Debian 8 32+64 bit
- Debian 7 32+64 bit

This is a part of my trial to somehow publish a binary version of squid per release. I hope to have some time and to make it possible so also squid 4.X will also get the same attention.

Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Tim Bates
Sent: Saturday, May 14, 2016 12:36 PM
To: squid-us...@squid-cache.org
Subject: [squid-users] Are there any distros with SSL Bump compiled by default?

> Are there any Linux distros with pre-compiled versions of Squid with SSL Bump support compiled in?
>
> Alternatively, does anyone reputable do a 3rd party repo for Debian/Ubuntu that includes SSL Bump?
>
> TB
Re: [squid-users] Are there any distros with SSL Bump compiled by default?
https://itcrowd72.ru/cloud/index.php/s/W4Sv8ojnf5dVKvc

squid 3.5.19 with SSL. Compiled and build deb in Debian 8.

Enjoy :)

Amos Jeffries wrote 2016-05-16 14:25:
> Please update those to 3.5.19. A dozen CVE's went out these past few months. :-(
Re: [squid-users] Are there any distros with SSL Bump compiled by default?
On 16/05/2016 7:20 p.m., Matus UHLAR - fantomas wrote:
>>>> Tim Bates wrote 2016-05-14 14:36:
>>>>
>>>> Are there any Linux distros with pre-compiled versions of Squid with SSL Bump support compiled in?
>>>>
>>>> Alternatively, does anyone reputable do a 3rd party repo for Debian/Ubuntu that includes SSL Bump?
>
>>> On 16.05.16 10:36, admin wrote:
>>> I make deb's compiled squid in Debian 8:
>>> 3.5.8
>>> 3.5.17

Please update those to 3.5.19. A dozen CVE's went out these past few months. :-(

>>> 4.0.10
>
>> Matus UHLAR - fantomas wrote 2016-05-16 11:55:
>>> OpenSSL?
>
> On 16.05.16 12:05, admin wrote:
>> Yes
>
>> Can send to email if needed
>
> I just wanted to point out that distributing GPL'ed software (squid)
> depending on (linked with) non-GPL/LGPL libraries is AFAIK GPL violation and
> therefore illegal copying...

What is being attempted above is not a GPL violation AFAIK. So long as the Squid ./configure && make system is used to construct the binary and Squid source is not altered in any way by the builder.

* GPL permits linking against OpenSSL because both software's sources are available publicly.

* It is GPL violation to distribute the OpenSSL and Squid sources together as parts of something else. In source form.

Thus distributors like Diladele can provide binary-only formats with no source changes to Squid or OpenSSL. Each component of the offering is publicly available (GPL compliant) and the pieces of OpenSSL, Squid and the packaging source code are distributed via separate channels (OpenSSL compliant).

Debian and Ubuntu distribute sources of all binaries as part of their OS repository. The very act of adding package install scripts causes the issue here. The repository would contain all of Squid + OpenSSL + packaging scripts source code.

But, but, but

* It is OpenSSL violation to distribute any binary that does not advertise OpenSSL usage. In the binary outputs, even those not using OpenSSL logic (Ouch!). Unless the OS provides the library as part of its core system.

Debian and Ubuntu use GnuTLS as the system preferred library. OpenSSL license not being GPL compliant also makes it not DFSG compliant and so not part of the core OS repository. It and anything using it are in the non-free optional extras repository instead.

There are some suggestions to build and put a version of Squid in there. But that still collides with the previous GPL issue about sources being together in the repo.

Adding advertising clauses in the way required by OpenSSL would make Squid binaries no longer be GPL compliant unless we got explicit written permission from everyone who contributed patches. A lot of contributors have long-dead emails, requested anonymity or some in fact are now physically deceased. So we are stuck at our end as well even with that.

I am working on GnuTLS support as a side project, and the OpenSSL people are apparently working on fixing their license to be GPL compliant. It is a lot of work and going quite slow on both fronts.

You can see some of my work reflected in the squid.conf changes of Squid-4, and the latest Debian/Ubuntu squidclient packages :-)

Amos
Re: [squid-users] Are there any distros with SSL Bump compiled by default?
>>>> Tim Bates wrote 2016-05-14 14:36:
>>>>
>>>> Are there any Linux distros with pre-compiled versions of Squid with SSL Bump support compiled in?
>>>>
>>>> Alternatively, does anyone reputable do a 3rd party repo for Debian/Ubuntu that includes SSL Bump?

>>> On 16.05.16 10:36, admin wrote:
>>> I make deb's compiled squid in Debian 8:
>>> 3.5.8
>>> 3.5.17
>>> 4.0.10

>> Matus UHLAR - fantomas wrote 2016-05-16 11:55:
>> OpenSSL?

On 16.05.16 12:05, admin wrote:
> Yes
>
> Can send to email if needed

I just wanted to point out that distributing GPL'ed software (squid) depending on (linked with) non-GPL/LGPL libraries is AFAIK GPL violation and therefore illegal copying...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
"One World. One Web. One Program." - Microsoft promotional advertisement
"One people, one empire, one leader!" - Adolf Hitler
Re: [squid-users] Are there any distros with SSL Bump compiled by default?
Yes

Can send to email if needed

Matus UHLAR - fantomas wrote 2016-05-16 11:55:
> On 16.05.16 10:36, admin wrote:
>
>> I make deb's compiled squid in Debian 8:
>>
>> 3.5.8
>>
>> 3.5.17
>>
>> 4.0.10
>
> OpenSSL?
>
> Tim Bates wrote 2016-05-14 14:36:
>
> Are there any Linux distros with pre-compiled versions of Squid with SSL Bump
> support compiled in?
>
> Alternatively, does anyone reputable do a 3rd party repo for Debian/Ubuntu
> that includes SSL Bump?
Re: [squid-users] Are there any distros with SSL Bump compiled by default?
On 16.05.16 10:36, admin wrote:
> I make deb's compiled squid in Debian 8:
> 3.5.8
> 3.5.17
> 4.0.10

OpenSSL?

> Tim Bates wrote 2016-05-14 14:36:
>> Are there any Linux distros with pre-compiled versions of Squid with SSL Bump support compiled in?
>>
>> Alternatively, does anyone reputable do a 3rd party repo for Debian/Ubuntu that includes SSL Bump?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
WinError #9: Out of error messages.
Re: [squid-users] Are there any distros with SSL Bump compiled by default?
I make deb's compiled squid in Debian 8:

3.5.8
3.5.17
4.0.10

Tim Bates wrote 2016-05-14 14:36:
> Are there any Linux distros with pre-compiled versions of Squid with SSL Bump
> support compiled in?
>
> Alternatively, does anyone reputable do a 3rd party repo for Debian/Ubuntu
> that includes SSL Bump?
>
> TB
Re: [squid-users] Are there any distros with SSL Bump compiled by default?
On 14/05/2016 9:41 PM, Rafael Akchurin wrote:
> The recompilation is quite easy btw

Oh, yeah... I know it's easy. I've already done it once on Debian. My concern is that I won't be able to find time to keep it up to date. Asking a package manager to download available updates takes about 10 minutes a week (across a dozen or so virtual servers). Downloading the source and compiling took ages.

I will probably take up the idea of Ubuntu 14 and use your packages, Rafael... Seems easiest, and I can include a Ubuntu server in my ClusterSSH group for "apt-get update" :)

TB
Re: [squid-users] Are there any distros with SSL Bump compiled by default?
Hello Tim,

By default Squid that is part of well known distributions is not compiled with SSL filtering support. This is due to some license restrictions as may be better explained by Amos. Default versions are also very old (except for Debian testing which is at the latest but still without SSL filtering capabilities compiled in).

For CentOS 6 and 7 Eliezer's package has everything required.

For Debian 8 you might need to recompile it yourself as described in http://docs.diladele.com/administrator_guide_4_5/install/debian8/squid.html

For Ubuntu 14 LTS we humbly propose to use our repository at ubuntu.diladele.com.

The recompilation is quite easy btw, the following github project shows how we do it https://github.com/diladele/squid-ubuntu. This tutorial may also be of interest http://docs.diladele.com/tutorials/build_squid_ubuntu14/index.html.

Best regards,
Rafael Akchurin
Diladele B.V.

--
Please take a look at Web Safety - our ICAP based web filter server for Squid proxy at http://www.diladele.com.

-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Tim Bates
Sent: Saturday, May 14, 2016 11:36 AM
To: squid-us...@squid-cache.org
Subject: [squid-users] Are there any distros with SSL Bump compiled by default?

> Are there any Linux distros with pre-compiled versions of Squid with SSL Bump support compiled in?
>
> Alternatively, does anyone reputable do a 3rd party repo for Debian/Ubuntu that includes SSL Bump?
>
> TB
Re: [squid-users] Are there any distros with SSL Bump compiled by default?
On 2016-05-14 14:36, Tim Bates wrote:
> Are there any Linux distros with pre-compiled versions of Squid with SSL Bump support compiled in?
>
> Alternatively, does anyone reputable do a 3rd party repo for Debian/Ubuntu that includes SSL Bump?

Squid's SSL Bump support improves very fast, so it is recommended to always use newest version. Here, you can find packages for different distros http://wiki.squid-cache.org/SquidFaq/BinaryPackages.

Most advanced SSL bump feature Peek and Splice requires configure options '--with-openssl' and '--enable-ssl-crtd'. For example, Eliezer's newest package (squid 3.5.19) for CentOS compiled with these options.

HTH

Garri
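
Added example, not part of the original thread or of any poster's packages: a shell check that reads `squid -v` output and reports whether a given build carries the two configure options named in the message above, and whether a 3.5.x build is below the 3.5.19 release mentioned elsewhere in the thread. The function names, the `MIN_35` variable and the sample text are assumptions made for this illustration; the banner and "configure options:" line format are assumed to match what `squid -v` prints.

```shell
#!/bin/sh
# Added example: audit `squid -v` text for the SSL Bump build options named above.
# MIN_35 is the 3.5-series floor quoted in this thread; adjust for later advisories.
MIN_35="3.5.19"

# version_lt A B: succeeds when dotted version A sorts before B (numeric compare).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# check_sslbump: reads `squid -v` output on stdin, prints one finding per line,
# returns 0 only if both options are present and a 3.5.x build is at the floor.
check_sslbump() {
    text=$(cat)
    version=$(printf '%s\n' "$text" |
        sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    # Options are printed single-quoted on one line; strip the quotes.
    opts=$(printf '%s\n' "$text" |
        sed -n 's/^configure options: *//p' | head -n 1 | tr -d "'\"")
    rc=0
    for flag in --with-openssl --enable-ssl-crtd; do
        case " $opts " in
            *" $flag "* | *" $flag="*) echo "ok: $flag" ;;
            *) echo "missing: $flag"; rc=1 ;;
        esac
    done
    case "$version" in
        3.5.*) if version_lt "$version" "$MIN_35"; then
                   echo "outdated: $version < $MIN_35"; rc=1
               fi ;;
    esac
    echo "version: ${version:-unknown}"
    return "$rc"
}

# Constructed sample of `squid -v` output (not captured from a real package).
SAMPLE="Squid Cache: Version 3.5.17
Service Name: squid
configure options:  '--prefix=/usr' '--with-openssl' '--enable-icap-client'"
printf '%s\n' "$SAMPLE" | check_sslbump || true
# On a real host: squid -v | check_sslbump
```

Running it against a third-party package before deployment shows at a glance whether the binary was built for SSL Bump at all; builds outside the 3.5 series are reported but not judged against the floor.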
[squid-users] Are there any distros with SSL Bump compiled by default?
Are there any Linux distros with pre-compiled versions of Squid with SSL Bump support compiled in?

Alternatively, does anyone reputable do a 3rd party repo for Debian/Ubuntu that includes SSL Bump?

TB