Hello Amos and Dean, Thank you very much, I found a "workaround" in the same time you sent your openssl compil procedure
In /usr/src/openssl/openssl-1.0.0a I have create a symlink lib -> /usr/local/ssl/lib64 lrwxrwxrwx 1 root src 20 2010-11-16 16:43 lib -> /usr/local/ssl/lib64 and --with-openssl=/usr/src/openssl/openssl-1.0.0a Now, all is green in Qualys report: https://www.ssllabs.com/ssldb/analyze.html?d=webmail.wenske.fr :-) Thanks you again for your support, Cheers, Sebastian ________________________________________ De : Dean Weimer [dwei...@orscheln.com] Date d'envoi : mardi 16 novembre 2010 16:13 À : Sébastien WENSKE Cc : squid-users@squid-cache.org Objet : RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported >Hi Amos, > >Glad to hear you, I have already try and retry this one, but no changes... >this is freaky and I'm tired :) > >I will continue tomorrow, I think I need to find a guide to compile squid with >"non-system" ssl >libraries/headers. > >Otherwise, is there a way to know with wich openssl squid is compiled??? >Because à every time squid will run >correctly in ssl mode... :-/ > >Man thanks, > >Sebastian -----Message d'origine----- De : Amos Jeffries [mailto:squ...@treenet.co.nz] Envoyé : lundi 15 novembre 2010 23:55 À : Sébastien WENSKE Cc : Dean Weimer; squid-users@squid-cache.org Objet : RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported On Mon, 15 Nov 2010 21:33:40 +0000, Sébastien WENSKE <sebast...@wenske.fr> wrote: >I think this should be > --with-openssl=/usr/src/openssl/openssl-1.0.0a/ > > > I'm lost ... I need to fix this issue before implementing this in my > company ... > Sébastien, If it helps, my system had openssl installed with the following options. ./config --prefix=/usr/local --openssldir=/usr/local/etc/ssl -fPIC shared make make install Squid had the following options for enabling openssl --enable-ssl --with-openssl=/usr/local In your squid source directory, look for the config.log Amos mentioned, and in it the following lines should indicate which path it found your openssl libraries under. configure:26112: checking openssl/err.h usability configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5 configure:26136: $? = 0 configure:26150: result: yes configure:26154: checking openssl/err.h presence configure:26169: g++ -E -I/usr/local/include conftest.cpp configure:26176: $? = 0 configure:26190: result: yes configure:26223: checking for openssl/err.h configure:26232: result: yes configure:26112: checking openssl/md5.h usability configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5 configure:26136: $? = 0 configure:26150: result: yes configure:26154: checking openssl/md5.h presence configure:26169: g++ -E -I/usr/local/include conftest.cpp configure:26176: $? = 0 configure:26190: result: yes configure:26223: checking for openssl/md5.h configure:26232: result: yes configure:26112: checking openssl/ssl.h usability configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5 configure:26136: $? = 0 configure:26150: result: yes configure:26154: checking openssl/ssl.h presence configure:26169: g++ -E -I/usr/local/include conftest.cpp configure:26176: $? = 0 configure:26190: result: yes configure:26223: checking for openssl/ssl.h configure:26232: result: yes configure:26112: checking openssl/x509v3.h usability configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5 configure:26136: $? = 0 configure:26150: result: yes configure:26154: checking openssl/x509v3.h presence configure:26169: g++ -E -I/usr/local/include conftest.cpp configure:26176: $? = 0 configure:26190: result: yes configure:26223: checking for openssl/x509v3.h configure:26232: result: yes >From examining these paths on mine, and looking under the source build >directory for openssl-1.0.0a, it looks like Amos is indeed correct that the >path for your system should be --with-openssl=/usr/src/openssl/openssl-1.0.0a >also verify that /usr/src/openssl/openssl-1.0.0a/include/openssl does indeed >exist on your system and it contains the *.h files shown in the output from >the config.log listed above (should actually be linked files under the source >tree, but that shouldn't matter). Thanks, Dean Weimer Network Administrator Orscheln Management Co
