SSL Bump not supported in Ubuntu squid package

Bug #1895579 reported by pcgeek86
This bug affects 4 people
Affects: squid (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

I am using Canonical's Multipass tool to spin up a fresh Ubuntu 20.04 Focal Fossa virtual machine to act as a Squid cache. I need the SSL Bump feature enabled; however, I noticed that the pre-compiled apt package does not have this feature available.

When I try to run Squid with my squid.conf, I get the following error in journalctl.

ubuntu@primary:~/$ sudo systemctl status squid.service
● squid.service - Squid Web Proxy Server
     Loaded: loaded (/lib/systemd/system/squid.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2020-09-14 12:10:10 MDT; 2s ago
       Docs: man:squid(8)
    Process: 118850 ExecStartPre=/usr/sbin/squid --foreground -z (code=exited, status=1/FAILURE)

Sep 14 12:10:10 primary squid[118850]: 2020/09/14 12:10:10| FATAL: Unknown https_port option 'ssl-bump'.
Sep 14 12:10:10 primary squid[118850]: 2020/09/14 12:10:10| FATAL: Bungled /etc/squid/squid.conf line 28: generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
Sep 14 12:10:10 primary squid[118850]: FATAL: Bungled /etc/squid/squid.conf line 28: generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
Sep 14 12:10:10 primary squid[118850]: 2020/09/14 12:10:10| Squid Cache (Version 4.10): Terminated abnormally.

-----------------

I also noticed that the necessary options to enable SSL Bump are not in the output of squid --version.

Squid Cache: Version 4.10
Service Name: squid
Ubuntu linux
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-H3xa74/squid-4.10=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'BUILDCXX=x86_64-linux-gnu-g++' '--with-build-environment=default' '--enable-build-info=Ubuntu linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-gnutls' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CC=x86_64-linux-gnu-gcc' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-H3xa74/squid-4.10=. -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXX=x86_64-linux-gnu-g++' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-H3xa74/squid-4.10=. -fstack-protector-strong -Wformat -Werror=format-security'

Please consider adding SSL Bump support to the pre-compiled Squid package for Ubuntu Linux. Thanks!
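The report's own diagnosis (look at the "configure options:" line of squid --version for a TLS backend) can be scripted. The check below is an added example, not part of the bug report or the Ubuntu package: it reads the configure-options line and classifies whether the binary will accept ssl-bump (Squid 4 only does so when built with OpenSSL, and generate-host-certificates additionally needs the certificate generator enabled). The two sample outputs are constructed, abbreviated from the report's output and from what an OpenSSL-enabled build advertises.

```shell
#!/bin/sh
# Added example: classify a Squid build's ssl-bump capability from its
# "configure options:" line. A --with-gnutls build rejects the option
# ("FATAL: Unknown https_port option 'ssl-bump'"); --with-openssl accepts it,
# and --enable-ssl-crtd is what generate-host-certificates=on relies on.

# Prints one of: full (ssl-bump + generate-host-certificates),
# bump (ssl-bump only), none (ssl-bump will be rejected at startup).
ssl_bump_support() {
    opts="$1"
    case "$opts" in
        *--with-openssl*)
            case "$opts" in
                *--enable-ssl-crtd*) echo full ;;
                *) echo bump ;;
            esac ;;
        *) echo none ;;
    esac
}

# Extract the configure-options line from the text printed by `squid -v`.
configure_opts() {
    printf '%s\n' "$1" | sed -n 's/^configure options: //p'
}

# Constructed sample: abbreviated from the Focal 4.10 output in the report.
FOCAL_GNUTLS="Squid Cache: Version 4.10
Service Name: squid
configure options: '--prefix=/usr' '--with-gnutls' '--enable-linux-netfilter'"

# Constructed sample: a build that would accept the report's squid.conf.
OPENSSL_BUILD="Squid Cache: Version 4.10
configure options: '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'"

# Report on the locally installed binary, if there is one; the samples
# above exercise the classifier without needing squid installed.
if command -v squid >/dev/null 2>&1; then
    echo "installed squid: $(ssl_bump_support "$(configure_opts "$(squid -v)")")"
fi
```

Running this before enabling ssl-bump in squid.conf tells you in advance whether ExecStartPre (squid -z) will fail the way the journal above shows.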

Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for taking the time to file this bug and trying to make Ubuntu better.

The SSL bump feature was replaced by other similar features upstream; it is available only from version 3.1 until 3.4, and in Focal we have 4.10. Take a look at this upstream wiki page:

https://wiki.squid-cache.org/Features/SslBump

So please consider using a different feature for this purpose.

Since enabling this feature in Focal is not possible, I am marking this bug as Invalid.

Changed in squid (Ubuntu):
status: New → Invalid
Simon Déziel (sdeziel) wrote :

SSL bump was replaced by "peek and splice" (https://wiki.squid-cache.org/Features/SslPeekAndSplice), but neither is possible on Ubuntu due to how squid is configured. When I asked in LP: #1860807 to reconsider switching to OpenSSL instead of GnuTLS, it was rejected.

Sergio Durigan Junior (sergiodj) wrote :

Just to complement what Simon said, his request was rejected because of licensing incompatibilities between OpenSSL and squid. This issue has also been raised on Debian (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966395). I think there is nothing actionable right now.

GGrandes (ggrandes) wrote :

I have the same problem with transparent mode with peek-and-splice (without mimicking):

> FATAL: Unknown https_port option 'ssl-bump'.
> FATAL: Bungled /etc/squid/squid.conf line 37: https_port 8443 ssl-bump intercept tls-cert=/etc/squid/ssl/squid.pem

Sergiu Bivol (sergiu-bivol) wrote :

The package squid-openssl is available starting with Ubuntu 22.04, and that package does support ssl-bump.
