I am using Canonical's Multipass tool to spin up a fresh Ubuntu 20.04 Focal Fossa virtual machine, to act as a Squid cache. I need the SSL Bump feature enabled; however, I noticed that the pre-compiled apt package does not have this feature available.
When I try to run Squid with my squid.conf, I get the following error in journalctl:
ubuntu@primary:~/$ sudo systemctl status squid.service
● squid.service - Squid Web Proxy Server
Loaded: loaded (/lib/systemd/system/squid.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2020-09-14 12:10:10 MDT; 2s ago
Docs: man:squid(8)
Process: 118850 ExecStartPre=/usr/sbin/squid --foreground -z (code=exited, status=1/FAILURE)
Sep 14 12:10:10 primary squid[118850]: 2020/09/14 12:10:10| FATAL: Unknown https_port option 'ssl-bump'.
Sep 14 12:10:10 primary squid[118850]: 2020/09/14 12:10:10| FATAL: Bungled /etc/squid/squid.conf line 28: generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
Sep 14 12:10:10 primary squid[118850]: FATAL: Bungled /etc/squid/squid.conf line 28: generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
Sep 14 12:10:10 primary squid[118850]: 2020/09/14 12:10:10| Squid Cache (Version 4.10): Terminated abnormally.
-----------------
I also noticed that the necessary options to enable SSL Bump are not in the output of squid --version.
Squid Cache: Version 4.10
Service Name: squid
Ubuntu linux
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-H3xa74/squid-4.10=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'BUILDCXX=x86_64-linux-gnu-g++' '--with-build-environment=default' '--enable-build-info=Ubuntu linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-gnutls' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CC=x86_64-linux-gnu-gcc' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-H3xa74/squid-4.10=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXX=x86_64-linux-gnu-g++' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-H3xa74/squid-4.10=. -fstack-protector-strong -Wformat -Werror=format-security'
Please consider adding SSL Bump support to the pre-compiled Squid package for Ubuntu Linux. Thanks!
Thanks for taking the time to file this bug and trying to make Ubuntu better.
The SSL bump feature was replaced by other similar features by upstream; it is available only from version 3.1 until 3.4, and in Focal we have 4.10. Take a look at this upstream wiki page:
https://wiki.squid-cache.org/Features/SslBump
So please consider using a different feature for this purpose.
Since enabling this feature in Focal is not possible, I am marking this bug as Invalid.