Hello Amos and Dean, Thank you very much, I found a "workaround" in the same time you sent your openssl compil procedure In /usr/src/openssl/openssl-1.0.0a I have create a symlink lib -> /usr/local/ssl/lib64 lrwxrwxrwx 1 root src 20 2010-11-16 16:43 lib -> /usr/local/ssl/lib64 and --with-openssl=/usr/src/openssl/openssl-1.0.0a Now, all is green in Qualys report: https://www.ssllabs.com/ssldb/analyze.html?d=webmail.wenske.fr :-) Thanks you again for your support, Cheers, Sebastian ________________________________________ De : Dean Weimer [dweimer@xxxxxxxxxxxx] Date d'envoi : mardi 16 novembre 2010 16:13 À : Sébastien WENSKE Cc : squid-users@xxxxxxxxxxxxxxx Objet : RE: RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported >Hi Amos, > >Glad to hear you, I have already try and retry this one, but no changes... this is freaky and I'm tired :) > >I will continue tomorrow, I think I need to find a guide to compile squid with "non-system" ssl >libraries/headers. > >Otherwise, is there a way to know with wich openssl squid is compiled??? Because à every time squid will run >correctly in ssl mode... :-/ > >Man thanks, > >Sebastian -----Message d'origine----- De : Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] Envoyé : lundi 15 novembre 2010 23:55 À : Sébastien WENSKE Cc : Dean Weimer; squid-users@xxxxxxxxxxxxxxx Objet : RE: RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported On Mon, 15 Nov 2010 21:33:40 +0000, Sébastien WENSKE <sebastien@xxxxxxxxx> wrote: >I think this should be > --with-openssl=/usr/src/openssl/openssl-1.0.0a/ > > > I'm lost ... I need to fix this issue before implementing this in my > company ... > Sébastien, If it helps, my system had openssl installed with the following options. ./config --prefix=/usr/local --openssldir=/usr/local/etc/ssl -fPIC shared make make install Squid had the following options for enabling openssl --enable-ssl --with-openssl=/usr/local In your squid source directory, look for the config.log Amos mentioned, and in it the following lines should indicate which path it found your openssl libraries under. configure:26112: checking openssl/err.h usability configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5 configure:26136: $? = 0 configure:26150: result: yes configure:26154: checking openssl/err.h presence configure:26169: g++ -E -I/usr/local/include conftest.cpp configure:26176: $? = 0 configure:26190: result: yes configure:26223: checking for openssl/err.h configure:26232: result: yes configure:26112: checking openssl/md5.h usability configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5 configure:26136: $? = 0 configure:26150: result: yes configure:26154: checking openssl/md5.h presence configure:26169: g++ -E -I/usr/local/include conftest.cpp configure:26176: $? = 0 configure:26190: result: yes configure:26223: checking for openssl/md5.h configure:26232: result: yes configure:26112: checking openssl/ssl.h usability configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5 configure:26136: $? = 0 configure:26150: result: yes configure:26154: checking openssl/ssl.h presence configure:26169: g++ -E -I/usr/local/include conftest.cpp configure:26176: $? = 0 configure:26190: result: yes configure:26223: checking for openssl/ssl.h configure:26232: result: yes configure:26112: checking openssl/x509v3.h usability configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5 configure:26136: $? = 0 configure:26150: result: yes configure:26154: checking openssl/x509v3.h presence configure:26169: g++ -E -I/usr/local/include conftest.cpp configure:26176: $? = 0 configure:26190: result: yes configure:26223: checking for openssl/x509v3.h configure:26232: result: yes >From examining these paths on mine, and looking under the source build directory for openssl-1.0.0a, it looks like Amos is indeed correct that the path for your system should be --with-openssl=/usr/src/openssl/openssl-1.0.0a also verify that /usr/src/openssl/openssl-1.0.0a/include/openssl does indeed exist on your system and it contains the *.h files shown in the output from the config.log listed above (should actually be linked files under the source tree, but that shouldn't matter). Thanks, Dean Weimer Network Administrator Orscheln Management Co
