On 22/10/2014 5:40 a.m., Mike wrote:
> I was reading through the release notes for squid 3.5, and in
> section 2.4 regarding HTTPS, it mentions "When Squid is built with
> the GnuTLS encryption library the tool is able to open TLS (or
> SSL/3.0) connections to servers", and the wording makes me think
> that when openssl is in use, squid cannot open TLS/SSL connections
> to servers...
>
> So my question is if it will still be properly able to open TLS/SSL
> connections to servers when openssl is in use (like we currently
> are using with 3.4.6 and ssl_bump)? Or is gnutls recommended for
> use with squid 3.5.x (despite its massive bugs and vulnerabilities
> compared to openssl)?

"Squid" is a small collection of related programs. There is a "squid" proxy binary, and also there is a separate "squidclient" binary which is a tool for manual command line or scripted HTTP requests. Somewhat like curl or wget but more oriented at debugging traffic.

Section 2.4 applies *only* to that squidclient tool. The main squid and other binaries do not yet have any use of GnuTLS, which is mentioned in section 4.1 build options. That is planned to change, but the timeline is still flexible as it's one of my spare-time unpaid efforts.

Regarding:
> the wording makes me think that when openssl is in use, squid
> cannot open TLS/SSL connections to servers...

Correct, at least within the context of the squidclient tool which section 2.4 is all about. When using only OpenSSL the squidclient tool does not have any HTTPS support. Never has.

> and my last question, regarding squid usage by people on HTTPS
> websites, what are some primary differences of using gnutls versus
> openssl?

The primary difference as applies to Squid is that OpenSSL support has been present across most of the Squid code for years and GnuTLS support is only just now being added.
The main reason for adding it is that GnuTLS is popular, portable, feature compatible with what we use in OpenSSL, and also GPL license compatible. By using it our downstream distributors are able to package HTTPS enabled binaries where previously they were prohibited by OpenSSL license conditions.

PS. If you are building Squid I highly recommend you add libnettle and libgnutls to your build environment. Both of them should be easily available in any OS.

Amos