On 06/19/2017 03:12 AM, Amos Jeffries wrote:
> On 19/06/17 10:53, Alex Rousskov wrote:
>> * Squid does not know anything about LibreSSL. Somebody added the
>> letters "LibreSSL" to squid.conf.documented, but that was a mistake IMO.

> The mentions of LibreSSL in the current file are for things which were
> tested before the recent round of LibreSSL issues. Specifically loading
> CA certs from a file. AFAIK that should still be working.

IMO, regardless of whether LibreSSL works for loading CA certs from a file, it is a mistake for Squid documentation to potentially imply, however indirectly, that Squid supports LibreSSL today.

Besides, I do not think that loading CA is somehow meaningful in isolation from 100 other actions participating in TLS traffic processing. It may be possible to meaningfully divide TLS-related code into SslBump and everything else, but Squid offers proper LibreSSL support for neither SslBump nor "everything else" IMO.

> the release notes still say "This release does not
> support LibreSSL" at present since we have had no positive feedback on
> anything actually working yet.

Please do not remove that "does not support" disclaimer even if somebody says that they are using LibreSSL successfully.

>> are taking significant additional risks by
>> using LibreSSL with SslBump. Whether those risks are worth using
>> something other than OpenSSL is your call, of course.

> Since the risk here is due to lack of testing... More testing is very
> welcome of course. Especially with feedback about what works and what
> does not.

I disagree. The Project should not welcome more bug reports about an unsupported library unless we want to spend our cycles on actually supporting that library. IMHO, we must spend those cycles on other, more important/higher priority things.

Alex.