RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

From: Dean Weimer <dweimer_at_ORSCHELN.com>
Date: Tue, 16 Nov 2010 09:13:48 -0600

>Hi Amos,
>
>Glad to hear from you, I have already tried and retried this one, but no change... this is freaky and I'm tired :)
>
>I will continue tomorrow, I think I need to find a guide to compile squid with "non-system" ssl libraries/headers.
>
>Otherwise, is there a way to know with which openssl squid is compiled??? Because every time squid will run correctly in ssl mode... :-/
>
>Many thanks,
>
>Sebastian

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Monday, 15 November 2010 23:55
To: Sébastien WENSKE
Cc: Dean Weimer; squid-users_at_squid-cache.org
Subject: RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

On Mon, 15 Nov 2010 21:33:40 +0000, Sébastien WENSKE <sebastien_at_wenske.fr>
wrote:
>I think this should be
> --with-openssl=/usr/src/openssl/openssl-1.0.0a/
>
>
> I'm lost ... I need to fix this issue before implementing this in my
> company ...
>

Sébastien,

If it helps, my system had openssl installed with the following options.

./config --prefix=/usr/local --openssldir=/usr/local/etc/ssl -fPIC shared
make
make install

Squid had the following options for enabling openssl

--enable-ssl --with-openssl=/usr/local

In your squid source directory, look for the config.log Amos mentioned, and in it the following lines should indicate which path it found your openssl libraries under.

configure:26112: checking openssl/err.h usability
configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5
configure:26136: $? = 0
configure:26150: result: yes
configure:26154: checking openssl/err.h presence
configure:26169: g++ -E -I/usr/local/include conftest.cpp
configure:26176: $? = 0
configure:26190: result: yes
configure:26223: checking for openssl/err.h
configure:26232: result: yes
configure:26112: checking openssl/md5.h usability
configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5
configure:26136: $? = 0
configure:26150: result: yes
configure:26154: checking openssl/md5.h presence
configure:26169: g++ -E -I/usr/local/include conftest.cpp
configure:26176: $? = 0
configure:26190: result: yes
configure:26223: checking for openssl/md5.h
configure:26232: result: yes
configure:26112: checking openssl/ssl.h usability
configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5
configure:26136: $? = 0
configure:26150: result: yes
configure:26154: checking openssl/ssl.h presence
configure:26169: g++ -E -I/usr/local/include conftest.cpp
configure:26176: $? = 0
configure:26190: result: yes
configure:26223: checking for openssl/ssl.h
configure:26232: result: yes
configure:26112: checking openssl/x509v3.h usability
configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5
configure:26136: $? = 0
configure:26150: result: yes
configure:26154: checking openssl/x509v3.h presence
configure:26169: g++ -E -I/usr/local/include conftest.cpp
configure:26176: $? = 0
configure:26190: result: yes
configure:26223: checking for openssl/x509v3.h
configure:26232: result: yes

From examining these paths on mine, and looking under the source build directory for openssl-1.0.0a, it looks like Amos is indeed correct that the path for your system should be --with-openssl=/usr/src/openssl/openssl-1.0.0a. Also verify that /usr/src/openssl/openssl-1.0.0a/include/openssl does indeed exist on your system and that it contains the *.h files shown in the output from the config.log listed above (they should actually be linked files under the source tree, but that shouldn't matter).

Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co
Received on Tue Nov 16 2010 - 15:17:59 MST
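
The config.log check described in the message above can be scripted. This is an added example, not part of the original message or of Squid: the function names are hypothetical, the sample log is constructed from the lines quoted above, and reading OPENSSL_VERSION_TEXT from opensslv.h goes one step beyond what the message describes.

```shell
#!/bin/sh
# Added example: which OpenSSL headers did a Squid ./configure run pick up?

# Print each distinct -I directory on the compiler command that follows a
# "checking openssl/<hdr>.h usability|presence" line in config.log, or
# "<compiler-default>" when that command has no -I flag at all.
openssl_include_dirs() {
    awk '
        function emit(d) { if (!(d in seen)) { seen[d] = 1; print d } }
        /checking openssl\/[A-Za-z0-9_]+\.h (usability|presence)/ { want = 1; next }
        want && /conftest\./ {
            found = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^-I./) { found = 1; emit(substr($i, 3)) }
            if (!found) emit("<compiler-default>")
            want = 0
        }
    ' "$1"
}

# Succeed only if <include-dir>/openssl holds the four headers configure probes.
check_openssl_headers() {
    rc=0
    for h in err.h md5.h ssl.h x509v3.h; do
        [ -e "$1/openssl/$h" ] || { echo "missing: $1/openssl/$h" >&2; rc=1; }
    done
    return "$rc"
}

# Print the OPENSSL_VERSION_TEXT value(s) defined in that tree's opensslv.h.
openssl_header_version() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]*OPENSSL_VERSION_TEXT[[:space:]]*"\(.*\)".*/\1/p' \
        "$1/openssl/opensslv.h"
}

# Constructed sample, modelled on the config.log lines quoted in the message.
sample_config_log() {
    printf '%s\n' \
        'configure:26112: checking openssl/ssl.h usability' \
        'configure:26129: g++ -c -g -O2 -I/usr/local/include conftest.cpp >&5' \
        'configure:26154: checking openssl/ssl.h presence' \
        'configure:26169: g++ -E -I/usr/local/include conftest.cpp'
}

# Usage: sh this-script /path/to/squid-source/config.log  (no argument: sample)
if [ -n "${1:-}" ]; then openssl_include_dirs "$1"; else sample_config_log | openssl_include_dirs -; fi |
while IFS= read -r dir; do
    echo "OpenSSL headers taken from: $dir"
    [ "$dir" = "<compiler-default>" ] && continue
    if check_openssl_headers "$dir"; then openssl_header_version "$dir"; fi
done
```

The headers only show what Squid was compiled against; for a dynamically linked build, running ldd on the squid binary shows which shared libssl is loaded at run time.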
