Squid: Compile with --enable-ssl

The SSL support was explicitly disabled, because the OpenSSL license is not
compatible with Squid's license

squid (2.5.5-4) unstable; urgency=low

  * debian/control
    - Removed depdendecies on libssl-dev (linking GPL with SSL is not free)
      (Closes: #251988)

  * debian/rules
    - Removed --enable-ssl from configure
    - Added --enable-carp to configure (Closes: #180884)

Would it be possible to create a squid-ssl package that enables SSL and put it in multiverse or something? Get permission from the squid guys to use a modified GPL that allows SSL.

Either that, or look into a GNU TLS version of squid.

Is this still an issue in feisty?

Yes, still an issue. Also in Gutsy. This thread on the squid-dev ml tells most of the story.

http://www.squid-cache.org/mail-archive/squid-dev/200406/0011.html

There are loads of copyright holders of the squid code, so there's no "just" about asking the copyright holders to change it. Noone has just stepped up to the plate and made Squid use gnutls. Volunteers? Until then, you can rebuild it yourself.

Are there still issues with the license and no gnutls support?

I don't think any gnutls patches have happened, and the code base still has as many (C) holders from way back that haven't contacted us to ok an exemption.

still an issue on Ubuntu 12.04

please do something to enable ssl support by default

Any updates on this bug?

GnuTLS has been passed to the upstream bugzilla, so is on the TODO list. However all we are seeing is demands that we do the *enormous* conversion task for free. Nobody supposedly "needing" SSL has been willing to contribute towards development, even as patch submissions to assist.

I have finally got around to starting https://code.launchpad.net/~yadi/squid/crypto-ng as a tracker to begin forward progress. however, without support you can expect it to go just as slowly as before. Any assistance is VERY welcome.

alternatively there are several proposals to make a special Squid package using OpenSSL available through non-free repositories. AFAIK the packaging maintainers have not made their thoughts on that known.

A ssl enabled squid would help many users, which are concerned about the lack of anonymity in the web.

With request_header_replace where are a lot of guides to fix some information leaks for your users.
But all effort is failing if https is used.
To test this, have a look on https://panopticlick.eff.org/
You see that the origin User-Agent and not the rewritten User-Agent is reported.

Another point is that more and more sites are migration to https. This will reduce the traffic reduction of squid because the lack of https caching.

Yes, https caching would be a feature many users are looking for.

I have done a build of squid 3.4.4 with ssl enabled.
See https://launchpad.net/~dirk-computer42/+archive/c42-other

So the only thing needed to fix this bug is to update squid to 3.5 and rebuild with --enable-ssl while having libnettle and gnutls installed? Or there are some changes to package build-depends required?

Workaround until ubuntu will finally decide to migrate from ancient squid version is to use ppa:
https://launchpad.net/~brightbox/+archive/ubuntu/squid-ssl

Still not resolved please fix this

In this is my workaround for Xenial en trustie :

https://launchpad.net/~bas-dikkenberg/+archive/ubuntu/squid3-ssl

Squid-4.x is in cosmic, with gnutls support.

please also backport to Bionic - a secure proxy connection should really be possible in 2019!

And I am not talking about a intercepting HTTPS connection which breaks privacy!

https://wiki.squid-cache.org/Features/HTTPS

That's a ton of work. If you'd like to volunteer your time, please see https://wiki.ubuntu.com/StableReleaseUpdates