Package: squid
Version: 4.12-1

In order to do SSL bumping [1], it seems that squid needs to be
configured '--with-openssl'.

I believe that Debian chose to use GnuTLS due to license incompatibility
with OpenSSL. OpenSSL went through the process of re-licensing and were
able to do so in 2017 according to:
https://www.openssl.org/blog/blog/2017/03/22/license/

Now that OpenSSL is available under the Apache License v. 2.0, there
should no longer be any incompatibility with Debian. As such, it would
be great to benefit from the more features offered by builds using
--with-openssl.

Justification/use cases:

Nowadays, HTTPS represents the majority of the traffic and it cannot be
observed as easily as HTTP. With SSL bumping, squid can use the SNI
header that is (still) in the cleartext portion of the SSL/TLS
connection and use that to allow/deny forwarding the connection. That is
the 'peek-n-splice' mode in upstream docs [2]. This mode doesn't
compromise the security/privacy of the intercepted traffic as SSL/TLS is
not terminated. The SNI inspection may be considered a privacy concern
by some.

One can also do fancier things like implementing a corporate MITM that
generates certs on the fly signed by locally trusted CA [3]. This
terminates the SSL/TLS connection in order to inspect the inner
communication. This "intrusion" is sometimes required by organization
policies.

I can only speak for my organization but we ran into multiple situations
where the peek-n-splice capability would have been handy. In other
scenarios, we would have appreciated the MITM version too, so I think
there is demand for such a feature.

Regards,
Simon

1: https://wiki.squid-cache.org/Features/SslBump
2: https://wiki.squid-cache.org/Features/SslPeekAndSplice
3: https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
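
As an added illustration of the peek-n-splice mode described above (example configuration, not part of Simon's report or of Debian's packaging), a squid.conf fragment that allows or denies tunnels by SNI without ever terminating TLS; the port, file paths, domain names and log location are assumed placeholders.

```conf
# Added example: minimal peek-and-splice policy for an explicit proxy.
# Assumes a Squid built --with-openssl; Debian's GnuTLS build rejects ssl_bump.
# Paths, port and domain names are placeholders, not values from the bug report.

# The ssl-bump option requires a CA certificate even though pure splicing
# never presents it to clients; it is only used if an 'ssl_bump bump' rule fires.
http_port 3128 ssl-bump \
    cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host certificates; idle unless a bump rule is reached.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Step 1 is the client's ClientHello. 'peek' reads the SNI without altering
# the handshake, so the end-to-end TLS session stays intact.
acl step1 at_step SslBump1
ssl_bump peek step1

# SNI-based policy (placeholder domains); a leading '.' also matches subdomains.
acl denied_sni  ssl::server_name .blocked.example
acl allowed_sni ssl::server_name .allowed.example

ssl_bump terminate denied_sni    # drop the tunnel; nothing is decrypted
ssl_bump splice allowed_sni      # forward the TLS bytes untouched
ssl_bump splice all              # default: never decrypt

# Audit trail of observed SNI values and the action taken, for detection work.
logformat tlsaudit %ts.%03tu %>a %ssl::>sni %Ss
access_log /var/log/squid/tls.log tlsaudit
```

The default `splice all` keeps the proxy in the privacy-preserving mode the report describes; replacing it with a `bump` rule is what turns the deployment into the corporate MITM variant.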
