Table of Contents

About

Squid can be compiled against LibreSSL in order to avoid compilation errors as well as avoiding to mess up the distribution by attempting a manual upgrade of OpenSSL. Alternatively to this guide, the squid-openssl package can be installed instead that should provide an SSL enabled Squid:

aptitude install squid-openssl

The current guide is kept here for future reference but Debian has started providing an SSL enabled Squid.

Strategy

The strategy is to download LibreSSL and then manually compile the library to be installed under /opt/libressl such that it does not interfere with the operating system. After that, the plan is to download the Debian squid source package and change parameters and compile it against LibreSSL found in /opt/libressl.

Backup

It is wise to make a backup of your /etc/squid* configuration folder such that you do not lose your Squid configuration files when reinstalling the newly compiled Squid.

Getting the Build Essentials

Issue:

apt-get install build-essential fakeroot dpkg-dev devscripts

to install the build essentials.

Compiling LibreSSL

Download the latest LibreSSL source package:

wget -c https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.4.tar.gz

and unpack:

tar -zxpvf libressl-2.5.4.tar.gz

and change into the source directory:

cd libressl-2.5.4

Now compile LibreSSL by setting the prefix to /opt/libressl:

./configure --prefix=/opt/libressl
make -j2

and when it is compiled, install:

make install

You can now get rid of the LibreSSL source folder and archive but keep /opt/libressl.

Compiling Squid

Fetch the Debian squid source package and dependencies:

apt-get source squid
apt-get build-dep squid

This will create various files and folders in the current directory. Change into the squid source directory, ie:

cd squid3-3.5.23/

Now change debian/rules in order to append:

                --enable-ssl \
                --with-openssl=/opt/libressl \
                --enable-ssl-crtd

to DEB_CONFIGURE_EXTRA_FLAGS.

If you attempt to compile now, Debian will try to search library info from LibreSSL - which will not be available since LibreSSL is not part of Debian. In order to prevent the error on package creation, at the end of rules/debian, add:

override_dh_shlibdeps:
        dh_shlibdeps --dpkg-shlibdeps-params=--ignore-missing-info

Note that the space before dh_shlibdeps should be a single tab.

Additionally, execute the following command:

export DEB_DH_SHLIBDEPS_ARGS_ALL=--dpkg-shlibdeps-params=--ignore-missing-info

to make sure that the package creation does not fail.

Next, use dch to append a local version tag to the built Squid package in order to differentiate between the Debian Squid and the Squid you will be compiling. In order to do that, issue:

dch --local supersquid

where:

You will be prompted to add some text for the changes you have made - you can enter anything you like.

Finally, compile the package by issuing:

dpkg-buildpackage -rfakeroot -b

and after a lengthy process, the deb files should be placed in the upper-level directory which you can then install, for instance, by issuing:

dpkg -i squid-common_3.5.23-5supersquid1_all.deb
dpkg -i squid_3.5.23-5supersquid1_amd64.deb
dpkg -i squid3_3.5.23-5supersquid1_all.deb