pkgsrc-Users archive
gnutls options for www/squid3 (Re: c-icap-modules not available anymore on pkgin command)
On Wed, Jan 22, 2020 at 08:09:56PM +0100, Andries Annema wrote:
> On 22/01/2020 17.28, Jonathan Perkin wrote:
> > update, we're still on the obsolete 3.5.x branch in pkgsrc, and the
> > wip/samba4 package does not look at all suitable yet for replacing it.
> >
> > Now is a great time for someone to step up and take maintainership of
> > the package ;)
> >
> Ow boy.. I wasn't even aware that the 3.5.x branch of Squid was in fact
> obsolete and a 4.x branch has already replaced it.
While obsolete, depending on use case, squid3 is still usable and can be
compiled without any openssl support at all ("-ssl" option).
CONNECT needs no crypto or certificate checking per se in squid, only
the SSL inspection feature (certificate daemon) requires openssl.
For encrypted connections between squidclient/cachemgr and squid, gnutls
can be used.
Attached patch for www/squid3/options.mk adds an early check (before
extracting/compiling) for openssl<1.1.0 and adds a "gnutls" option to
add encryption to squidclient connections.
Regards
Matthias
--- www/squid3/options.mk.orig 2020-01-26 22:45:51.516224008 +0100
+++ www/squid3/options.mk 2020-01-27 00:00:18.103932719 +0100
@@ -4,7 +4,7 @@ PKG_OPTIONS_VAR= PKG_OPTIONS.squid
PKG_SUPPORTED_OPTIONS= ecap inet6 snmp ssl squid-backend-aufs \
squid-backend-diskd squid-backend-rock squid-backend-ufs \
squid-carp squid-unlinkd squid-kerberos-helper \
- squid-ldap-helper squid-pam-helper
+ squid-ldap-helper squid-pam-helper gnutls
PKG_OPTIONS_LEGACY_OPTS+= diskd:squid-backend-diskd \
null:squid-backend-null ufs:squid-backend-ufs \
linux-netfilter:squid-netfilter ipf-transparent:squid-ipf \
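Review bot: "gnutls" is added to PKG_SUPPORTED_OPTIONS as a free-standing option, although the second hunk treats it as mutually exclusive with "ssl" and enforces that by hand. The options framework can express this directly with an optional group, for example PKG_OPTIONS_OPTIONAL_GROUPS= tls and PKG_OPTIONS_GROUP.tls= ssl gnutls (the group name is only a suggestion), with both names taken out of PKG_SUPPORTED_OPTIONS since group members are added automatically. The framework then handles the mutual exclusion itself and the relationship is visible to anyone inspecting the package options.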
@@ -134,9 +134,20 @@ CONFIGURE_ARGS+= --disable-snmp
CONFIGURE_ARGS+= --enable-ssl --with-openssl=${SSLBASE:Q}
CONFIGURE_ARGS+= --enable-ssl-crtd
. include "../../security/openssl/buildlink3.mk"
+# squid3 not compatible with openssl >= 1.1.x
+DEPENDS+= openssl<1.1.0:../../security/openssl
PLIST.ssl= yes
.endif
+# gnutls can be used to encrypt connections between squidclient/cachemgr and squid server
+.if !empty(PKG_OPTIONS:Mgnutls)
+. if !empty(PKG_OPTIONS:Mssl)
+PKG_FAIL_REASON+= 'Conflicting options "gnutls" and "ssl" selected - choose only one'
+. endif
+CONFIGURE_ARGS+= --enable-ssl --with-gnutls
+. include "../../security/gnutls/buildlink3.mk"
+.endif
+
.if !empty(PKG_OPTIONS:Msquid-backend-aufs)
SQUID_BACKENDS+= aufs
. include "../../mk/pthread.buildlink3.mk"
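Review bot: The added DEPENDS+= openssl<1.1.0 line in the ssl block records a run-time package dependency; it is not a check on the OpenSSL that the buildlink3.mk include just above it selects for the build, so the two can disagree (for example when the OpenSSL being linked is not the pkgsrc package). If the goal is to stop early on OpenSSL 1.1 or newer, tie the bound to what buildlink resolves or emit a PKG_FAIL_REASON at that point, and make the comment match the pattern ("openssl >= 1.1.0" rather than ">= 1.1.x"). In the gnutls block, --enable-ssl is passed without PLIST.ssl being set, so it is worth confirming that this configuration installs none of the files covered by PLIST.ssl= yes in the ssl block; otherwise the packing list will not match the build.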