From squid3 at treenet.co.nz  Tue Jun  6 04:04:38 2017
From: squid3 at treenet.co.nz (Amos Jeffries)
Date: Tue, 6 Jun 2017 16:04:38 +1200
Subject: [squid-announce] Squid 4.0.20 beta is available
Message-ID:

The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.0.20 release!

This release is a bug fix release resolving several issues found in the prior Squid releases.

The major changes to be aware of:

* Regression Bug 4692: SSL-Bump breaks intercepted IPv6 connections

This bug applies to all IPv6 intercepted traffic (TPROXY, etc.). It is especially visible with SSL/TLS (port 443) traffic. It affects Google searches, YouTube videos, and many other websites. With non-TLS/SSL requests, it can cause what appear to be timeouts as well as other problems.

It is a regression specific to the Squid-4 release series, not affecting any other installations.

* Regression Bug 4659: sslproxy_foreign_intermediate_certs does not work

This bug appears as loading of custom intermediate certificates not working since the auto-download feature was implemented in Squid-4. This release is now able to verify a certificate chain with both configured intermediates and auto-downloaded CA certificates.

* Bug 4662: build errors with LibreSSL 2.4.4

This release updates the OpenSSL v1.1 support to use API feature detection to resolve many issues identified with LibreSSL and potentially other OpenSSL derived libraries. New tests have been added, existing feature tests have been updated to obey the --with-openssl=PATH parameter more accurately for custom library locations, and the squid -v output is updated to report which library is being loaded and used at run-time.

As such there are some potentially significant changes to the code being used by LibreSSL and other derivative libraries. These should build and work now, but are not specifically tested by the Squid team developing the TLS/SSL code. Community testing and feedback is very welcome.

* Bug 4321: ssl_bump terminate does not terminate at step1

This release adds support for terminating TLS connections before any TLS protocol has been received. Previous versions of Squid would require some of the handshake to be received before terminate would work. This also causes non-TLS connections to be able to properly terminate before step1 of the SSL-Bump process.

* Improved cache_peer handling

This release updates the DEAD peer probe behaviour and handling to reduce HTTP response times when a cache_peer previously marked DEAD is involved as a potential destination for the request. For example, as a failover destination after an initial attempt to a LIVE peer failed, or as a probe to investigate peer recovery when ICP, HTCP, Digest, NetDB and ICMP are all disabled.

Also, as of this release a new DNS query no longer revives DEAD peers unconditionally. This prevents periodic timeouts on transactions when DNS TTL is short and a peer is unavailable for extended periods of time relative to that TTL.

These changes will impact all Squid installations depending on these passive DNS or HTTP revival methods as the sole ways for peers to be detected as usable once they go down. An active probe of at least one type mentioned above is now required to avoid an increase in user visible connection failures.

* Make PID file check/creation atomic and earlier

This release adds further improvements to the Squid startup process for better PID file related behaviour, setting the file contents earlier and in an atomic manner. This fixes many race condition issues when SMP workers are involved or an init system such as systemd, upstart, or OpenRC with potentially parallel startup procedures is used.

* OpenSSL support better compliance with license requirements

The OpenSSL license requires that all binaries which are built to utilize the library API (that includes any library derived from OpenSSL) must publicly advertise that OpenSSL or derivative library in all documentation detailing features of that software.

This release of Squid will now include the required OpenSSL advertisement in builds' -v output where features are displayed. This is primarily intended as a way to easily identify which library is being used by Squid at run-time when multiple libraries are present on a system.

Please note even with this update Squid is still not directly compatible with the OpenSSL terms of distribution. Distributors of OpenSSL enabled Squid are required to ensure they meet both GPL and OpenSSL licensing requirements.

All users of Squid-4.x are urged to upgrade to this release as soon as possible.

All users of Squid-3 are encouraged to test this release out and plan for upgrades where possible.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at http://www.squid-cache.org/Versions/v4/RELEASENOTES.html when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v4/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries


From squid3 at treenet.co.nz  Tue Jun  6 04:04:49 2017
From: squid3 at treenet.co.nz (Amos Jeffries)
Date: Tue, 6 Jun 2017 16:04:49 +1200
Subject: [squid-announce] Squid 3.5.26 is available
Message-ID: <67fef825-dea4-ecf0-817e-590ae2b29082@treenet.co.nz>

The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.5.26 release!

This release is a bug fix release resolving several issues found in the prior Squid releases.

The major changes to be aware of:

* Bug 4711: SubjectAlternativeNames is missing in some generated certificates

Previous releases of Squid were not able to generate valid mimic certificates from the AltName server certificate field only. This leads to the security error [missing_subjectAltName] in modern browsers (both Chrome/Firefox this time), and net::ERR_CERT_COMMON_NAME_INVALID errors visible to users.

* Bug 4682: ignoring http_access deny when client-first bumping mode is used

This bug appears as Squid failing to identify some HTTP requests which are tunneled inside an already established client-first bumped tunnel, and this results in ignoring http_access deny for these requests.

* Bug 4589: ssl_crtd: returning zero on failure

This bug has been affecting some init scripts that were depending on the tool return values to detect when it failed to initialize the certificate database. This does not resolve any initialization issues directly, merely allows init scripts to be made aware of them before Squid is started.

* Bug 3102 and 3772: FTP directory listings display issues

These bugs appear as line wrap and path truncation errors in FTP directory listings from some FTP servers.

* OpenSSL support better compliance with license requirements

The OpenSSL license requires that all binaries which are built to utilize the library API (that includes any library derived from OpenSSL) must publicly advertise that OpenSSL or derivative library in all documentation detailing features of that software.

This release of Squid will now include the required OpenSSL advertisement in builds' -v output where features are displayed. This is primarily intended as a way to easily identify which library is being used by Squid at run-time when multiple libraries are present on a system.

Please note even with this update Squid is still not directly compatible with the OpenSSL terms of distribution. Distributors of OpenSSL enabled Squid are required to ensure they meet both GPL and OpenSSL licensing requirements.

All users of Squid-3 with SSL-Bump functionality are encouraged to upgrade to this release as soon as possible.

All other users of Squid-3 are encouraged to upgrade to this release as time permits.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html when you are ready to make the switch to Squid-3.5.

Upgrade tip: "squid -k parse" is starting to display even more useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v3/3.5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.

http://bugs.squid-cache.org/

Amos Jeffries
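As an added illustration of how Bug 4711 above shows up on the client side (this is not Squid code and not part of the announcement), the check below classifies a bumped certificate the way current browsers do: names are taken from subjectAltName only, so a CN-only mimic certificate yields missing_subjectAltName and a SAN that does not cover the requested name yields ERR_CERT_COMMON_NAME_INVALID. The sample certificates and hostnames are constructed, and the fetch helper assumes an interception-bump setup whose signing CA you hold in a file.

```python
import socket
import ssl

# Constructed sample certificates (hypothetical names), in the dict shape
# that ssl.SSLSocket.getpeercert() returns for a verified peer.
CN_ONLY_MIMIC = {
    # What the pre-fix mimic looked like when the origin certificate
    # carried its names only in the SAN extension: no subjectAltName.
    "subject": ((("commonName", "www.example.com"),),),
}
SAN_MIMIC = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}


def _dns_match(pattern, hostname):
    """RFC 6125 style match: '*' may stand in for the leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def browser_verdict(cert, hostname):
    """Classify a certificate the way Chrome/Firefox do: SAN only, CN ignored."""
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        return "missing_subjectAltName"
    if any(_dns_match(p, hostname) for p in sans):
        return "ok"
    return "ERR_CERT_COMMON_NAME_INVALID"


def fetch_bumped_cert(hostname, proxy_cafile, port=443, timeout=5.0):
    """Fetch the certificate presented for hostname through an intercepting
    bump (assumed setup); proxy_cafile is the CA the proxy signs mimics with.
    Chain verification stays on (so getpeercert() is populated) but the
    hostname check is disabled so a SAN-less mimic can still be inspected."""
    ctx = ssl.create_default_context(cafile=proxy_cafile)
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Running browser_verdict(fetch_bumped_cert(host, cafile), host) against a few hosts behind the proxy is a quick way to confirm the upgrade removed the CN-only mimics.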