From squid3 at treenet.co.nz Sun Mar 18 10:20:22 2018
From: squid3 at treenet.co.nz (Amos Jeffries)
Date: Sun, 18 Mar 2018 23:20:22 +1300
Subject: [squid-announce] Squid 4.0.24 beta is available
Message-ID: <1d461c24-6ddd-fb99-1e8e-0c719c33e219@treenet.co.nz>

The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.0.24 release!

This release is a bug fix release resolving several issues found in the prior Squid releases.

The major changes to be aware of:

* GnuTLS support for https_port

When built with GnuTLS instead of OpenSSL this Squid is now able to open listening ports and receive HTTPS traffic in explicit proxy or reverse proxy modes. SSL-Bump and intercept proxy are not yet supported.

With GnuTLS comes the ability to configure multiple static (or wildcard) certificates for a single https_port. This ability is sadly not shared by OpenSSL.

WARNING: A regression in handling of the cafile= option has been found in this release. It may be resolved by combining the CA chain into the PEM file configured with cert=.

With the new multi-cert support combining the certificate and its CA chain in one PEM file becomes the new Best Practice configuration to ensure the CA chain is associated only with the relevant certificate(s) and keys.

* Fix SSL-Bump with an authentication type other than the Basic

This improves the Squid behaviour working with SSL-Bump'ed CONNECT messages when the original CONNECT contained authentication credentials.

Earlier releases would unconditionally treat all such bumped traffic as successfully authenticated. When a configuration used proxy_auth ACLs to check access on a per-user basis or for methods other than the Basic scheme that could incorrectly allow access to resources intended to be hidden to some users.

This release now processes the proxy_auth ACL checks normally, but with the CONNECT credentials so allow/deny can work as intended. ACL results requiring re-authentication should act as an ACL non-match instead of generating a re-authenticate challenge.

* Improved compiler support

This release fixes a number of compile errors seen with GCC-7 and Clang-3.9 versions across several operating systems.

There are still a number of outstanding issues when building with the latest GCC-8 versions. Fixes for those are expected to be in the next release.

All users of Squid-4.x are urged to upgrade to this release as soon as possible.

All users of Squid-3 are encouraged to test this release out and plan for upgrades where possible.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/

Amos Jeffries
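
The cafile= workaround above (certificate and its CA chain combined in the one PEM file given to cert=), as an added example that is not part of the original announcement or of Squid's code. It builds the bundle with the server certificate first, repairs blocks that a plain `cat` glued together, drops a repeated leaf, and refuses key material in the chain input; the function names are hypothetical and the sample bytes are constructed stand-ins, not real certificates.

```python
import base64
import re

# One PEM block; also matches blocks glued together without a newline between them.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text."""
    return [
        (label, base64.b64decode("".join(body.split()), validate=True))
        for label, body in PEM_BLOCK.findall(text)
    ]


def encode_block(label, der):
    """Re-encode bytes as a PEM block: 64-column lines, trailing newline."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def build_bundle(leaf_pem, chain_pem):
    """Server certificate first, then its CA chain, duplicates dropped."""
    leaf, chain = pem_blocks(leaf_pem), pem_blocks(chain_pem)
    if len(leaf) != 1 or leaf[0][0] != "CERTIFICATE":
        raise ValueError("leaf input must hold exactly one CERTIFICATE block")
    if any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("chain input must hold only CERTIFICATE blocks (no keys)")
    seen, out = set(), []
    for label, der in leaf + chain:
        if der not in seen:
            seen.add(der)
            out.append(encode_block(label, der))
    return "".join(out)


# Constructed stand-in bytes, not real certificates: the script never parses X.509.
LEAF, CA1, CA2 = b"constructed-leaf", b"constructed-intermediate", b"constructed-root"
SAMPLE_LEAF = encode_block("CERTIFICATE", LEAF)
# A chain file as `cat` leaves it when inputs lack a final newline, leaf repeated.
SAMPLE_CHAIN = "".join(encode_block("CERTIFICATE", d).rstrip("\n") for d in (LEAF, CA1, CA2))

if __name__ == "__main__":
    print(build_bundle(SAMPLE_LEAF, SAMPLE_CHAIN), end="")
```

The script checks PEM framing and ordering only; it does not verify that the chain actually issued the server certificate.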