From squid3 at treenet.co.nz Fri Jan 4 14:37:47 2019
From: squid3 at treenet.co.nz (Amos Jeffries)
Date: Sat, 5 Jan 2019 03:37:47 +1300
Subject: [squid-announce] Squid-4.5 is available
Message-ID:

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.5 release!

This release is a security and bug fix release resolving several issues
found in the prior Squid releases.

The major changes to be aware of:

* Bug 4253: ssl_bump prevents access to some web contents

The SSL-Bump initial implementation was entangled with reverse-proxy
handling of decrypted HTTPS messages. This was a mistake we have been
reversing across the 3.5 and 4 cycles.

With this release SSL-Bump traffic handling is no longer tied to
reverse-proxy mode. As a result complications with ESI and
Surrogate-Control header handling have finally been resolved.

* Redesign forward_max_tries to count TCP connection attempts

This release includes an overhaul of the counting for HTTP message
forwarding and re-send attempts. This has an impact on how long it takes
Squid to detect and report connection errors to clients, persistent
connection overload recovery and detection of DEAD peer states.

The documentation for forward_max_tries and connect_retries has been
updated to more clearly specify the current expected behaviour.

Any users with systems tuned to optimize these behaviours should read
the updated squid.conf documentation and check their tuning after
upgrade to this release or any later.

* Fix client_connection_mark ACL handling of clientless transactions

This bug shows up as crashes when a client_connection_mark or
clientside_mark type ACL is used for access control.

From this release transactions without a client TCP connection will now
produce a non-match result when this ACL is tested.

* Multiple NetDB behaviour updates

NetDB state was not being recorded for connections to peers using TLS
nor for CONNECT tunnels. With the growth of HTTPS in recent times these
are increasingly important to optimize.

This release will now ping and record the latency information for these
connections to aid with optimizing connection setup of future
transactions.

* The logformat code %>handshake is added

This code allows logging of initial bytes received for many protocols to
allow better debugging of unknown-protocol issues and external ACL
decision making.

* Use pkg-config for detecting libxml2

This release adds support for auto-detection of libxml2 location using
the pkg-config tools at build time. This may affect users of OS placing
libraries at a location outside the FHS layout. For example
cross-building or multi-architecture systems.

Note that support for custom PATH parameter is not yet implemented for
the --with-libxml2 build option. It is planned but did not make this
release. The pkg-config environment variables may be used for that if
necessary.

All users of Squid-4 with SSL-Bump functionality are urged to upgrade as
soon as possible.

All other users of Squid-4 are encouraged to upgrade as time permits.

All users of Squid-3 are encouraged to upgrade where possible.

See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/

Amos Jeffries
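
The %>handshake logformat code announced above, applied to the unknown-protocol debugging it mentions, as an added example that is not part of the original announcement or the Squid project's own code. It assumes the field is logged base64-encoded, as the squid.conf documentation for this code describes; the logformat name "hs", the log path and the sample lines are constructed for illustration.

```python
import base64
import re
from collections import Counter

# Assumed squid.conf lines (format name "hs" and log path are hypothetical):
#   logformat hs %ts.%03tu %>a %>handshake
#   access_log /var/log/squid/handshake.log hs
PROXY_V2_MAGIC = b"\r\n\r\n\x00\r\nQUIT\n"          # PROXY protocol v2 signature
HTTP_LINE = re.compile(rb"[A-Za-z-]+ \S+ HTTP/\d\.\d")

def classify_handshake(field):
    """Return a coarse protocol label for one logged %>handshake value."""
    if field in ("", "-"):
        return "none"                               # nothing was captured
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:                              # binascii.Error is a ValueError
        return "undecodable"
    if raw.startswith((PROXY_V2_MAGIC, b"PROXY ")):
        return "proxy-header"
    # TLS record: type 0x16 (handshake), major version 3, message type 1 (ClientHello)
    if len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 0x03 and raw[5] == 0x01:
        return "tls-clienthello"
    if raw.startswith(b"SSH-"):
        return "ssh-banner"
    if HTTP_LINE.match(raw):
        return "http-request"
    return "unknown"

# Constructed handshakes (not real traffic), encoded the way the field is logged.
_RAW = [b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00", b"GET http://example.com/ HTTP/1.1\r\n",
        b"SSH-2.0-OpenSSH_7.9\r\n", b"\x00\x01\x02\x03"]
SAMPLE_LOG = ["1546612667.%03d 192.0.2.%d %s" % (i, 10 + i, base64.b64encode(r).decode())
              for i, r in enumerate(_RAW)]

def summarize(lines):
    """Count labels; list clients whose first bytes were not HTTP, TLS or PROXY."""
    counts, unexpected = Counter(), []
    for parts in (line.split() for line in lines):
        if len(parts) != 3:
            continue                                # not in the assumed three-field format
        label = classify_handshake(parts[2])
        counts[label] += 1
        if label in ("ssh-banner", "unknown", "undecodable"):
            unexpected.append((parts[1], label))
    return counts, unexpected
```

Running summarize() over a real log in this format gives a quick list of client addresses that opened a proxy port with something other than HTTP, TLS or a PROXY header.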