[squid-announce] Squid 4.0.18 beta is available

Amos Jeffries squid3 at treenet.co.nz
Sun Feb 12 10:20:21 UTC 2017


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.18 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:

* OpenSSL v1.1 support

Many compile issues when building with OpenSSL v1.1.* have been
resolved. The way this was fixed has uncovered a bug in the LibreSSL
library - so LibreSSL will no longer build with Squid-4.


* squidclient TLS debugging

The squidclient tool when built with GnuTLS has HTTPS support. This
version extends the -v debugging mechanism to also produce debug
information from the GnuTLS library about TLS operations.


There are also some major behaviour changes shared with Squid-3.5 which
are included in this release:

* Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.

Recent alterations to the SSL-Bump feature logic were found to be
breaking the measure put in place to disable TLS renegotiation.
Since some TLSv1.2+ mechanisms actively require it and the upcoming
OpenSSL v1.1+ make it quite hard to disable, we have decided to mitigate
the vulnerability by implementing a rate limit on renegotiation instead
of an outright disable.


* SSLv2 records force SslBump bumping despite a matching step2 peek rule.

This bug shows up as SSLv2 connections being bumped to deliver an error
when they should have been spliced as configured. Squid will now splice
all connections it has been configured to regardless of whether the
obsolete SSLv2 syntax is being used.

When bumping or receiving the connection itself Squid will still reject
SSLv2. Only spliced traffic is affected by this.


* Update External ACL helpers error handling and caching

The Squid helper protocol has undergone several important changes but
the external ACL logic and bundled helpers have not kept up. The ACL
logics handling helper replies also had some bugs in the event of helper
failures.

This release fixes those various bugs and updates all the bundled
helpers to make use of the BH (BrokenHelper) status to signal internal
errors differently to ACL denial.



 All users of Squid-4.x are urged to upgrade to this release as
soon as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries


More information about the squid-announce mailing list