[squid-announce] Squid 4.0.20 beta is available
Amos Jeffries
squid3 at treenet.co.nz
Tue Jun 6 04:04:38 UTC 2017
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.20 release!
This release is a bug fix release resolving several issues found in the
prior Squid releases.
The major changes to be aware of:
* Regression Bug 4692: SSL-Bump breaks intercepted IPv6 connections
This bug applies to all IPv6 intercepted traffic (TPROXY, etc.). It is
especially visible with SSL/TLS (port 443) traffic. It affects Google
searches, YouTube videos, and many other websites. With non-TLS/SSL
requests, it can cause what appear to be timeouts as well as other
problems. It is a regression specific to the Squid-4 release series, not
affecting any other installations.
* Regression Bug 4659: sslproxy_foreign_intermediate_certs does not work
This bug appears as loading of custom intermediate certificates not
working since the auto-download feature was implemented in Squid-4.
This release is now able to verify a certificate chain with both
configured intermediates and auto-downloaded CA certificates.
* Bug 4662: build errors with LibreSSL 2.4.4
This release updates the OpenSSL v1.1 support to use API feature
detection to resolve many issues identified with LibreSSL and
potentially other OpenSSL derived libraries. New tests have been added,
existing feature tests have been updated to obey the --with-openssl=PATH
parameter more accurately for custom library locations, and the squid -v
output is updated to report which library is being loaded and used at
run-time.
As such there are some potentially significant changes to the code being
used by LibreSSL and other derivative libraries. These should build and
work now, but are not specifically tested by the Squid team developing
the TLS/SSL code. Community testing and feedback are very welcome.
* Bug 4321: ssl_bump terminate does not terminate at step1
This release adds support for terminating TLS connections before any TLS
protocol data has been received. Previous versions of Squid required
some of the handshake to be received before terminate would work. This
also allows non-TLS connections to be terminated properly before step1
of the SSL-Bump process.
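The following squid.conf fragment is an added illustration of the two SSL-Bump items above (Bug 4659 and Bug 4321); it is not configuration shipped with Squid or taken from this announcement. The certificate file paths, the port number and the 203.0.113.0/24 destination range are constructed placeholders.

```conf
# Added example squid.conf fragment; paths and the address range are placeholders.
http_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl/bump-ca.pem \
    generate-host-certificates=on

# Bug 4659: intermediate CA certificates known in advance. As of 4.0.20 these
# are used together with any auto-downloaded intermediates when verifying a
# server's certificate chain.
sslproxy_foreign_intermediate_certs /etc/squid/ssl/known-intermediates.pem

# Bug 4321: "terminate" now works at step 1, i.e. before any TLS handshake bytes
# have been read. At that point only TCP-level facts (destination IP and port)
# are available to ACLs, so match on "dst" rather than on SNI or certificate data.
acl step1 at_step SslBump1
acl blocked_dst dst 203.0.113.0/24
ssl_bump terminate blocked_dst
ssl_bump peek step1
ssl_bump splice all
```

The ssl_bump rules are evaluated in order and the first match wins, so the terminate rule must precede the peek rule or blocked destinations will be peeked at first; non-TLS connections arriving on the intercept port are also closed at step 1 when they match blocked_dst.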
* Improved cache_peer handling
This release updates the DEAD peer probe behaviour and handling to
reduce HTTP response times when a cache_peer previously marked DEAD is
involved as a potential destination for the request, for example as a
failover destination after an initial attempt to a LIVE peer failed, or
as a probe to investigate peer recovery when ICP, HTCP, Digest, NetDB
and ICMP are all disabled.
Also, as of this release a new DNS query no longer revives DEAD peers
unconditionally. This prevents periodic timeouts on transactions when
DNS TTL is short and a peer is unavailable for extended periods of time
relative to that TTL.
These changes will impact all Squid installations depending on these
passive DNS or HTTP revival methods as the sole ways for peers to be
detected as usable once they go down. An active probe of at least one
type mentioned above is now required to avoid an increase in user
visible connection failures.
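As an added illustration of the cache_peer change described above (not from the announcement or the Squid project), the fragment below contrasts a peer with an active probe enabled against one relying only on the passive DNS or HTTP revival that this release no longer performs unconditionally. The hostnames are constructed placeholders.

```conf
# Added example squid.conf fragment; hostnames are constructed placeholders.

# parent-a: ICP active probing is enabled (ICP port 3130), so Squid keeps
# checking the peer after it is marked DEAD and notices recovery on its own.
# This is the kind of active probe the announcement says is now required.
cache_peer parent-a.example.internal parent 3128 3130 weight=10

# parent-b: ICP (no-query), Digest (no-digest) and NetDB exchange
# (no-netdb-exchange) are all disabled and the ICP port is 0. Once marked
# DEAD, this peer is only rediscovered by an HTTP probe when it is selected
# as a potential destination; a new DNS answer for its name no longer revives
# it. Expect more user-visible failures with this shape unless at least one
# active probe type is re-enabled.
cache_peer parent-b.example.internal parent 3128 0 no-query no-digest no-netdb-exchange
```

When auditing an existing configuration after upgrading, look for cache_peer lines whose ICP port is 0 and that carry no-query together with no-digest and no-netdb-exchange; those are the peers whose revival previously depended on DNS TTL expiry.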
* Make PID file check/creation atomic and earlier
This release adds further improvements to the Squid startup process so
that the PID file contents are set earlier and in an atomic manner. This
fixes many race conditions that occurred when SMP workers are involved or
when an init system with potentially parallel startup procedures, such as
systemd, upstart or OpenRC, is used.
* OpenSSL support better compliance with license requirements
The OpenSSL license requires that all binaries which are built to
utilize the library API (that includes any library derived from OpenSSL)
must publicly advertise that OpenSSL or derivative library in all
documentation detailing features of that software.
This release of Squid now includes the required OpenSSL advertisement in
the squid -v output where build features are displayed. This is
primarily intended as a way to easily identify which library is being
used by Squid at run-time when multiple libraries are present on a system.
Please note even with this update Squid is still not directly compatible
with the OpenSSL terms of distribution. Distributors of OpenSSL enabled
Squid are required to ensure they meet both GPL and OpenSSL licensing
requirements.
All users of Squid-4.x are urged to upgrade to this release as
soon as possible.
All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v4/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/4/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries