[squid-announce] Squid 5.5 is available

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 14 11:21:54 UTC 2022


The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-5.5 release!


This release is a bug fix release resolving several issues
found in the prior Squid-5 releases and confirming stability
of major functionality changes added in the 5.4.1 beta release.


The major changes to be aware of:

  * Bug 5177: clientca certificates sent to https_port clients

A bug in the OpenSSL library has been causing CA certificates
in the Squid tls-clientca= (and previously clientca=) option
to be added to the chain of intermediate CAs sent with the TLS
server certificate.

This release makes use of an OpenSSL context mode which has
been made available with libssl 1.x to resolve that problem.

Your proxy configuration can be quickly checked for relevance
with the following command:

   squid -k parse 2>&1 | grep clientca

Admins using the (tls-)clientca= option should ensure that file
only contains the CAs used to validate the TLS certificates
presented by clients.

To be sent in the TLS handshake, intermediate CA certificates
relevant to the TLS server certificate should be listed in
the file(s) loaded by the tls-cert=, tls-cafile= or tls-capath=
options.


  * Bug 5090: Must(!request->pinnedConnection()) violation

This bug is most often seen when ICAP RESPMOD is used, but is
not related to ICAP at all. Visible bug symptoms, if any, may
include:

   FATAL: check failed: !request->pinnedConnection()
   exception location: FwdState.cc(1124) connectStart

   FATAL: check failed: transportWait
   exception location: FwdState.cc(675) noteDestinationsEnd

The bug was actually incorrect handling of servers or peers
whose selection takes unusually long times.


  * Kid restart leads to persistent queue overflows, delays/timeouts

This bug appears in cache.log as any of the following messages:

   WARNING: communication with ... may be too slow or disrupted...
   WARNING: abandoning ... I/Os
   ERROR: worker I/O push queue for ... overflow...
   ERROR: Collapsed forwarding queue overflow...

When one of the SMP worker processes ('kid') crashes or otherwise
exits without cleaning up the SMP memory it was using, the worker
process started to replace it has to automatically recover from
memory corruption. Previous Squid releases did not recover well
from at least the above listed types of corruption.

This release greatly strengthens the recovery process making
Squid much more robust after a worker crash.


  * Bug 5192: esi_parser default is incorrect

This bug appears when Squid is built with both libexpat and
libxml2 available. Updates in Squid-4 unintentionally altered
the default selected to libexpat. This release returns the
default to libxml2 as documented in squid.conf.


   All users of Squid-5 are encouraged to upgrade as soon as
   possible.

   Users of Squid-4 holding back due to earlier release issues
   are encouraged to test this version for upgrade.


See the ChangeLog for the full list of changes in this and
earlier releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v5/RELEASENOTES.html
when you are ready to make the switch to Squid-5.

This new release can be downloaded from our HTTP or FTP servers

   http://www.squid-cache.org/Versions/v5/
   ftp://ftp.squid-cache.org/pub/squid/
   ftp://ftp.squid-cache.org/pub/archive/5/

or the mirrors. For a list of mirror sites see

   http://www.squid-cache.org/Download/http-mirrors.html
   http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug
report.
   https://bugs.squid-cache.org/


Amos Jeffries
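
An added example, not part of the original announcement or of Squid itself: a small offline audit for the Bug 5177 configuration check. It lists every https_port line that sets tls-clientca= or clientca= and flags any file that is also loaded through tls-cert=, tls-cafile= or tls-capath=. The sample configuration, its paths and the function name are constructed, and the parser assumes comments start at the beginning of a line.

```python
import re

# Options named in the announcement. clientca files hold the CAs used to
# validate client certificates; the others feed the server-side handshake.
CLIENT_CA_OPTS = ("tls-clientca", "clientca")
SERVER_CHAIN_OPTS = ("tls-cert", "tls-cafile", "tls-capath")

# Constructed sample squid.conf fragment (hypothetical paths).
SAMPLE_CONF = """\
# constructed sample, not a real deployment
http_port 3128
https_port 3129 tls-cert=/etc/squid/tls/proxy.pem tls-cafile=/etc/squid/tls/chain.pem \\
    tls-clientca=/etc/squid/tls/client-ca.pem
https_port 3130 tls-cert=/etc/squid/tls/proxy.pem tls-clientca=/etc/squid/tls/bundle.pem tls-cafile=/etc/squid/tls/bundle.pem
https_port 3131 tls-cert=/etc/squid/tls/proxy.pem
"""

def audit_https_ports(conf_text):
    """Return one finding per https_port line that sets a clientca option."""
    findings = []
    # Join backslash-continued lines so each directive is a single line.
    text = re.sub(r"\\\r?\n", " ", conf_text)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "https_port":
            continue
        opts = {}
        for tok in tokens[2:]:
            key, sep, value = tok.partition("=")
            if sep:
                opts.setdefault(key, []).append(value)
        client_ca = [v for k in CLIENT_CA_OPTS for v in opts.get(k, [])]
        if not client_ca:
            continue  # port does not request client certificates
        chain = [v for k in SERVER_CHAIN_OPTS for v in opts.get(k, [])]
        findings.append({
            "port": tokens[1],
            "client_ca_files": client_ca,    # review: client-validation CAs only
            "server_chain_files": chain,     # intermediates for the server cert
            "shared_files": sorted(set(client_ca) & set(chain)),  # mixed use
        })
    return findings

if __name__ == "__main__":
    for f in audit_https_ports(SAMPLE_CONF):
        print(f["port"], f["client_ca_files"], "shared:", f["shared_files"])
```

A non-empty shared_files entry means one file is serving both purposes and should be split. The contents of each clientca file still need a manual review.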

