[squid-announce] Squid 5.5 is available
Amos Jeffries
squid3 at treenet.co.nz
Thu Apr 14 11:21:54 UTC 2022
The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-5.5 release!
This release is a bug fix release resolving several issues
found in the prior Squid-5 releases and confirming stability
of major functionality changes added in 5.4.1 beta release.
The major changes to be aware of:
* Bug 5177: clientca certificates sent to https_port clients
A bug in the OpenSSL library has been causing CA certificates
in the Squid tls-clientca= (and previously clientca=) option
be added to the chain of intermediate CA's sent with TLS
server certificate.
This release makes use of an OpenSSL context mode which has
been made available with libssl 1.x to resolve that problem.
Your proxy configuration can be quickly checked for relevance
with the following command:
squid -k parse 2>&1 | grep clientca
Admin using (tls-)clientca= option should ensure that file
only contains CA to validate the TLS certificates presented
by clients.
To be sent in the TLS handshake Intermediate CA certificates
relevant to the TLS server certificate should be listed in
the file(s) loaded by tls-cert=, tls-cafile= or tls-capath=
options.
* Bug 5090: Must(!request->pinnedConnection()) violation
This bug is most often seen when ICAP RESPMOD is used, but is
not related to ICAP at all. Visible bug symptoms, if any, may
include:
FATAL: check failed: !request->pinnedConnection()
exception location: FwdState.cc(1124) connectStart
FATAL: check failed: transportWait
exception location: FwdState.cc(675) noteDestinationsEnd
The bug was actually incorrect handling of servers or peers
whose selection takes unusually long times.
* Kid restart leads to persistent queue overflows, delays/timeouts
This bug appears in cache.log as any of the following messages:
WARNING: communication with ... may be too slow or disrupted...
WARNING: abandoning ... I/Os
ERROR: worker I/O push queue for ... overflow...
ERROR: Collapsed forwarding queue overflow...
When one of the SMP worker processes ('kid') crashes or otherwise
exits without cleaning up the SMP memory it was using, the worker
process started to replace it has to automatically recover from
memory corruption. Previous Squid releases did not recover well
from at least the above listed types of corruption.
This release greatly strengthens the recovery process making
Squid much more robust after a worker crash.
* Bug 5192: esi_parser default is incorrect
This bug appears when Squid is built with both libexpat and
libxml2 available. Updates in Squid-4 unintentionally altered
the default selected to libexpat. This release returns the
default to libxml2 as documented in squid.conf.
All users of Squid-5 are encouraged to upgrade as soon as
possible.
Users of Squid-4 holding back due to earlier release issues
are encouraged to test this version for upgrade.
See the ChangeLog for the full list of changes in this and
earlier releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v5/RELEASENOTES.html
when you are ready to make the switch to Squid-5
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/5/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug
report.
https://bugs.squid-cache.org/
Amos Jeffries
More information about the squid-announce
mailing list