[squid-users] [squid-announce] Squid 3.5.8 is available

Amos Jeffries squid3 at treenet.co.nz
Sat Sep 5 11:09:20 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.8 release!


This release is a bug fix release resolving several issues found in the
the prior Squid releases.


The major changes to be aware of:


* Bug 3553: cache_swap_high ignored and maxCapacity used instead

This bug shows up worst during peak traffic or on high performance
caches. A small change in the input parameters in earlier versions
ment that its 'high aggression' level was not beginning at the
configured high-water mark. Also the cache eviction algorithm designed
some twenty years ago was not aggressive enough to keep up with the
traffic inflow on high performance caches.

See the cache_swap_low and cache_swap_high directive documentation for
details on how to configure the eviction aggressiveness.

NOTE:
  Since the release was made new diagnostics added at level 1 have
been found too verbose on caches which are undergoing a swap.state
rebuild ("DIRTY" cache scan). If the cache is large that may take a
very long time and produce a lot of warnings. This will be resolved in
the next release and snapshots.

The workaround for now is to configure debug_options with 47,0 which
will return Squid to its previous cache.log behaviour.



* Bug 3696: crash when client delay pools are activated

As the title indicates use of client_delay_pools in squid.conf was
crashing Squid immediately. Client delay pools now appears to be
working as intended. Apologies for the time this took to resolve.



* TLS: ignore of impossible SSL bumping actions

The implemented behaviour of ssl_bump access controls in
peek-and-splice was not following the documented behaviour. As a
result explicit step2 and step3 configuration workarounds were needed
to prevent some failures.

The ssl_bump actions are now occuring strictly within the bumping
stages as documented in the wiki peek-and-splice description. All
existing configurations should continue to work. However those
containing extra ACL tests for the broken edge cases may want to
re-evaluate their rules and simplify.

Reminder that the 3.5 series bumping actions are:
  peek, splice, stare, bump, terminate.

All other bumping actions are deprecated and should no longer be used.
Any installation mixing the old and new actions needs to be fixed to
using only the new actions.

Reminder also that SSL-bumping is an ongoing work in progress and thus
still considered an experimental feature. Stability is improving fast,
but not yet guaranteed.



* TLS: Support splice for sessions that start with an SSLv2 Hello

Clients using the outdated OpenSSL 0.9.8 versions can start SSLv3 or
TLSv1.0 connections using an SSLv2 syntax Hello handshake. Previously
these were rejected as unknown protocol.

This has no connection with SSLv2 deprecation itself. While SSLv2 and
SSLv3 are mandatory to reject, these handshakes are still permitted
when they lead to using TLSv1.

The SSLv2 syntax does however prevent use of highly desirable TLS
security extensions, such as SNI. We highly recommend encouraging
these clients to upgrade their security libraries.



 All users of Squid are urged to upgrade to this release as soon as
possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJV6s1fAAoJEGvSOzfXE+nLRD8QAKZhPbp6RIATf3qqENbEHGrr
zhGDWVyfKRgGIfepty8hr7WShGjEFCeBQXkx6bzvPo9QJOsbbqXC3l5xp86IHiCB
rNfpqZIEc0XdLpRB8HA0WJTjnWe5wrkQ4BArfE7RQ+ioBgShkuy8ti9bM5GZ/g0M
nOy2jqjmi9mwgo6ZKHHKRG/N3MPnY17pmndEPlT30T0+KS0a49Nz/lY1dXlkOL5t
YxkDDRzdp2foYv2jamvfFBQKeU3q48w5cDkgXDO9diFzax1qr2NHwkY4BBpZoOTc
uGSZKAj7lssRuM96CZqjGvq3c/v8yaE9EOo1ib91TyNdN4lk4SNqx1fokQ8U/V2z
JbOU10I1ej0sXCNssR3oUcEtAKoi0FrZEnhd8GjXTLCatwiskPCRL5cJsiOBw8yg
K1rppB9TTPRPJ7tIiq/Ua6xYPDQViGC4rdL5r4nctus1toY7kVbzou7LU/m1txqG
oZNTqsZWjuZlSXcOLM6roYM50n98LUApzvIEtw0mjUBxuHhp2I/Kr5jahjYNtZlS
dCD5qwyLUAhW9MIG38186r1coY+NCVL8S51ImjLat76VpTinYQGVRP1WNRc5P8Cp
waWIZpXdldgc9c+UHmYV60eZPpEOqI85Nxn+6O5zV7eox2/rNHbcZJ3ogn3cVCnI
mKhRzQNvoQ2O2VtwHypy
=gbna
-----END PGP SIGNATURE-----
_______________________________________________
squid-announce mailing list
squid-announce at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


More information about the squid-users mailing list