diff --git a/squid-4.5-RELEASENOTES.html b/squid-4.5-RELEASENOTES.html deleted file mode 100644 index 7ae578d..0000000 --- a/squid-4.5-RELEASENOTES.html +++ /dev/null @@ -1,740 +0,0 @@ - - -
- --
-
-
-
-
-
The Squid Team are pleased to announce the release of Squid-4.5 for testing.
-This new release is available for download from -http://www.squid-cache.org/Versions/v4/ or the -mirrors.
- -We welcome feedback and bug reports. If you find a bug, please see -http://wiki.squid-cache.org/SquidFaq/BugReporting -for how to submit a report with a stack trace.
- -Although this release is deemed good enough for use in production, please note the existence of -open bugs against Squid-4.
- -This release adds a dependency on C++11 support in any compiler used to build Squid. -As a result older C++03 -only and most C++0x compilers will no longer build successfully. -GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable. -GCC-4.8 will also build for now despite lack of full C++11 support, but some future features may not be available.
- -This release does not support LibreSSL. -Due to a bug in the way LibreSSL uses the OpenSSL version macro some changes -necessary to support OpenSSL 1.1 prevent building with LibreSSL.
- - -The Squid-4 change history can be -viewed here.
- - -Squid 4 represents a new feature release above 3.5.
- -The most important of these new features are: -
Most user-facing changes are reflected in squid.conf (see below).
- - -The new queue-size=N option to helpers configuration, allows users -to configure the maximum number of queued requests to busy helpers.
- -helper-mux.pl we have been distributing for the past few years to -encourage use of concurrency is no longer compatible with Squid. If -used it will spawn up to 2^64 helpers and DoS the Squid server.
- -Helpers utilizing arrays to handle fixed amounts of concurrency -channels MUST be re-written to use queues and capable of handling a -64-bit int as index or they will be vulnerable to buffer overrun and -arbitrary memory accesses.
- -32-bit helpers need re-writing to handle the concurrency channel ID -as a 64-bit integer value. If not updated they will cause proxies to -return unexpected results or timeout once crossing the 32-bit wrap -boundary. Leading to undefined behaviour in the client HTTP traffic.
- - -Details in -RFC 6176 -and -RFC 7568
- -SSLv2 is not fit for purpose. Squid no longer supports being configured with -any settings regarding this protocol. That includes settings manually disabling -its use since it is now forced to disable by default. Also settings enabling -various client/server workarounds specific to SSLv2 are removed.
- -SSLv3 is not fit for purpose. Squid still accepts configuration, but use -is deprecated and will be removed entirely in a future version. -Squid default behavour is to follow the TLS built in negotiation mechanism -which prefers the latest TLS version. But also to accept downgrades to SSLv3. -Use tls-options=NO_SSLv3 to disable SSLv3 support completely.
- -A new option tls-min-version=1.N is added in place of sslversion= -to configure the minimum version the TLS negotiation will allow to be used -when an old TLS version is requested by the remote endpoint.
- -The system Trusted CAs are no longer used by default when verifying client -certificates. The cafile= option should be used instead to -explicitly load the specific CA which signed acceptible client certificates, -even if that CA is one of the system Trusted CAs. -The tls-default-ca option can be used to restore the old -behaviour if needed.
- - -The basic_msnt_multi_domain_auth helper has been removed. The -basic_smb_lm_auth helper performs the same actions without extra -Perl and Samba dependencies.
- -The cert_valid.pl testing helper has been renamed to -security_fake_certverify, reflecting the Squid helper naming schema -and that it does not actually perform any certificate checks.
- -The security_fake_certverify helper is also now built and installed -by default. It is written in Perl so does not require OpenSSL dependencies -for installation. But does use the Perl Crypt::OpenSSL::X509 module for execution. -Building the helper can be controlled using the --enable-security-cert-validators="fake" -option.
- -The ssl_crtd helper has been renamed to security_file_certgen -and is now built and installed by default whenever OpenSSL support is enabled. -Building the helper can be controlled using the --enable-security-cert-generators="file" -option.
- -NOTE: The --enable-ssl-crtd option is still required to enable the -sslcrtd_program helper interface within Squid that uses the helper.
- -The ntlm_smb_lm_auth helper is now built using --enable-auth-ntlm="SMB_LM". -Notice the upper case where it was previously a (wrongly) lower cased acronym.
- - -ICAP services can now be used over TLS connections.
- -To mark an ICAP service as secure, use an icaps:// service URI scheme when -listing your service via an icap_service directive. The industry is using a -Secure ICAP term, and Squid follows that convention, but icaps seems more -appropriate for a scheme name.
- -Squid uses port 11344 for Secure ICAP by default, following another popular -proxy convention. The old 1344 default for plain ICAP ports has not changed.
- - -Use of C++11 atomic operations instead of GNU atomics allows a wider range of -operating systems and compilers to build Squid SMP and multi-process features. -However this does require a C++11 compiler with a recent version of the C++ -standard library.
- -IpcIo and Mmapped disk I/O modules are now auto-detected properly which -enables Rock storage on more systems by default than previously.
- - -Squid is traditionally refered to as a daemon. But is actually a combination -of daemon and daemon manager processes. This has caused significant problems -integrating it with other third-party daemon managers.
- -The Squid process which places its PID into the squid.pid file has always -been the process to which control signals are sent. The manager process is -now taking on signal handling instead of the main daemon process. Enabling -integration with daemon managers such as Upstart or systemd which assume the -process they initiated is the daemon with a PID to control.
- -The squid binary now has a new --foreground command line option, -which (only) prevents daemonizing the master process. -Unlike the old -N option, ---foreground supports SMP workers and multi-process features. ---foreground is particularly useful for use with -z (disk -cache structures creation), as it allows the caller to wait until Squid has -finished.
- -The squid binary now accepts a --kid command line option which -informs the process which role it is to take on. This aids with debugging -SMP issues with specific process types and resolves some SMP forking issues.
- - -Squid can now be built to use GnuTLS in place of OpenSSL for the core -features of receiving TLS connections from clients and making TLS -connections to servers. The GnuTLS support is still very much experimental -and should be tested before use.
- -SSL-Bump and certificate generation features are not yet supported by -GnuTLS builds. Nor are many other less commonly used Squid TLS/SSL features.
- -squid.conf directives and configuration options which have undergone -name changes from 'ssl' to 'tls' prefix in Squid-4 have GnuTLS support, unless -explicitly stated otherwise.
- -Advanced configuration with specific selection of ciphers and similar settings -should still work, but needs the GnuTLS Priority Strings instead of -the OpenSSL options when using GnuTLS. -See -GnuTLS manual -for more details.
- - -The Squid custom ESI (Edge Side Includes) parser has been removed in favour -of better supported and maintained third-party libraries. At least one of libxml2 -or libexpat is now mandatory to build support for the ESI response processor.
- - -There have been changes to Squid's configuration file since Squid-3.5.
-This section gives a thorough account of those changes in three categories:
--
-
New directive to limit the size of a table used for sharing information -about collapsible entries among SMP workers.
- -New directive to control Squid behaviour on the client connection when -receiving an HTTP request with an Expect:100-continue header.
- -New directive to set a cool-down delay reviving a child process if -the process is encountering frequent deaths.
- -New directive to set the action performed when encountering strange -protocol requests at the beginning of an accepted TCP connection.
- -New directive to limit the lifetime of persistent connections.
- -New directive to add header fields to outgoing HTTP responses to -the client.
- -New directive controlling how long Squid waits for the first request -bytes to arrive after initial connection establishment by a client.
- -New directive to provide fine-grained control over persistent connection -reuse when forwarding HTTP requests that Squid cannot retry. It is useful -in environments where opening new connections is very expensive -and race conditions associated with persistent connections are very rare -and/or only cause minor problems.
- -New directive to ensure shared memory is all available immediately -on startup. Protects against SIGBUS errors, but delays startup.
- -New directive to define TLS security context options for outgoing -connections. For example to HTTPS servers.
- -Squid times active requests to redirector. This directive sets -the timeout value and the Squid reaction to a timed out -request.
- --
TCP accept(2) errors logged with URI error:accept-client-connection.
-Unused connections received in http_port or https_port -or transactions terminated before reading[parsing] request headers are -logged with URI error:transaction-end-before-headers.
-New option rotate= to control the number of log file rotations -to make when -k rotate command is received. Default is to -obey the logfile_rotate directive.
- -New -m flag for note ACL to match substrings.
-New client_connection_mark type for matching Netfilter -CONNMARK of the client TCP connection.
-New connections_encrypted type for matching transactions -where all HTTP messages were received over TLS transport connections, -including messages received from ICAP servers.
-New has type for matching whether or not Squid is able to provide -certain sets of transaction state. For example HTTP reply headers.
-New transaction_initiator type for detecting various -unusual transactions.
-New --consensus, --client-requested and ---server-provided flags for the ssl::server_name -type to control which server name to match against.
- -New parameter queue-size= to set the maximum number -of queued requests.
-New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.
- -New option auth-no-keytab to let GSSAPI implementation determine -which Kerberos credentials to use, instead of specifying a keytab.
-Replaced option ssl with tls. Use of any -tls- prefixed options implies tls is enabled.
-New option tls-min-version=1.N to set minimum TLS version allowed.
-New option tls-default-ca replaces sslflags=NO_DEFAULT_CA
-New option tls-no-npn to disable sending TLS NPN extension.
-All ssloptions= values for SSLv2 configuration or disabling -have been removed.
-Removed sslversion= option. Use tls-options= instead.
-Manual squid.conf update may be required on upgrade.
-Replaced option sslcafile= with tls-cafile= -which takes multiple entries.
- -New format macro %O to expand the message= value supplied -by external ACL helpers.
- -New connection-encryption= option to determine ICAP service -effect on connections_encrypted ACL.
- -Removed custom parser option.
-Changed default to auto-detect available parsers instead of custom.
- -New parameter queue-size= to set the maximum number -of queued requests.
-New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.
-Format field updated to accept any logformat %macro code.
-The optional acl-value fields in this helper input now expand -to a dash ('-') if the %DATA macro is not specified explicitly.
- -New option tls-min-version=1.N to set minimum TLS version allowed.
-New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, -the default is also changed to OFF.
-New option tls-no-npn to disable sending TLS NPN extension.
-All option= values for SSLv2 configuration or disabling -have been removed.
-Removed version= option. Use tls-options= instead.
-Manual squid.conf update may be required on upgrade.
-Replaced cafile= with tls-cafile= which takes multiple entries.
-Changed default value of generate-host-certificates to ON.
- -New option tls-min-version=1.N to set minimum TLS version allowed.
-New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, -the default is also changed to OFF.
-New option tls-no-npn to disable sending TLS NPN extension.
-All options= values for SSLv2 -configuration or disabling have been removed.
-Removed version= option. Use tls-options= instead.
-Manual squid.conf update may be required on upgrade.
-Replaced cafile= with tls-cafile= which takes multiple entries.
-Changed default value of generate-host-certificates to ON.
- -New scheme icaps:// to enable TLS/SSL connections to Secure ICAP -servers on port 11344.
-New connection-encryption= option to determine ICAP service -effect on connections_encrypted ACL.
-New tls-cert= option to set TLS client certificate to use.
-New tls-key= option to set TLS private key matching the client -certificate used.
-New tls-min-version=1.N option to set minimum TLS version allowed -on server connections.
-New tls-options= option to set OpenSSL library parameters.
-New tls-flags= option to set flags modifying Squid TLS operations.
-New tls-cipher= option to set a list of ciphers permitted.
-New tls-cafile= option to set a file with additional CA -certificate(s) to verify the server certificate.
-New tls-capath= option to set a directory with additional CA -certificate(s) to verify the server certificate.
-New tls-crlfile= option to set a file with a CRL to verify the -server certificate.
-New tls-default-ca option to use the system Trusted CAs to -verify the server certificate.
-New tls-domain= option to verify the server certificate domain.
- -Now only requires that helper binary exists when daemon: log module -is actually being used.
- -New quoting modifier to produce \-escaped output.
-New code %ssl::<cert_errors to display server X.509 -certificate errors.
-New code %ssl::<cert_issuer to display Issuer field of -the received server X.509 certificate.
-New code %ssl::<cert_subject to display Subject field of -the received server X.509 certificate.
-New code %ssl::>negotiated_version to display -negotiated TLS version of the client connection.
-New code %ssl::<negotiated_version to display -negotiated TLS version of the last server or peer connection.
-New code %ssl::>received_hello_version to display the -TLS version of the Hello message received from TLS client.
-New code %ssl::<received_hello_version to display the -TLS version of the Hello message received from TLS server.
-New code %ssl::>received_supported_version to display -the maximum TLS version supported by the TLS client.
-New code %ssl::<received_supported_version to display -the maximum TLS version supported by the TLS server.
-New code %ssl::>negotiated_cipher to display the -negotiated cipher of the client connection.
-New code %ssl::<negotiated_cipher to display the -negotiated cipher of the last server or peer connection.
-New code %>handshake to display initial octets -received on a client connection (Base64 encoded).
-Fixed %<Hs, %<pt and %<tt -codes for received CONNECT errors.
-Improved %<bs logging on forwarding retries.
-Improved %<Hs, %<pt, %<tt, -%<bs logging on SslBump errors.
- -Default value now based on squid -n command line parameter.
-This directive is no longer mandatory to edit for -multi-instance/tenant Squid installations.
- -Removed option ignore-auth. Its commonly desired behaviour -is performed by default with correct HTTP/1.1 revalidation.
-Removed option ignore-must-revalidate. Other more HTTP compliant -directives (cache, store_miss) can be used to prevent -objects from caching.
- -New parameter queue-size= to set the maximum number -of queued requests.
-New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.
- -New parameter queue-size= to set the maximum number -of queued requests.
-New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.
- -New parameter queue-size= to set the maximum number -of queued requests.
-New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.
- -New parameter queue-size= to set the maximum number -of queued requests.
-New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.
- --
Superceded by cache_peer_access. Use dstdomain ACL -in the access control list to restrict domains requested.
- -Removed. MSIE 3.x, 4.x, 5.0 and 5.01 are no longer popular browsers.
- -Replaced by tls_outgoing_options cafile=. -Which now takes multiple entries.
- -Replaced by tls_outgoing_options capath=.
- -Replaced by tls_outgoing_options cipher=.
- -Replaced by tls_outgoing_options cert=.
- -Replaced by tls_outgoing_options key=.
- -Replaced by tls_outgoing_options flags=.
- -Replaced by tls_outgoing_options options=.
-All values for SSLv2 configuration or disabling have been removed.
-Manual squid.conf update may be required on upgrade.
- -Replaced by tls_outgoing_options options=.
-All values for SSLv2 configuration or disabling have been removed.
-Manual squid.conf update may be required on upgrade.
- -There have been some changes to Squid's build configuration since Squid-3.5.
-This section gives an account of those changes in three categories:
--
- - - --
New option to control which TLS/SSL dynamic certificate generator -helpers are built and installed.
-Helper ssl_crtd has been renamed to security_file_certgen -and built with module name file. Requires --with-openssl.
- -New option to control which TLS/SSL certificate validation -helpers are built and installed.
-One fake helper that does not actually perform any -certificate checks is provided for testing and as an example -for writing custom helpers.
- -The cppunit testing framework is auto-detected and used when available. -This option can be used to disable it explicitly.
- --
The MSNT-multi-domain helper has been removed.
-The SMB LanMan helper SMB_LM is no longer built by default. -It needs to be explicitly listed to be built.
- -The SMB LanMan helper is now built using SMB_LM -(was lower case smb_lm).
-The SMB LanMan helper SMB_LM is no longer built by default. -It needs to be explicitly listed to be built.
- -Auto-detection of SMP related modules has been fixed to -actually auto-detect them without configuring the module -list manually.
- -Custom ESI parser has been removed. -Libxml2 or libexpat is now required to enable ESI processing.
- --
Replaced by --with-cppunit=PATH. -Please prefer the default auto-detection though.
- -Removed. Use --with-included-ltdl instead.
-Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-4
- -If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
- --
Not yet ported from 2.6
- -monitorinterval= not yet ported from 2.6
-monitorsize= not yet ported from 2.6
-monitortimeout= not yet ported from 2.6
-monitorurl= not yet ported from 2.6
- -Not yet ported from 2.6
- -Not yet ported from 2.6
- -Not yet ported from 2.7
- -Not yet ported from 2.6
- -Not yet ported from 2.6
- -Not yet ported from 2.6
- -Not yet ported from 2.6
- -stale-while-revalidate= not yet ported from 2.7
-ignore-stale-while-revalidate= not yet ported from 2.7
-negative-ttl= not yet ported from 2.7
- -Not yet ported from 2.7
- -Not yet ported from 2.7
- -Copyright (C) 1996-2018 The Squid Software Foundation and contributors
-Squid software is distributed under GPLv2+ license and includes -contributions from numerous individuals and organizations. -Please see the COPYING and CONTRIBUTORS files for details.
- - -