Martin Pluskal 2019-01-02 08:44:24 +00:00 committed by Git OBS Bridge
parent f3e0551c1d
commit b292dfd12d

View File

@ -1,740 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.73">
<TITLE>Squid 4.5 release notes</TITLE>
</HEAD>
<BODY>
<H1>Squid 4.5 release notes</H1>
<H2>Squid Developers</H2>
<HR>
<EM>This document contains the release notes for version 4 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.</EM>
<HR>
<P>
<H2><A NAME="toc1">1.</A> <A HREF="#s1">Notice</A></H2>
<UL>
<LI><A NAME="toc1.1">1.1</A> <A HREF="#ss1.1">Known issues</A>
<LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of Squid-4</A>
</UL>
<P>
<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-3.5</A></H2>
<UL>
<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">Configurable helper queue size</A>
<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">Helper concurrency channels changes</A>
<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">SSL support removal</A>
<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">Helper Binary Changes</A>
<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Secure ICAP</A>
<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Improved SMP support</A>
<LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">Improved process management</A>
<LI><A NAME="toc2.8">2.8</A> <A HREF="#ss2.8">Initial GnuTLS support</A>
<LI><A NAME="toc2.9">2.9</A> <A HREF="#ss2.9">ESI Custom Parser removal</A>
</UL>
<P>
<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-3.5</A></H2>
<UL>
<LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">New tags</A>
<LI><A NAME="toc3.2">3.2</A> <A HREF="#ss3.2">Changes to existing tags</A>
<LI><A NAME="toc3.3">3.3</A> <A HREF="#ss3.3">Removed tags</A>
</UL>
<P>
<H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to ./configure options since Squid-3.5</A></H2>
<UL>
<LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">New options</A>
<LI><A NAME="toc4.2">4.2</A> <A HREF="#ss4.2">Changes to existing options</A>
<LI><A NAME="toc4.3">4.3</A> <A HREF="#ss4.3">Removed options</A>
</UL>
<P>
<H2><A NAME="toc5">5.</A> <A HREF="#s5">Regressions since Squid-2.7</A></H2>
<UL>
<LI><A NAME="toc5.1">5.1</A> <A HREF="#ss5.1">Missing squid.conf options available in Squid-2.7</A>
</UL>
<P>
<H2><A NAME="toc6">6.</A> <A HREF="#s6">Copyright</A></H2>
<HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
<P>The Squid Team are pleased to announce the release of Squid-4.5 for testing.</P>
<P>This new release is available for download from
<A HREF="http://www.squid-cache.org/Versions/v4/">http://www.squid-cache.org/Versions/v4/</A> or the
<A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>
<P>We welcome feedback and bug reports. If you find a bug, please see
<A HREF="http://wiki.squid-cache.org/SquidFaq/BugReporting">http://wiki.squid-cache.org/SquidFaq/BugReporting</A>
for how to submit a report with a stack trace.</P>
<H2><A NAME="ss1.1">1.1</A> <A HREF="#toc1.1">Known issues</A>
</H2>
<P>Although this release is deemed good enough for use in production, please note the existence of
<A HREF="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&amp;product=Squid&amp;bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;version=4">open bugs against Squid-4</A>.</P>
<P>This release adds a dependency on C++11 support in any compiler used to build Squid.
As a result older C++03 -only and most C++0x compilers will no longer build successfully.
GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable.
GCC-4.8 will also build for now despite lack of full C++11 support, but some future features may not be available.</P>
<P>This release does not support LibreSSL.
Due to a bug in the way LibreSSL uses the OpenSSL version macro some changes
necessary to support OpenSSL 1.1 prevent building with LibreSSL.</P>
<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of Squid-4</A>
</H2>
<P>The Squid-4 change history can be
<A HREF="http://www.squid-cache.org/Versions/v4/changesets/">viewed here</A>.</P>
<H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since Squid-3.5</A></H2>
<P>Squid 4 represents a new feature release above 3.5.</P>
<P>The most important of these new features are:
<UL>
<LI>Configurable helper queue size</LI>
<LI>Helper concurrency channels changes</LI>
<LI>SSL support removal</LI>
<LI>Helper Binary Changes</LI>
<LI>Secure ICAP</LI>
<LI>Improved SMP support</LI>
<LI>Improved process management</LI>
<LI>Initial GnuTLS support</LI>
<LI>ESI Custom Parser removal</LI>
</UL>
</P>
<P>Most user-facing changes are reflected in squid.conf (see below).</P>
<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">Configurable helper queue size</A>
</H2>
<P>The new queue-size=N option to helpers configuration, allows users
to configure the maximum number of queued requests to busy helpers.</P>
<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Helper concurrency channels changes</A>
</H2>
<P>helper-mux.pl we have been distributing for the past few years to
encourage use of concurrency is no longer compatible with Squid. If
used it will spawn up to 2^64 helpers and DoS the Squid server.</P>
<P>Helpers utilizing arrays to handle fixed amounts of concurrency
channels MUST be re-written to use queues and capable of handling a
64-bit int as index or they will be vulnerable to buffer overrun and
arbitrary memory accesses.</P>
<P>32-bit helpers need re-writing to handle the concurrency channel ID
as a 64-bit integer value. If not updated they will cause proxies to
return unexpected results or timeout once crossing the 32-bit wrap
boundary. Leading to undefined behaviour in the client HTTP traffic.</P>
<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">SSL support removal</A>
</H2>
<P>Details in
<A HREF="https://tools.ietf.org/html/rfc6176">RFC 6176</A>
and
<A HREF="https://tools.ietf.org/html/rfc7568">RFC 7568</A></P>
<P>SSLv2 is not fit for purpose. Squid no longer supports being configured with
any settings regarding this protocol. That includes settings manually disabling
its use since it is now forced to disable by default. Also settings enabling
various client/server workarounds specific to SSLv2 are removed.</P>
<P>SSLv3 is not fit for purpose. Squid still accepts configuration, but use
is deprecated and will be removed entirely in a future version.
Squid default behavour is to follow the TLS built in negotiation mechanism
which prefers the latest TLS version. But also to accept downgrades to SSLv3.
Use <EM>tls-options=NO_SSLv3</EM> to disable SSLv3 support completely.</P>
<P>A new option <EM>tls-min-version=1.N</EM> is added in place of <EM>sslversion=</EM>
to configure the minimum version the TLS negotiation will allow to be used
when an old TLS version is requested by the remote endpoint.</P>
<P>The system Trusted CAs are no longer used by default when verifying client
certificates. The <EM>cafile=</EM> option should be used instead to
explicitly load the specific CA which signed acceptible client certificates,
even if that CA is one of the system Trusted CAs.
The <EM>tls-default-ca</EM> option can be used to restore the old
behaviour if needed.</P>
<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">Helper Binary Changes</A>
</H2>
<P>The <EM>basic_msnt_multi_domain_auth</EM> helper has been removed. The
<EM>basic_smb_lm_auth</EM> helper performs the same actions without extra
Perl and Samba dependencies.</P>
<P>The <EM>cert_valid.pl</EM> testing helper has been renamed to
<EM>security_fake_certverify</EM>, reflecting the Squid helper naming schema
and that it does not actually perform any certificate checks.</P>
<P>The <EM>security_fake_certverify</EM> helper is also now built and installed
by default. It is written in Perl so does not require OpenSSL dependencies
for installation. But does use the Perl Crypt::OpenSSL::X509 module for execution.
Building the helper can be controlled using the <EM>--enable-security-cert-validators="fake"</EM>
option.</P>
<P>The <EM>ssl_crtd</EM> helper has been renamed to <EM>security_file_certgen</EM>
and is now built and installed by default whenever OpenSSL support is enabled.
Building the helper can be controlled using the <EM>--enable-security-cert-generators="file"</EM>
option.</P>
<P>NOTE: The <EM>--enable-ssl-crtd</EM> option is still required to enable the
<EM>sslcrtd_program</EM> helper interface within Squid that uses the helper.</P>
<P>The <EM>ntlm_smb_lm_auth</EM> helper is now built using <EM>--enable-auth-ntlm="SMB_LM"</EM>.
Notice the upper case where it was previously a (wrongly) lower cased acronym.</P>
<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Secure ICAP</A>
</H2>
<P>ICAP services can now be used over TLS connections.</P>
<P>To mark an ICAP service as secure, use an <EM>icaps://</EM> service URI scheme when
listing your service via an icap_service directive. The industry is using a
<EM>Secure ICAP</EM> term, and Squid follows that convention, but <EM>icaps</EM> seems more
appropriate for a <EM>scheme</EM> name.</P>
<P>Squid uses <EM>port 11344</EM> for Secure ICAP by default, following another popular
proxy convention. The old 1344 default for plain ICAP ports has not changed.</P>
<H2><A NAME="ss2.6">2.6</A> <A HREF="#toc2.6">Improved SMP support</A>
</H2>
<P>Use of C++11 atomic operations instead of GNU atomics allows a wider range of
operating systems and compilers to build Squid SMP and multi-process features.
However this does require a C++11 compiler with a recent version of the C++
standard library.</P>
<P>IpcIo and Mmapped disk I/O modules are now auto-detected properly which
enables Rock storage on more systems by default than previously.</P>
<H2><A NAME="ss2.7">2.7</A> <A HREF="#toc2.7">Improved process management</A>
</H2>
<P>Squid is traditionally refered to as a daemon. But is actually a combination
of daemon and daemon manager processes. This has caused significant problems
integrating it with other third-party daemon managers.</P>
<P>The Squid process which places its PID into the squid.pid file has always
been the process to which control signals are sent. The manager process is
now taking on signal handling instead of the main daemon process. Enabling
integration with daemon managers such as Upstart or systemd which assume the
process they initiated is the daemon with a PID to control.</P>
<P>The squid binary now has a new <EM>--foreground</EM> command line option,
which (only) prevents daemonizing the master process.
Unlike the old <EM>-N</EM> option,
<EM>--foreground</EM> supports SMP workers and multi-process features.
<EM>--foreground</EM> is particularly useful for use with <EM>-z</EM> (disk
cache structures creation), as it allows the caller to wait until Squid has
finished.</P>
<P>The squid binary now accepts a <EM>--kid</EM> command line option which
informs the process which role it is to take on. This aids with debugging
SMP issues with specific process types and resolves some SMP forking issues.</P>
<H2><A NAME="ss2.8">2.8</A> <A HREF="#toc2.8">Initial GnuTLS support</A>
</H2>
<P>Squid can now be built to use GnuTLS in place of OpenSSL for the core
features of receiving TLS connections from clients and making TLS
connections to servers. The GnuTLS support is still very much experimental
and should be tested before use.</P>
<P>SSL-Bump and certificate generation features are not yet supported by
GnuTLS builds. Nor are many other less commonly used Squid TLS/SSL features.</P>
<P><EM>squid.conf</EM> directives and configuration options which have undergone
name changes from 'ssl' to 'tls' prefix in Squid-4 have GnuTLS support, unless
explicitly stated otherwise.</P>
<P>Advanced configuration with specific selection of ciphers and similar settings
should still work, but needs the GnuTLS <EM>Priority Strings</EM> instead of
the OpenSSL options when using GnuTLS.
See
<A HREF="https://www.gnutls.org/manual/gnutls.html#Priority-Strings">GnuTLS manual</A>
for more details.</P>
<H2><A NAME="ss2.9">2.9</A> <A HREF="#toc2.9">ESI Custom Parser removal</A>
</H2>
<P>The Squid custom ESI (Edge Side Includes) parser has been removed in favour
of better supported and maintained third-party libraries. At least one of libxml2
or libexpat is now mandatory to build support for the ESI response processor.</P>
<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-3.5</A></H2>
<P>There have been changes to Squid's configuration file since Squid-3.5.</P>
<P>This section gives a thorough account of those changes in three categories:</P>
<P>
<UL>
<LI>
<A HREF="#newtags">New tags</A></LI>
<LI>
<A HREF="#modifiedtags">Changes to existing tags</A></LI>
<LI>
<A HREF="#removedtags">Removed tags</A></LI>
</UL>
</P>
<H2><A NAME="newtags"></A> <A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">New tags</A>
</H2>
<P>
<DL>
<DT><B>collapsed_forwarding_shared_entries_limit</B><DD>
<P>New directive to limit the size of a table used for sharing information
about collapsible entries among SMP workers.</P>
<DT><B>force_request_body_continuation</B><DD>
<P>New directive to control Squid behaviour on the client connection when
receiving an HTTP request with an Expect:100-continue header.</P>
<DT><B>hopeless_kid_revival_delay</B><DD>
<P>New directive to set a cool-down delay reviving a child process if
the process is encountering frequent deaths.</P>
<DT><B>on_unsupported_protocol</B><DD>
<P>New directive to set the action performed when encountering strange
protocol requests at the beginning of an accepted TCP connection.</P>
<DT><B>pconn_lifetime</B><DD>
<P>New directive to limit the lifetime of persistent connections.</P>
<DT><B>reply_header_add</B><DD>
<P>New directive to add header fields to outgoing HTTP responses to
the client.</P>
<DT><B>request_start_timeout</B><DD>
<P>New directive controlling how long Squid waits for the first request
bytes to arrive after initial connection establishment by a client.</P>
<DT><B>server_pconn_for_nonretriable</B><DD>
<P>New directive to provide fine-grained control over persistent connection
reuse when forwarding HTTP requests that Squid cannot retry. It is useful
in environments where opening new connections is very expensive
and race conditions associated with persistent connections are very rare
and/or only cause minor problems.</P>
<DT><B>shared_memory_locking</B><DD>
<P>New directive to ensure shared memory is all available immediately
on startup. Protects against SIGBUS errors, but delays startup.</P>
<DT><B>tls_outgoing_options</B><DD>
<P>New directive to define TLS security context options for outgoing
connections. For example to HTTPS servers.</P>
<DT><B>url_rewrite_timeout</B><DD>
<P>Squid times active requests to redirector. This directive sets
the timeout value and the Squid reaction to a timed out
request.</P>
</DL>
</P>
<H2><A NAME="modifiedtags"></A> <A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">Changes to existing tags</A>
</H2>
<P>
<DL>
<DT><B>access_log</B><DD>
<P>TCP accept(2) errors logged with URI <EM>error:accept-client-connection</EM>.</P>
<P>Unused connections received in <EM>http_port</EM> or <EM>https_port</EM>
or transactions terminated before reading[parsing] request headers are
logged with URI <EM>error:transaction-end-before-headers</EM>.</P>
<P>New option <EM>rotate=</EM> to control the number of log file rotations
to make when <EM>-k rotate</EM> command is received. Default is to
obey the <EM>logfile_rotate</EM> directive.</P>
<DT><B>acl</B><DD>
<P>New <EM>-m</EM> flag for <EM>note</EM> ACL to match substrings.</P>
<P>New <EM>client_connection_mark</EM> type for matching Netfilter
CONNMARK of the client TCP connection.</P>
<P>New <EM>connections_encrypted</EM> type for matching transactions
where all HTTP messages were received over TLS transport connections,
including messages received from ICAP servers.</P>
<P>New <EM>has</EM> type for matching whether or not Squid is able to provide
certain sets of transaction state. For example HTTP reply headers.</P>
<P>New <EM>transaction_initiator</EM> type for detecting various
unusual transactions.</P>
<P>New <EM>--consensus</EM>, <EM>--client-requested</EM> and
<EM>--server-provided</EM> flags for the <EM>ssl::server_name</EM>
type to control which server name to match against.</P>
<DT><B>auth_param</B><DD>
<P>New parameter <EM>queue-size=</EM> to set the maximum number
of queued requests.</P>
<P>New parameter <EM>on-persistent-overload=</EM> to set the action taken
when the helper queue is overloaded.</P>
<DT><B>cache_peer</B><DD>
<P>New option <EM>auth-no-keytab</EM> to let GSSAPI implementation determine
which Kerberos credentials to use, instead of specifying a keytab.</P>
<P>Replaced option <EM>ssl</EM> with <EM>tls</EM>. Use of any
<EM>tls-</EM> prefixed options implies <EM>tls</EM> is enabled.</P>
<P>New option <EM>tls-min-version=1.N</EM> to set minimum TLS version allowed.</P>
<P>New option <EM>tls-default-ca</EM> replaces <EM>sslflags=NO_DEFAULT_CA</EM></P>
<P>New option <EM>tls-no-npn</EM> to disable sending TLS NPN extension.</P>
<P>All <EM>ssloptions=</EM> values for SSLv2 configuration or disabling
have been removed.</P>
<P>Removed <EM>sslversion=</EM> option. Use <EM>tls-options=</EM> instead.</P>
<P>Manual squid.conf update may be required on upgrade.</P>
<P>Replaced option <EM>sslcafile=</EM> with <EM>tls-cafile=</EM>
which takes multiple entries.</P>
<DT><B>deny_info</B><DD>
<P>New format macro <EM>%O</EM> to expand the <EM>message=</EM> value supplied
by external ACL helpers.</P>
<DT><B>ecap_service</B><DD>
<P>New <EM>connection-encryption=</EM> option to determine ICAP service
effect on <EM>connections_encrypted</EM> ACL.</P>
<DT><B>esi_parser</B><DD>
<P>Removed <EM>custom</EM> parser option.</P>
<P>Changed default to auto-detect available parsers instead of <EM>custom</EM>.</P>
<DT><B>external_acl_type</B><DD>
<P>New parameter <EM>queue-size=</EM> to set the maximum number
of queued requests.</P>
<P>New parameter <EM>on-persistent-overload=</EM> to set the action taken
when the helper queue is overloaded.</P>
<P>Format field updated to accept any logformat %macro code.</P>
<P>The optional <EM>acl-value</EM> fields in this helper input now expand
to a dash ('-') if the %DATA macro is not specified explicitly.</P>
<DT><B>http_port</B><DD>
<P>New option <EM>tls-min-version=1.N</EM> to set minimum TLS version allowed.</P>
<P>New option <EM>tls-default-ca</EM> replaces <EM>sslflags=NO_DEFAULT_CA</EM>,
the default is also changed to OFF.</P>
<P>New option <EM>tls-no-npn</EM> to disable sending TLS NPN extension.</P>
<P>All <EM>option=</EM> values for SSLv2 configuration or disabling
have been removed.</P>
<P>Removed <EM>version=</EM> option. Use <EM>tls-options=</EM> instead.</P>
<P>Manual squid.conf update may be required on upgrade.</P>
<P>Replaced <EM>cafile=</EM> with <EM>tls-cafile=</EM> which takes multiple entries.</P>
<P>Changed default value of <EM>generate-host-certificates</EM> to ON.</P>
<DT><B>https_port</B><DD>
<P>New option <EM>tls-min-version=1.N</EM> to set minimum TLS version allowed.</P>
<P>New option <EM>tls-default-ca</EM> replaces <EM>sslflags=NO_DEFAULT_CA</EM>,
the default is also changed to OFF.</P>
<P>New option <EM>tls-no-npn</EM> to disable sending TLS NPN extension.</P>
<P>All <EM>options=</EM> values for SSLv2
configuration or disabling have been removed.</P>
<P>Removed <EM>version=</EM> option. Use <EM>tls-options=</EM> instead.</P>
<P>Manual squid.conf update may be required on upgrade.</P>
<P>Replaced <EM>cafile=</EM> with <EM>tls-cafile=</EM> which takes multiple entries.</P>
<P>Changed default value of <EM>generate-host-certificates</EM> to ON.</P>
<DT><B>icap_service</B><DD>
<P>New scheme <EM>icaps://</EM> to enable TLS/SSL connections to Secure ICAP
servers on port 11344.</P>
<P>New <EM>connection-encryption=</EM> option to determine ICAP service
effect on <EM>connections_encrypted</EM> ACL.</P>
<P>New <EM>tls-cert=</EM> option to set TLS client certificate to use.</P>
<P>New <EM>tls-key=</EM> option to set TLS private key matching the client
certificate used.</P>
<P>New <EM>tls-min-version=1.N</EM> option to set minimum TLS version allowed
on server connections.</P>
<P>New <EM>tls-options=</EM> option to set OpenSSL library parameters.</P>
<P>New <EM>tls-flags=</EM> option to set flags modifying Squid TLS operations.</P>
<P>New <EM>tls-cipher=</EM> option to set a list of ciphers permitted.</P>
<P>New <EM>tls-cafile=</EM> option to set a file with additional CA
certificate(s) to verify the server certificate.</P>
<P>New <EM>tls-capath=</EM> option to set a directory with additional CA
certificate(s) to verify the server certificate.</P>
<P>New <EM>tls-crlfile=</EM> option to set a file with a CRL to verify the
server certificate.</P>
<P>New <EM>tls-default-ca</EM> option to use the system Trusted CAs to
verify the server certificate.</P>
<P>New <EM>tls-domain=</EM> option to verify the server certificate domain.</P>
<DT><B>logfile_daemon</B><DD>
<P>Now only requires that helper binary exists when daemon: log module
is actually being used.</P>
<DT><B>logformat</B><DD>
<P>New quoting modifier to produce <EM>\-escaped</EM> output.</P>
<P>New code <EM>%ssl::&lt;cert_errors</EM> to display server X.509
certificate errors.</P>
<P>New code <EM>%ssl::&lt;cert_issuer</EM> to display Issuer field of
the received server X.509 certificate.</P>
<P>New code <EM>%ssl::&lt;cert_subject</EM> to display Subject field of
the received server X.509 certificate.</P>
<P>New code <EM>%ssl::&gt;negotiated_version</EM> to display
negotiated TLS version of the client connection.</P>
<P>New code <EM>%ssl::&lt;negotiated_version</EM> to display
negotiated TLS version of the last server or peer connection.</P>
<P>New code <EM>%ssl::&gt;received_hello_version</EM> to display the
TLS version of the Hello message received from TLS client.</P>
<P>New code <EM>%ssl::&lt;received_hello_version</EM> to display the
TLS version of the Hello message received from TLS server.</P>
<P>New code <EM>%ssl::&gt;received_supported_version</EM> to display
the maximum TLS version supported by the TLS client.</P>
<P>New code <EM>%ssl::&lt;received_supported_version</EM> to display
the maximum TLS version supported by the TLS server.</P>
<P>New code <EM>%ssl::&gt;negotiated_cipher</EM> to display the
negotiated cipher of the client connection.</P>
<P>New code <EM>%ssl::&lt;negotiated_cipher</EM> to display the
negotiated cipher of the last server or peer connection.</P>
<P>New code <EM>%&gt;handshake</EM> to display initial octets
received on a client connection (Base64 encoded).</P>
<P>Fixed <EM>%&lt;Hs</EM>, <EM>%&lt;pt</EM> and <EM>%&lt;tt</EM>
codes for received CONNECT errors.</P>
<P>Improved <EM>%&lt;bs</EM> logging on forwarding retries.</P>
<P>Improved <EM>%&lt;Hs</EM>, <EM>%&lt;pt</EM>, <EM>%&lt;tt</EM>,
<EM>%&lt;bs</EM> logging on SslBump errors.</P>
<DT><B>pid_filename</B><DD>
<P>Default value now based on squid -n command line parameter.</P>
<P>This directive is no longer mandatory to edit for
multi-instance/tenant Squid installations.</P>
<DT><B>refresh_pattern</B><DD>
<P>Removed option <EM>ignore-auth</EM>. Its commonly desired behaviour
is performed by default with correct HTTP/1.1 revalidation.</P>
<P>Removed option <EM>ignore-must-revalidate</EM>. Other more HTTP compliant
directives (<EM>cache</EM>, <EM>store_miss</EM>) can be used to prevent
objects from caching.</P>
<DT><B>sslcrtd_children</B><DD>
<P>New parameter <EM>queue-size=</EM> to set the maximum number
of queued requests.</P>
<P>New parameter <EM>on-persistent-overload=</EM> to set the action taken
when the helper queue is overloaded.</P>
<DT><B>sslcrtvalidator_children</B><DD>
<P>New parameter <EM>queue-size=</EM> to set the maximum number
of queued requests.</P>
<P>New parameter <EM>on-persistent-overload=</EM> to set the action taken
when the helper queue is overloaded.</P>
<DT><B>store_id_children</B><DD>
<P>New parameter <EM>queue-size=</EM> to set the maximum number
of queued requests.</P>
<P>New parameter <EM>on-persistent-overload=</EM> to set the action taken
when the helper queue is overloaded.</P>
<DT><B>url_rewrite_children</B><DD>
<P>New parameter <EM>queue-size=</EM> to set the maximum number
of queued requests.</P>
<P>New parameter <EM>on-persistent-overload=</EM> to set the action taken
when the helper queue is overloaded.</P>
</DL>
</P>
<H2><A NAME="removedtags"></A> <A NAME="ss3.3">3.3</A> <A HREF="#toc3.3">Removed tags</A>
</H2>
<P>
<DL>
<DT><B>cache_peer_domain</B><DD>
<P>Superceded by <EM>cache_peer_access</EM>. Use dstdomain ACL
in the access control list to restrict domains requested.</P>
<DT><B>ie_refresh</B><DD>
<P>Removed. MSIE 3.x, 4.x, 5.0 and 5.01 are no longer popular browsers.</P>
<DT><B>sslproxy_cafile</B><DD>
<P>Replaced by <EM>tls_outgoing_options cafile=</EM>.
Which now takes multiple entries.</P>
<DT><B>sslproxy_capath</B><DD>
<P>Replaced by <EM>tls_outgoing_options capath=</EM>.</P>
<DT><B>sslproxy_cipher</B><DD>
<P>Replaced by <EM>tls_outgoing_options cipher=</EM>.</P>
<DT><B>sslproxy_client_certificate</B><DD>
<P>Replaced by <EM>tls_outgoing_options cert=</EM>.</P>
<DT><B>sslproxy_client_key</B><DD>
<P>Replaced by <EM>tls_outgoing_options key=</EM>.</P>
<DT><B>sslproxy_flags</B><DD>
<P>Replaced by <EM>tls_outgoing_options flags=</EM>.</P>
<DT><B>sslproxy_options</B><DD>
<P>Replaced by <EM>tls_outgoing_options options=</EM>.</P>
<P>All values for SSLv2 configuration or disabling have been removed.</P>
<P>Manual squid.conf update may be required on upgrade.</P>
<DT><B>sslproxy_version</B><DD>
<P>Replaced by <EM>tls_outgoing_options options=</EM>.</P>
<P>All values for SSLv2 configuration or disabling have been removed.</P>
<P>Manual squid.conf update may be required on upgrade.</P>
</DL>
</P>
<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to ./configure options since Squid-3.5</A></H2>
<P>There have been some changes to Squid's build configuration since Squid-3.5.</P>
<P>This section gives an account of those changes in three categories:</P>
<P>
<UL>
<LI>
<A HREF="#newoptions">New options</A></LI>
<LI>
<A HREF="#modifiedoptions">Changes to existing options</A></LI>
<LI>
<A HREF="#removedoptions">Removed options</A></LI>
</UL>
</P>
<H2><A NAME="newoptions"></A> <A NAME="ss4.1">4.1</A> <A HREF="#toc4.1">New options</A>
</H2>
<P>
<DL>
<DT><B>--enable-security-cert-generators</B><DD>
<P>New option to control which TLS/SSL dynamic certificate generator
helpers are built and installed.</P>
<P>Helper <EM>ssl_crtd</EM> has been renamed to <EM>security_file_certgen</EM>
and built with module name <EM>file</EM>. Requires <EM>--with-openssl</EM>.</P>
<DT><B>--enable-security-cert-validators</B><DD>
<P>New option to control which TLS/SSL certificate validation
helpers are built and installed.</P>
<P>One <EM>fake</EM> helper that does not actually perform any
certificate checks is provided for testing and as an example
for writing custom helpers.</P>
<DT><B>--without-cppunit</B><DD>
<P>The cppunit testing framework is auto-detected and used when available.
This option can be used to disable it explicitly.</P>
</DL>
</P>
<H2><A NAME="modifiedoptions"></A> <A NAME="ss4.2">4.2</A> <A HREF="#toc4.2">Changes to existing options</A>
</H2>
<P>
<DL>
<DT><B>--enable-auth-basic</B><DD>
<P>The <EM>MSNT-multi-domain</EM> helper has been removed.</P>
<P>The SMB LanMan helper <EM>SMB_LM</EM> is no longer built by default.
It needs to be explicitly listed to be built.</P>
<DT><B>--enable-auth-ntlm</B><DD>
<P>The SMB LanMan helper is now built using <EM>SMB_LM</EM>
(was lower case <EM>smb_lm</EM>).</P>
<P>The SMB LanMan helper <EM>SMB_LM</EM> is no longer built by default.
It needs to be explicitly listed to be built.</P>
<DT><B>--enable-diskio</B><DD>
<P>Auto-detection of SMP related modules has been fixed to
actually auto-detect them without configuring the module
list manually.</P>
<DT><B>--enable-esi</B><DD>
<P>Custom ESI parser has been removed.
Libxml2 or libexpat is now required to enable ESI processing.</P>
</DL>
</P>
<H2><A NAME="removedoptions"></A> <A NAME="ss4.3">4.3</A> <A HREF="#toc4.3">Removed options</A>
</H2>
<P>
<DL>
<DT><B>--with-cppunit-basedir</B><DD>
<P>Replaced by <EM>--with-cppunit=PATH</EM>.
Please prefer the default auto-detection though.</P>
<DT><B>XSTD_USE_LIBLTDL</B><DD>
<P>Removed. Use <EM>--with-included-ltdl</EM> instead.</P>
</DL>
</P>
<H2><A NAME="s5">5.</A> <A HREF="#toc5">Regressions since Squid-2.7</A></H2>
<P>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-4</P>
<P>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.</P>
<H2><A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">Missing squid.conf options available in Squid-2.7</A>
</H2>
<P>
<DL>
<DT><B>broken_vary_encoding</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>cache_peer</B><DD>
<P><EM>monitorinterval=</EM> not yet ported from 2.6</P>
<P><EM>monitorsize=</EM> not yet ported from 2.6</P>
<P><EM>monitortimeout=</EM> not yet ported from 2.6</P>
<P><EM>monitorurl=</EM> not yet ported from 2.6</P>
<DT><B>cache_vary</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>error_map</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>external_refresh_check</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>location_rewrite_access</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>location_rewrite_children</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>location_rewrite_concurrency</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>location_rewrite_program</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>refresh_pattern</B><DD>
<P><EM>stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>ignore-stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>negative-ttl=</EM> not yet ported from 2.7</P>
<DT><B>refresh_stale_hit</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>update_headers</B><DD>
<P>Not yet ported from 2.7</P>
</DL>
</P>
<H2><A NAME="s6">6.</A> <A HREF="#toc6">Copyright</A></H2>
<P>Copyright (C) 1996-2018 The Squid Software Foundation and contributors</P>
<P>Squid software is distributed under GPLv2+ license and includes
contributions from numerous individuals and organizations.
Please see the COPYING and CONTRIBUTORS files for details.</P>
</BODY>
</HTML>