Go to file
Dominique Leuenberger a8a96222c4 Accepting request 715745 from server:proxy
- Update to squid 4.8:
  + Ignore ECONNABORTED in accept(2)
  + RFC 7230 forbids generation of userinfo subcomponent of https URL
  + cachemgr.cgi: unallocated memory access resulting in a potential
    denial of service. (bsc#1141442, CVE-2019-12854)
  + terminating c-strings beyond BASE64_DECODE_LENGTH
  + Replace uudecode with libnettle base64 decoder fixing a denial
    of service vulnerability (bsc#1141329, CVE-2019-12529)
  + fix to_localhost does not include ::
  + Fix GCC-9 build issues
  + Fix Digest auth parameter parsing preventing a potential
    denial of service (bsc#1141332, CVE-2019-12525)
  + Update HttpHeader::getAuth to SBuf which prevents a potential
    heap overflowing allowing a possible remote code execution
    attack when processing HTTP Authentication credentials
    (bsc#1141330, CVE-2019-12527)
  + Add the NO_TLSv1_3 option to available tls-options values
  + Fix handling of tiny invalid responses
  + Fix Memory leak when http_reply_access uses external_acl
  + Fix Multiple XSS issues in cachemgr.cgi
    (bsc#1140738, CVE-2019-13345)
- use unbundled version of libnettle
- disable LTO as a workaround to tests failing

OBS-URL: https://build.opensuse.org/request/show/715745
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/squid?expand=0&rev=72
2019-07-18 13:20:23 +00:00
.gitattributes unlink from Factory 2012-10-22 19:07:11 +00:00
.gitignore unlink from Factory 2012-10-22 19:07:11 +00:00
cache_dir.sed Accepting request 482004 from server:proxy:Test 2017-03-22 15:16:54 +00:00
initialize_cache_if_needed.sh Accepting request 578251 from home:adamm:branches:server:proxy 2018-02-20 07:30:53 +00:00
missing_installs.patch Accepting request 562903 from home:adamm:branches:server:proxy 2018-01-09 16:52:12 +00:00
pam.squid unlink from Factory 2012-10-22 19:07:11 +00:00
README.kerberos unlink from Factory 2012-10-22 19:07:11 +00:00
squid-4.8.tar.xz - Update to squid 4.8: 2019-07-15 15:22:32 +00:00
squid-4.8.tar.xz.asc - Update to squid 4.8: 2019-07-15 15:22:32 +00:00
squid.changes - use unbundled version of libnettle 2019-07-16 15:33:12 +00:00
squid.keyring Accepting request 562903 from home:adamm:branches:server:proxy 2018-01-09 16:52:12 +00:00
squid.logrotate Accepting request 310389 from server:proxy:Test 2015-06-04 22:51:06 +00:00
squid.permissions Accepting request 286695 from server:proxy:Test 2015-02-18 23:15:24 +00:00
squid.service Accepting request 578251 from home:adamm:branches:server:proxy 2018-02-20 07:30:53 +00:00
squid.spec - use unbundled version of libnettle 2019-07-16 15:33:12 +00:00
tmpfilesdir.squid.conf Accepting request 643973 from home:adamm:branches:server:proxy 2018-10-23 13:55:38 +00:00
unsquid.pl unlink from Factory 2012-10-22 19:07:11 +00:00

This is the README.kerberos file
to have squid negotiate/authenticate via kerberos

any addons are very welcome 
comments could be posted to <chris(at)computersalat.de>


1) you need to add a "USER" inside your "Domain-Computers" Container
   called "squid".  Yes a "USER" and not a Computer.
   You may use another name, but why ?

2) After having successfully created the user, you need to create a 
   keytab file on your WIN box.

Example: !! This is all in one line !!

  ktpass -princ HTTP/squid@DOMAIN.REALM -pType KRB5_NT_PRINCIPAL \
  -mapuser squid -pass * -out HTTP.keytab

3) copy over HTTP.keytab to /etc/squid/ on your linux box

4) you have to tell your browsers to negotiate via kerberos

  Have a look at:

  a) Internet Explorer does not support Kerberos authentication with proxy servers
     http://support.microsoft.com/?scid=kb%3Ben-us%3B321728&x=19&y=14

	This limitation was removed in Windows Internet Explorer 7.

	If Integrated Windows Authentication is turned on in Internet Explorer
	for Windows 2000 and Windows XP, you can complete Kerberos authentication
	with Web servers either directly or through a proxy server. However,
	Internet Explorer cannot use Kerberos to authenticate with the proxy
	server itself.

  b) Unable to negotiate Kerberos authentication after upgrading to Internet Explorer 6
     http://support.microsoft.com/kb/299838/EN-US/

	To resolve this issue, enable Internet Explorer 6 to respond to
	a negotiate challenge and perform Kerberos authentication:

	1. In Internet Explorer, click Internet Options on the Tools menu.
	2. Click the Advanced tab, click to select the Enable
	   Integrated Windows Authentication (requires restart) check box
	   in the Security section, and then click OK.
	3. Restart Internet Explorer.

	Administrators can enable Integrated Windows Authentication by
	setting the EnableNegotiate DWORD value to 1 in the following registry key:

	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

	Note Internet Explorer 6, when used with Microsoft Windows 98,
	Microsoft Windows 98 Second Edition, Microsoft Windows Millennium Edition,
	and Microsoft Windows NT 4.0 does not respond to a negotiate challenge and
	default to NTLM (or Windows NT Challenge/Response) authentication even if
	the Enable Integrated Windows Authentication (requires restart) check
	box is selected because Kerberos authentication is not available on
	these operating systems.