The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.0.18 release!

This release is a bug fix release resolving several issues found in the prior Squid releases.

The major changes to be aware of:

* OpenSSL v1.1 support

Many compile issues when building with OpenSSL v1.1.* have been resolved. The way this was fixed has uncovered a bug in the LibreSSL library - so LibreSSL will no longer build with Squid-4.

* squidclient TLS debugging

The squidclient tool when built with GnuTLS has HTTPS support. This version extends the -v debugging mechanism to also produce debug information from the GnuTLS library about TLS operations.

There are also some major behaviour changes shared with Squid-3.5 which are included in this release:

* Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.

Recent alterations to the SSL-Bump feature logic were found to be breaking the measure put in place to disable TLS renegotiation. Since some TLSv1.2+ mechanisms actively require it and the upcoming OpenSSL v1.1+ make it quite hard to disable, we have decided to mitigate the vulnerability by implementing a rate limit on renegotiation instead of an outright disable.

* SSLv2 records force SslBump bumping despite a matching step2 peek rule.

This bug shows up as SSLv2 connections being bumped to deliver an error when they should have been spliced as configured.

Squid will now splice all connections it has been configured to regardless of whether the obsolete SSLv2 syntax is being used. When bumping or receiving the connection itself Squid will still reject SSLv2. Only spliced traffic is affected by this.

* Update External ACL helpers error handling and caching

The Squid helper protocol has undergone several important changes but the external ACL logic and bundled helpers have not kept up. The ACL logics handling helper replies also had some bugs in the event of helper failures.

This release fixes those various bugs and updates all the bundled helpers to make use of the BH (BrokenHelper) status to signal internal errors differently to ACL denial.

All users of Squid-4.x are urged to upgrade to this release as soon as possible.

All users of Squid-3 are encouraged to test this release out and plan for upgrades where possible.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v4/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries
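For administrators maintaining their own external ACL helpers, the OK / ERR / BH distinction described in the announcement looks like this in a minimal helper. This is an added example, not code from the Squid project or from the announcement; the one-username request format, the `make_backend` stand-in and the sample group members are assumptions made for illustration.

```python
import sys
from urllib.parse import unquote


class BackendError(Exception):
    """Raised when the (hypothetical) group backend cannot answer."""


def make_backend(members, healthy=True):
    """Constructed stand-in for a directory lookup (LDAP, SQL, ...)."""
    def is_member(user):
        if not healthy:
            raise BackendError("directory unreachable")
        return user in members
    return is_member


def kv(key, text):
    """Format key="value", escaping characters that would break the quoting."""
    return '%s="%s"' % (key, text.replace("\\", "\\\\").replace('"', '\\"'))


def answer(line, is_member, concurrent=False):
    """Turn one request line into one reply line: OK, ERR or BH."""
    fields = line.split()
    channel = ""
    if concurrent and fields:
        # With helper concurrency enabled, echo the channel-ID back first.
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) != 1:
        # Malformed input is a helper-side problem, not a policy decision.
        return channel + "BH " + kv("message", "expected exactly one username")
    user = unquote(fields[0])  # request values arrive URL-encoded
    try:
        allowed = is_member(user)
    except BackendError as exc:
        # Replying ERR here would be indistinguishable from a real denial.
        return channel + "BH " + kv("message", str(exc))
    if allowed:
        return channel + "OK"
    return channel + "ERR " + kv("message", "not in allowed group")


def main():
    is_member = make_backend({"alice", "bob"})  # constructed sample data
    for line in sys.stdin:
        sys.stdout.write(answer(line, is_member) + "\n")
        sys.stdout.flush()  # one reply per request, never buffered


if __name__ == "__main__":
    main()
```

A helper that answers ERR when its backend is down records an outage as a policy denial; returning BH keeps the two cases separate on the helper side.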