+Changes to squid-4.0.4 (06 Jan 2016):
+
+ - Support use of Kerberos credentials cache instead of keytab
+ - Support logging of TLS Cryptography Parameters
+ - Support substring matching in Note ACL
+ - ... and some code cleanup and polishing
+ - ... and all fixes from squid 3.5.13
+
Changes to squid-4.0.3 (28 Nov 2015):
- Bug 4372: missing template files
- ext_ldap_group_acl: Allow unlimited LDAP search filter
- ext_unix_group_acl: Support -r parameter to strip @REALM from usernames
- ... and much code cleanup and polishing
- - ... and all fixes from squid 3.5.11
+ - ... and all fixes from squid 3.5.12
Changes to squid-4.0.2 (01 Nov 2015):
- Replace sslproxy_* directives with tls_outgoing_options
- Replace GNU atomics and related hacks with C++11 std::atomic
- Replace external_acl_type format %macros with logformat codes
- - Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange
- Support Secure ICAP services
- Support rotate=N option on access_log
- Support bypass for non-HTTP intercepted traffic (on_unsupported_protocol)
- ... and many documentation changes
- ... and much code cleanup and polishing
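Review bot: removing `- Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange` from the already-released squid-4.0.2 entry rewrites a published changelog. 4.0.2 did ship that feature, and after this patch no 4.x entry mentions it at all, because the new 4.0.4 entry only inherits it indirectly through `- ... and all fixes from squid 3.5.13`. Keep the line under 4.0.2; the backport is correctly recorded in the squid-3.5.13 entry this patch adds. The same consideration applies to editing the 4.0.3 entry from 3.5.11 to 3.5.12: if that corrects a genuine error in the released entry, say so in the commit message.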
+Changes to squid-3.5.13 (06 Jan 2016):
+
+ - Bug 4397: DragonFly BSD, POSIX shared memory is implemented as filepath
+ - Bug 4387: Kerberos build errors on Solaris
+ - TLS: Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange
+ - TLS: Complete certificate chains using external intermediate certificates
+ - Avoid memory leaks when an X.509 certificate validator is used with SslBump
+ - Fix connection retry and fallback after failed server TLS connections
+ - Fix GnuTLS detection via pkg-config
+ - Fix startup crash with a misconfigured (too-small) shared memory cache
+ - ... and some documentation updates
+
Changes to squid-3.5.12 (28 Nov 2015):
- Bug 4374: refresh_pattern config parser (%)
their resources or funding various Squid development activities:
@Squid-4:
+Augur TBBS Pty Limited
+
+ Augur TBBS has funded development work towards HTTP/2 support in
+ Squid-4.
+
LaunchPad - http://launchpad.net/
Provide Bazaar mirroring services and host the Squid-3+ developer
<!doctype linuxdoc system>
<article>
-<title>Squid 3.5.12 release notes</title>
+<title>Squid 3.5.13 release notes</title>
<author>Squid Developers</author>
<abstract>
<sect>Notice
<p>
-The Squid Team are pleased to announce the release of Squid-3.5.12.
+The Squid Team are pleased to announce the release of Squid-3.5.13.
This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.5/"> or the
<url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">.
<item>Native FTP Relay
<item>Receive PROXY protocol, Versions 1 & 2
<item>Basic authentication MSNT helper changes
+ <item>Elliptic Curve Diffie-Hellman (ECDH) (since 3.5.13)
</itemize>
Most user-facing changes are reflected in squid.conf (see below).
the protocol being relayed on the connection.
<p>Squid currently supports receiving HTTP traffic from a client proxy using this protocol.
- An http_port which has been configured to receive this protocol may only be used to
- receive traffic from client software sending in this protocol.
+ An <em>http_port</em> which has been configured to receive this protocol may only be used
+ to receive traffic from client software sending in this protocol.
HTTP traffic without the PROXY header is not accepted on such a port.
<p>The <em>accel</em> and <em>intercept</em> options are still used to identify the HTTP
is also deprecated. It will be removed in the Squid-3.6 series.
+<sect1>Elliptic Curve Diffie-Hellman (ECDH)
+<p>All listening port which supported Diffie-Hellman key exchange are now updated
+ to support Elliptic Curve configuration which allows for forward secrecy with
+ better performance than traditional ephemeral Diffie-Hellman.
+
+<p>The http(s)_port <em>dhparams=</em> option is replaced with <em>tls-dh=</em> that
+ takes an optional curve name as well as filename for curve parameters. The new
+ option configured without a curve name uses the traditional ephemeral DH.
+
+<p>A new <em>options=SINGLE_ECDH_USE</em> parameter is added to enable ephemeral
+ key exchanges for Elliptic Curve DH.
+
+
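Review bot: in the new ECDH section, `All listening port which supported` should read `All listening ports which supported`, and the trailing double blank line can go. More importantly, this section says the `dhparams=` option `is replaced with tls-dh=`, while the http_port and https_port entries below describe it as `Deprecated`; pick one wording and state whether an existing `dhparams=` line still works after upgrade. The section also leaves an admin unable to tell what `options=SINGLE_ECDH_USE` adds: `tls-dh=` with a curve name is already described as ephemeral ECDH, yet this paragraph says SINGLE_ECDH_USE is what `enable[s] ephemeral key exchanges`. State what changes relative to the default (for instance whether a fresh ECDH key is generated per handshake only when this option is set) so the forward-secrecy claim in the first paragraph is actionable.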
<sect>Changes to squid.conf since Squid-3.4
<p>
<p>Ported from Squid-2 with no configuration or visible behaviour changes.
Collapsing of requests is performed across SMP workers.
+ <tag>sslproxy_foreign_intermediate_certs</tag>
+ <p>New directive to load intermediate TLS certificates for
+ filling incomplete server certificate chains. Added in 3.5.13.
+
<tag>ftp_client_idle_timeout</tag>
<p>New directive controlling how long to wait for an FTP request on a
client connection to Squid <em>ftp_port</em>.
<p>New types <em>ssl::server_name</em> and <em>ssl::server_name_regex</em>
to match server name from various sources (CONNECT authority name,
TLS SNI domain, or X.509 certificate Subject Name).
+ <p>Extended <em>user_cert</em> and <em>ca_cert</em> types to accept
+ numeric OID for certificate attributes.
<tag>auth_param</tag>
<p>New parameter <em>key_extras</em> to send additional parameters to
Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1
<p>New option <em>require-proxy-header</em> to mark ports receiving PROXY
protocol version 1 or 2 traffic.
+ <p>New <em>options=NO_TICKET</em> parameter to disable TLS tickets
+ extension.
+ <p>New <em>options=SINGLE_ECDH_USE</em> parameter to enable ephemeral
+ ECDH key exchange. Added in 3.5.13.
+ <p>Deprecated <em>dhparams=</em> option. Use <em>tls-dh=</em> instead.
+ The new option allows to optionally specify an elliptic curve for
+ ephemeral ECDH by adding <em>curve-name:</em> in front of the
+ parameter file name. Added in 3.5.13.
<tag>https_port</tag>
<p><em>protocol=</em> option altered to accept protocol version details.
Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1
+ <p>New <em>options=NO_TICKET</em> parameter to disable TLS tickets
+ extension.
+ <p>New <em>options=SINGLE_ECDH_USE</em> parameter to enable ephemeral
+ ECDH key exchange. Added in 3.5.13.
+ <p>Deprecated <em>dhparams=</em> option. Use <em>tls-dh=</em> instead.
+ The new option allows to optionally specify an elliptic curve for
+ ephemeral ECDH by adding <em>curve-name:</em> in front of the
+ parameter file name. Added in 3.5.13.
<tag>logformat</tag>
<p>New format code <em>%credentials</em> to log the client credentials token.
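Review bot: in both the http_port and https_port entries, `The new option allows to optionally specify an elliptic curve` is ungrammatical; suggest `The new option also accepts an elliptic curve name for ephemeral ECDH, given as curve-name: in front of the parameter file name.` Also, every other paragraph this hunk adds carries `Added in 3.5.13.` except the `options=NO_TICKET` ones; if NO_TICKET is new in 3.5.13 it needs the same marker, and if it shipped in an earlier 3.5 release it should say which, since these notes cover the whole 3.5 series.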
<item>SSL support removal
<item>MSNT-multi-domain helper removal
<item>Secure ICAP
- <item>Elliptic Curve Diffie-Hellman (ECDH)
<item>Improved SMP support
</itemize>
proxy convention. The old 1344 default for plain ICAP ports has not changed.
-<sect1>Elliptic Curve Diffie-Hellman (ECDH)
-<p>All listening port which supported Diffie-Hellman key exchange are now updated
- to support Elliptic Curve configuration which allows for forward secrecy with
- better performance than traditional ephemeral Diffie-Hellman.
-
-<p>The http(s)_port <em>dhparams=</em> option is replaced with <em>tls-dh=</em> that
- takes an optional curve name as well as filename for curve parameters. The new
- option configured without a curve name uses the traditional ephemeral DH.
-
-<p>A new <em>options=SINGLE_ECDH_USE</em> parameter is added to enable ephemeral
- key exchanges for Elliptic Curve DH.
-
-
<sect1>Improved SMP support
<p>Use of C++11 atomic operations instead of GNU atomics allows a wider range of
operating systems and compilers to build Squid SMP and multi-process features.
<p>
<descrip>
<tag>tls_outgoing_options</tag>
- <p>New tag to define TLS security context options for outgoing
+ <p>New directive to define TLS security context options for outgoing
connections. For example to HTTPS servers.
<tag>url_rewrite_timeout</tag>
<sect1>Changes to existing tags<label id="modifiedtags">
<p>
<descrip>
+ <tag>acl</tag>
+ <p>New <em>-m</em> flag for <em>note</em> ACL to match substrings.
+
<tag>auth_param</tag>
<p>New parameter <em>queue-size=</em> to set the maximum number
of queued requests.
<p>All <em>option=</em> values for SSLv2 configuration or disabling
have been removed.
<p>Removed <em>version=</em> option. Use <em>tls-options=</em> instead.
- <p>New <em>options=SINGLE_ECDH_USE</em> parameter to enable ephemeral
- ECDH key exchange.
- <p>Deprecated <em>dhparams=</em> option. Use <em>tls-dh=</em> instead.
- The new option allows to optionally specify an elliptic curve for
- ephemeral ECDH by adding <em>curve-name:</em> in front of the
- parameter file name.
<p>Manual squid.conf update may be required on upgrade.
<p>Replaced <em>cafile=</em> with <em>tls-cafile=</em> which takes multiple entries.
<p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
<p>All <em>options=</em> values for SSLv2
configuration or disabling have been removed.
<p>Removed <em>version=</em> option. Use <em>tls-options=</em> instead.
- <p>New <em>options=SINGLE_ECDH_USE</em> parameter to enable ephemeral
- ECDH key exchange.
- <p>Deprecated <em>dhparams=</em> option. Use <em>tls-dh=</em> instead.
- The new option allows to optionally specify an elliptic curve for
- ephemeral ECDH by adding <em>curve-name:</em> in front of the
- parameter file name.
<p>Manual squid.conf update may be required on upgrade.
<p>Replaced <em>cafile=</em> with <em>tls-cafile=</em> which takes multiple entries.
<p>New <em>tls-domain=</em> option to verify the server certificate domain.
<tag>logformat</tag>
- <p>New code <em>%ssl::<cert_errors</em> to display server certificate errors.
+ <p>New code <em>%ssl::<cert_errors</em> to display server
+ certificate errors.
+ <p>New code <em>%ssl::>negotiated_version</em> to display
+ negotiated TLS version of the client connection.
+ <p>New code <em>%ssl::<negotiated_version</em> to display
+ negotiated TLS version of the last server or peer connection.
+ <p>New code <em>%ssl::>received_hello_version</em> to display the
+ TLS version of the Hello message received from TLS client.
+ <p>New code <em>%ssl::<received_hello_version</em> to display the
+ TLS version of the Hello message received from TLS server.
+ <p>New code <em>%ssl::>received_supported_version</em> to display
+ the maximum TLS version supported by the TLS client.
+ <p>New code <em>%ssl::<received_supported_version</em> to display
+ the maximum TLS version supported by the TLS server.
+ <p>New code <em>%ssl::>negotiated_cipher</em> to display the
+ negotiated cipher of the client connection.
+ <p>New code <em>%ssl::<negotiated_cipher</em> to display the
+ negotiated cipher of the last server or peer connection.
<tag>pid_filename</tag>
<p>Default value now based on squid -n command line parameter.
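Review bot: the logformat codes in this hunk embed a raw `<` inside SGML text (`%ssl::<cert_errors`, `%ssl::<negotiated_version`, `%ssl::<received_hello_version`, and so on); in linuxdoc a `<` followed by a letter opens a tag, so these should be written as `&lt;` (and `&gt;` for the `>` variants, for consistency). The pre-existing `%ssl::<cert_errors` line had the same problem, but since this hunk rewrites it and adds eight more codes, fix them all here.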
intermediate certificates. These certificates are not treated
as trusted root certificates, and any self-signed certificate in
this file will be ignored.
-
- This directive may be repeated to load multiple files.
DOC_END
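Review bot: deleting `This directive may be repeated to load multiple files.` from the sslproxy_foreign_intermediate_certs description leaves the behaviour with more than one occurrence undocumented. If the directive now takes a single file, say so and state what happens when it appears twice (later occurrence wins, or a configuration error); if repetition still works, the sentence should stay. The release-notes entry this patch adds for the directive (`New directive to load intermediate TLS certificates for filling incomplete server certificate chains`) does not settle it either.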
NAME: sslproxy_cert_sign_hash
+/*
+ * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
#include "squid.h"
#include "MemBuf.h"
#include "security/NegotiationHistory.h"
-#ifndef SQUID_SRC_SECURITY_NEGOTIATION_HISTORY_H
-#define SQUID_SRC_SECURITY_NEGOTIATION_HISTORY_H
+/*
+ * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
+#ifndef SQUID_SRC_SECURITY_NEGOTIATIONHISTORY_H
+#define SQUID_SRC_SECURITY_NEGOTIATIONHISTORY_H
#if USE_OPENSSL
#if HAVE_OPENSSL_SSL_H
#endif
namespace Security {
+
class NegotiationHistory
{
public:
} // namespace Security
-#endif /* SQUID_SRC_SECURITY_NEGOTIATION_HISTORY_H */
+#endif /* SQUID_SRC_SECURITY_NEGOTIATIONHISTORY_H */
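Review bot: the include-guard rename from SQUID_SRC_SECURITY_NEGOTIATION_HISTORY_H to SQUID_SRC_SECURITY_NEGOTIATIONHISTORY_H is applied consistently to the #ifndef, the #define and the closing #endif comment, and the added copyright block matches the one added to NegotiationHistory.cc in this patch. Since the guard macro itself was renamed, grep for the old spelling in any other file before merging; otherwise this hunk is fine.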