From: Amos Jeffries Date: Wed, 6 Jan 2016 14:18:40 +0000 (+1300) Subject: Prep for 4.0.4 and 3.5.13 X-Git-Tag: SQUID_4_0_4~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0461fde70842e5ca3d5d00b14d24769854beb9dc;p=thirdparty%2Fsquid.git Prep for 4.0.4 and 3.5.13 --- diff --git a/ChangeLog b/ChangeLog index a013ffd124..d8cc7bc9ec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +Changes to squid-4.0.4 (06 Jan 2016): + + - Support use of Kerberos credentials cache instead of keytab + - Support logging of TLS Cryptography Parameters + - Support substring matching in Note ACL + - ... and some code cleanup and polishing + - ... and all fixes from squid 3.5.13 + Changes to squid-4.0.3 (28 Nov 2015): - Bug 4372: missing template files @@ -8,7 +16,7 @@ Changes to squid-4.0.3 (28 Nov 2015): - ext_ldap_group_acl: Allow unlimited LDAP search filter - ext_unix_group_acl: Support -r parameter to strip @REALM from usernames - ... and much code cleanup and polishing - - ... and all fixes from squid 3.5.11 + - ... and all fixes from squid 3.5.12 Changes to squid-4.0.2 (01 Nov 2015): @@ -47,7 +55,6 @@ Changes to squid-4.0.1 (14 Oct 2015): - Replace sslproxy_* directives with tls_outgoing_options - Replace GNU atomics and related hacks with C++11 std::atomic - Replace external_acl_type format %macros with logformat codes - - Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange - Support Secure ICAP services - Support rotate=N option on access_log - Support bypass for non-HTTP intercepted traffic (on_unsupported_protocol) 
@@ -72,6 +79,18 @@ Changes to squid-4.0.1 (14 Oct 2015): - ... and many documentation changes - ... and much code cleanup and polishing +Changes to squid-3.5.13 (06 Jan 2016): + + - Bug 4397: DragonFly BSD, POSIX shared memory is implemented as filepath + - Bug 4387: Kerberos build errors on Solaris + - TLS: Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange + - TLS: Complete certificate chains using external intermediate certificates + - Avoid memory leaks when an X.509 certificate validator is used with SslBump + - Fix connection retry and fallback after failed server TLS connections + - Fix GnuTLS detection via pkg-config + - Fix startup crash with a misconfigured (too-small) shared memory cache + - ... and some documentation updates + Changes to squid-3.5.12 (28 Nov 2015): - Bug 4374: refresh_pattern config parser (%) diff --git a/SPONSORS.list b/SPONSORS.list index 75bd6dff91..7d972aa0b6 100644 --- a/SPONSORS.list +++ b/SPONSORS.list @@ -2,6 +2,11 @@ The following organizations have supported the Squid Project by providing their resources or funding various Squid development activities: @Squid-4: +Augur TBBS Pty Limited + + Augur TBBS has funded development work towards HTTP/2 support in + Squid-4. + LaunchPad - http://launchpad.net/ Provide Bazaar mirroring services and host the Squid-3+ developer diff --git a/doc/release-notes/release-3.5.sgml b/doc/release-notes/release-3.5.sgml index 4e47e7a69a..44522a6219 100644 --- a/doc/release-notes/release-3.5.sgml +++ b/doc/release-notes/release-3.5.sgml @@ -1,6 +1,6 @@
-Squid 3.5.12 release notes +Squid 3.5.13 release notes Squid Developers @@ -13,7 +13,7 @@ for Applied Network Research and members of the Web Caching community. Notice

-The Squid Team are pleased to announce the release of Squid-3.5.12. +The Squid Team are pleased to announce the release of Squid-3.5.13. This new release is available for download from or the . @@ -65,6 +65,7 @@ The 3.5 change history can be SSL support removal MSNT-multi-domain helper removal Secure ICAP - Elliptic Curve Diffie-Hellman (ECDH) Improved SMP support @@ -111,19 +110,6 @@ Most user-facing changes are reflected in squid.conf (see below). proxy convention. The old 1344 default for plain ICAP ports has not changed. -Elliptic Curve Diffie-Hellman (ECDH) -

All listening port which supported Diffie-Hellman key exchange are now updated - to support Elliptic Curve configuration which allows for forward secrecy with - better performance than traditional ephemeral Diffie-Hellman. - -

The http(s)_port dhparams= option is replaced with tls-dh= that - takes an optional curve name as well as filename for curve parameters. The new - option configured without a curve name uses the traditional ephemeral DH. - -

A new options=SINGLE_ECDH_USE parameter is added to enable ephemeral - key exchanges for Elliptic Curve DH. - - Improved SMP support

Use of C++11 atomic operations instead of GNU atomics allows a wider range of operating systems and compilers to build Squid SMP and multi-process features. @@ -151,7 +137,7 @@ This section gives a thorough account of those changes in three categories:

tls_outgoing_options -

New tag to define TLS security context options for outgoing +

New directive to define TLS security context options for outgoing connections. For example to HTTPS servers. url_rewrite_timeout @@ -164,6 +150,9 @@ This section gives a thorough account of those changes in three categories: Changes to existing tags

+ acl +

New -m flag for note ACL to match substrings. + auth_param

New parameter queue-size= to set the maximum number of queued requests. @@ -192,12 +181,6 @@ This section gives a thorough account of those changes in three categories:

All option= values for SSLv2 configuration or disabling have been removed.

Removed version= option. Use tls-options= instead. -

New options=SINGLE_ECDH_USE parameter to enable ephemeral - ECDH key exchange. -

Deprecated dhparams= option. Use tls-dh= instead. - The new option allows to optionally specify an elliptic curve for - ephemeral ECDH by adding curve-name: in front of the - parameter file name.

Manual squid.conf update may be required on upgrade.

Replaced cafile= with tls-cafile= which takes multiple entries.

New option tls-no-default-ca replaces sslflags=NO_DEFAULT_CA @@ -209,12 +192,6 @@ This section gives a thorough account of those changes in three categories:

All options= values for SSLv2 configuration or disabling have been removed.

Removed version= option. Use tls-options= instead. -

New options=SINGLE_ECDH_USE parameter to enable ephemeral - ECDH key exchange. -

Deprecated dhparams= option. Use tls-dh= instead. - The new option allows to optionally specify an elliptic curve for - ephemeral ECDH by adding curve-name: in front of the - parameter file name.

Manual squid.conf update may be required on upgrade.

Replaced cafile= with tls-cafile= which takes multiple entries. @@ -236,7 +213,24 @@ This section gives a thorough account of those changes in three categories:

New tls-domain= option to verify the server certificate domain. logformat -

New code %ssl::<cert_errors to display server certificate errors. +

New code %ssl::<cert_errors to display server + certificate errors. +

New code %ssl::>negotiated_version to display + negotiated TLS version of the client connection. +

New code %ssl::<negotiated_version to display + negotiated TLS version of the last server or peer connection. +

New code %ssl::>received_hello_version to display the + TLS version of the Hello message received from TLS client. +

New code %ssl::<received_hello_version to display the + TLS version of the Hello message received from TLS server. +

New code %ssl::>received_supported_version to display + the maximum TLS version supported by the TLS client. +

New code %ssl::<received_supported_version to display + the maximum TLS version supported by the TLS server. +

New code %ssl::>negotiated_cipher to display the + negotiated cipher of the client connection. +

New code %ssl::<negotiated_cipher to display the + negotiated cipher of the last server or peer connection. pid_filename

Default value now based on squid -n command line parameter. diff --git a/src/cf.data.pre b/src/cf.data.pre index 98f9f028c7..78df090c5f 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -2596,8 +2596,6 @@ DOC_START intermediate certificates. These certificates are not treated as trusted root certificates, and any self-signed certificate in this file will be ignored. - - This directive may be repeated to load multiple files. DOC_END NAME: sslproxy_cert_sign_hash diff --git a/src/security/NegotiationHistory.cc b/src/security/NegotiationHistory.cc index 1e998be0cf..3ee071bf4a 100644 --- a/src/security/NegotiationHistory.cc +++ b/src/security/NegotiationHistory.cc @@ -1,3 +1,11 @@ +/* + * Copyright (C) 1996-2016 The Squid Software Foundation and contributors + * + * Squid software is distributed under GPLv2+ license and includes + * contributions from numerous individuals and organizations. + * Please see the COPYING and CONTRIBUTORS files for details. + */ + #include "squid.h" #include "MemBuf.h" #include "security/NegotiationHistory.h" diff --git a/src/security/NegotiationHistory.h b/src/security/NegotiationHistory.h index 38ef219dc0..9a7dfd78e1 100644 --- a/src/security/NegotiationHistory.h +++ b/src/security/NegotiationHistory.h @@ -1,5 +1,13 @@ -#ifndef SQUID_SRC_SECURITY_NEGOTIATION_HISTORY_H -#define SQUID_SRC_SECURITY_NEGOTIATION_HISTORY_H +/* + * Copyright (C) 1996-2016 The Squid Software Foundation and contributors + * + * Squid software is distributed under GPLv2+ license and includes + * contributions from numerous individuals and organizations. + * Please see the COPYING and CONTRIBUTORS files for details. + */ + +#ifndef SQUID_SRC_SECURITY_NEGOTIATIONHISTORY_H +#define SQUID_SRC_SECURITY_NEGOTIATIONHISTORY_H #if USE_OPENSSL #if HAVE_OPENSSL_SSL_H @@ -8,6 +16,7 @@ #endif namespace Security { + class NegotiationHistory { public: 
@@ -36,5 +45,5 @@ private: } // namespace Security -#endif /* SQUID_SRC_SECURITY_NEGOTIATION_HISTORY_H */ +#endif /* SQUID_SRC_SECURITY_NEGOTIATIONHISTORY_H */
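Review bot: ChangeLog hunk @@ -8,7 +16,7 @@ rewrites the already-published squid-4.0.3 entry from "... and all fixes from squid 3.5.11" to "... and all fixes from squid 3.5.12". If 4.0.3 really shipped with the 3.5.12 fixes this is a correction of the historical record and deserves a word in the commit message (which only says "Prep for 4.0.4 and 3.5.13"); if it did not, the line belongs in the new squid-4.0.4 block added by @@ -1,3 +1,11 @@ instead.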
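Review bot: hunks @@ -192,12 +181,6 @@ and @@ -209,12 +192,6 @@ drop the "New options=SINGLE_ECDH_USE parameter" and "Deprecated dhparams= option. Use tls-dh= instead." items from the http_port and https_port sections while keeping "Manual squid.conf update may be required on upgrade." in place. Moving the feature out of the 4.0 notes is consistent with crediting it to 3.5.13 (ChangeLog hunks @@ -47,7 +55,6 @@ and @@ -72,6 +79,18 @@), but an administrator going from 3.5.12 or earlier straight to 4.0.4 now finds no hint that dhparams= is deprecated; suggest a one-line pointer to the 3.5.13 release notes under each of the two port directives.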
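Review bot: hunk @@ -151,7 +137,7 @@ changes "New tag to define TLS security context options" to "New directive ..." for tls_outgoing_options, but the section heading visible as context in the following hunk (@@ -164,6 +150,9 @@) still reads "Changes to existing tags". Either keep "tag" here or rename the headings in the same commit so the release notes use one term throughout.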
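Review bot: the logformat hunk @@ -236,7 +213,24 @@ adds eight %ssl:: codes whose descriptions distinguish the "client connection" from the "last server or peer connection" but do not say what is logged when no TLS handshake was observed on that side (a plain HTTP client, or a server connection that failed, which the 3.5.13 entry "Fix connection retry and fallback after failed server TLS connections" shows does happen). One sentence on the value emitted in that case (empty, "-", or the previous connection's values) would help anyone writing log parsers or detection rules on %ssl::>negotiated_version and %ssl::<negotiated_cipher.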
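Review bot: the cf.data.pre hunk @@ -2596,8 +2596,6 @@ (the directive documented immediately before NAME: sslproxy_cert_sign_hash) deletes "This directive may be repeated to load multiple files." without stating what now happens when the directive appears more than once. If repeated lines are no longer supported, the documentation should say so and the parser should warn or fail on a second occurrence, because a silently discarded intermediate-certificate file would defeat the chain completion that the 3.5.13 ChangeLog line "TLS: Complete certificate chains using external intermediate certificates" advertises.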
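Review bot: in the NegotiationHistory.h hunks the guard rename to SQUID_SRC_SECURITY_NEGOTIATIONHISTORY_H is applied consistently to the #ifndef, the #define and the closing #endif comment (@@ -1,5 +1,13 @@ and @@ -36,5 +45,5 @@), and the added blank line after "namespace Security {" in @@ -8,6 +16,7 @@ is whitespace-only, so together with the license headers added to NegotiationHistory.cc and .h this part of the patch has no functional change. Fine to land as-is.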