From: Amos Jeffries Date: Tue, 18 Aug 2015 15:13:58 +0000 (+1200) Subject: Docs: Release Notes update for 4.0 X-Git-Tag: SQUID_4_0_1~127 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4dd2c9d6bd418f800f5ec2fc13ef1245d0fd59f0;p=thirdparty%2Fsquid.git Docs: Release Notes update for 4.0 * Document C++11 requirement for compilers. * Document ICAPS support * Document Elliptic Curve Diffie-Hellman updates * Document SMP updates affecting feature availability Also, some squid.conf.documented updates for new features: * Update icap_service TLS options to replace "ssl" prefix with "tls-" on newly added options. * Remove icap_service 'sslcapath=' option from public display. It is still supported, but not very portable outside OpenSSL so do not encourage use at this time. --- diff --git a/doc/release-notes/release-4.sgml b/doc/release-notes/release-4.sgml index 0a1b582d8a..148b9d8061 100644 --- a/doc/release-notes/release-4.sgml +++ b/doc/release-notes/release-4.sgml @@ -12,8 +12,7 @@ for Applied Network Research and members of the Web Caching community. Notice -

-The Squid Team are pleased to announce the release of Squid-4.0.0 for testing. +

The Squid Team are pleased to announce the release of Squid-4.0.0 for testing. This new release is available for download from or the . @@ -24,10 +23,14 @@ This new release is available for download from . +

This release addsa dependency on C++11 support in any cmpiler used to build Squid. + As a result older C++03 -only and most C++0x compilers will no longer build successfully. + GCC 4.9+, Clang 3.5+ and ICC 12.0+ are known to have working C++11 support and are usable. + GCC-4.8 will also build for now despite lack of full C++11 support, but some future features may not be available. + Changes since earlier releases of Squid-4

The Squid-4 change history can be . @@ -42,6 +45,9 @@ The Squid-4 change history can be and

SSLv2 is not fit for purpose. Squid no longer supports being configured with -any settings regarding this protocol. That includes settings manually disabling -its use since it is now forced to disable by default. Also settings enabling -various client/server workarounds specific to SSLv2 are removed. + any settings regarding this protocol. That includes settings manually disabling + its use since it is now forced to disable by default. Also settings enabling + various client/server workarounds specific to SSLv2 are removed.

SSLv3 is not fit for purpose. Squid still accepts configuration, but use -is deprecated and will be removed entirely in a future version. -Squid default behavour is to follow the TLS built in negotiation mechanism -which prefers the latest TLS version. + is deprecated and will be removed entirely in a future version. + Squid default behavour is to follow the TLS built in negotiation mechanism + which prefers the latest TLS version. But also to accept downgrades to SSLv3. + Use tls-options=NO_SSLv3 to disable SSLv3 support completely. +

A new option tls-min-version=1.N is added in place of sslversion= + to configure the minimum version the TLS negotiation will allow to be used + when an old TLS version is requested by the remote endpoint. -MSNT-multi-domain helper removal +MSNT-multi-domain helper removal

The basic_msnt_multi_domain_auth helper has been removed. The basic_smb_lm_auth helper performs the same actions without extra Perl and Samba dependencies. +Secure ICAP +

ICAP services can now be used over TLS connections. + +

To mark an ICAP service as secure, use an icaps:// service URI scheme when + listing your service via an icap_service directive. The industry is using a + Secure ICAP term, and Squid follows that convention, but icaps seems more + appropriate for a scheme name. + +

Squid uses port 11344 for Secure ICAP by default, following another popular + proxy convention. The old 1344 default for plain ICAP ports has not changed. + + +Elliptic Curve Diffie-Hellman (ECDH) +

All listening port which supported Diffie-Hellman key exchange are now updated + to support Elliptic Curve configuration which allows for forward secrecy with + better performance than traditional ephemeral Diffie-Hellman. + +

The http(s)_port dhparams= option is replaced with tls-dh= that + takes an optional curve name as well as filename for curve parameters. The new + option configured without a curve name uses the traditional ephemeral DH. + +

A new options=SINGLE_ECDH_USE parameter is added to enable ephemeral + key exchanges for Elliptic Curve DH. + + +Improved SMP support +

Use of C++11 atomic operations instead of GNU atomics allows a wider range of + operating systems and compilers to build Squid SMP and multi-process features. + However this does require a C++11 or C++0x compiler with a recent version of + the C++ standard library. + +

IpcIo and Mmapped disk I/O modules are now auto-detected properly which + enables Rock storage on more systems by default than previously. + + Changes to squid.conf since Squid-3.5

There have been changes to Squid's configuration file since Squid-3.5. @@ -138,6 +184,12 @@ This section gives a thorough account of those changes in three categories:

All option= values for SSLv2 configuration or disabling have been removed.

Removed version= option. Use tls-options= instead. +

New options=SINGLE_ECDH_USE parameter to enable ephemeral + ECDH key exchange. +

Deprecated dhparams= option. Use tls-dh= instead. + The new option allows to optionally specify an elliptic curve for + ephemeral ECDH by adding curve-name: in front of the + parameter file name.

Manual squid.conf update may be required on upgrade. https_port @@ -153,6 +205,23 @@ This section gives a thorough account of those changes in three categories: parameter file name.

Manual squid.conf update may be required on upgrade. + icap_service +

New scheme icaps:// to enable TLS/SSL connections to Secure ICAP + servers on port 11344. +

New tls-cert= option to set TLS client certificate to use. +

New tls-key= option to set TLS private key matching the client + certificate used. +

New tls-min-version=1.N option to set minimum TLS version allowed + on server connections. +

New tls-options= option to set OpenSSL library parameters. +

New tls-flags= option to set flags modifying Squid TLS operations. +

New tls-cipher= option to set a list of ciphers permitted. +

New tls-cafile= option to set a file with additional CA + certificate(s) to verify the server certificate. +

New tls-crlfile= option to set a file with a CRL to verify the + server certificate. +

New tls-domain= option to verify the server certificate domain. + refresh_pattern

Removed ignore-auth. Its commonly desired behaviour is performed by default with correct HTTP/1.1 revalidation. @@ -241,6 +310,11 @@ This section gives an account of those changes in three categories: --enable-auth-basic

The MSNT-multi-domain helper has been removed. + --enable-diskio +

Auto-detection of SMP related modules has been fixed to + actually auto-detect them without configuring the module + list manually. +

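Review bot: typos in the new compiler-requirement paragraph in the @@ -24,10 +23,14 @@ hunk of release-4.sgml: "addsa dependency on C++11 support in any cmpiler" should read "adds a dependency on C++11 support in any compiler", and "C++03 -only" has a stray space before the hyphen. The paragraph also says GCC-4.8 "will also build for now despite lack of full C++11 support, but some future features may not be available"; say plainly whether 4.8 is a supported minimum or merely tolerated for this release, since that is the decision a build host upgrade hinges on.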
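Review bot: the Improved SMP support paragraph in the @@ -42,6 +45,9 @@ hunk says the atomics "require a C++11 or C++0x compiler", which contradicts the earlier hunk in this same patch stating that most C++0x compilers will no longer build Squid at all; drop "or C++0x" and refer to the single compiler requirement stated above. Two smaller points in the same hunk: the re-indented SSLv3 paragraph keeps the pre-existing typo "behavour" and now ends in the fragment "But also to accept downgrades to SSLv3.", which describes a security-relevant default and deserves a full sentence, e.g. "By default Squid still accepts a downgrade to SSLv3; use tls-options=NO_SSLv3 to disable SSLv3 completely."; and "All listening port which supported Diffie-Hellman" should be "ports".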
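Review bot: in the @@ -138,6 +184,12 @@ hunk the http_port entry says "Deprecated dhparams= option", while the Elliptic Curve section added earlier in this patch says dhparams= "is replaced with tls-dh="; pick one wording (if the old spelling is still accepted, "deprecated" is the accurate term and the ECDH section should say so). "The new option allows to optionally specify" reads better as "The new option can optionally specify an elliptic curve for ephemeral ECDH by prefixing the parameter file name with curve-name:". The unchanged context line just above, "Removed version= option. Use tls-options= instead.", now sits in the same notes as the new tls-min-version=1.N paragraph that says the minimum version is set "in place of sslversion="; update one of the two so upgraders are pointed at a single replacement.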
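Review bot: the icap_service entries in the @@ -153,6 +205,23 @@ hunk list "New tls-flags= option to set flags modifying Squid TLS operations" without naming the flags; the cf.data.pre hunk in this same patch documents DONT_VERIFY_PEER and DONT_VERIFY_DOMAIN under tls-flags=, and those are exactly what an upgrader reading release notes for security impact needs to see, so list them here with a one-line warning that they disable server certificate verification. The entry "New tls-domain= option to verify the server certificate domain" should also state the default the cf.data.pre text gives (the hostname from the ICAP URI) so readers know the check is on by default and what it compares against.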
diff --git a/src/cf.data.pre b/src/cf.data.pre index a35f5ef76d..31ac358740 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -8480,21 +8480,21 @@ DOC_START Use the given number as the Max-Connections limit, regardless of the Max-Connections value given by the service, if any. - ==== SSL / ICAPS / TLS OPTIONS ==== + ==== ICAPS / TLS OPTIONS ==== These options are used for Secure ICAP (icaps://....) services only. - sslcert=/path/to/ssl/certificate + tls-cert=/path/to/ssl/certificate A client SSL certificate to use when connecting to this icap server. - sslkey=/path/to/ssl/key - The private SSL key corresponding to sslcert above. - If 'sslkey' is not specified 'sslcert' is assumed to - reference a combined file containing both the + tls-key=/path/to/ssl/key + The private TLS/SSL key corresponding to sslcert above. + If 'tls-key' is not specified 'tls-cert' is assumed to + reference a combined PEM format file containing both the certificate and the key. - sslcipher=... The list of valid SSL ciphers to use when connecting + tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting to this icap server. tls-min-version=1.N 
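Review bot: the renamed tls-key= description in the @@ -8480,21 +8480,21 @@ hunk still says "The private TLS/SSL key corresponding to sslcert above." although the option on the preceding line is now tls-cert=; change it to "corresponding to tls-cert above". For consistency with the other renamed entries, "A client SSL certificate to use" could read "A client TLS/SSL certificate". The commit message says the "tls-" prefix replaces "ssl" only "on newly added options", yet this hunk renames the already documented sslcert=, sslkey= and sslcipher=; either state in the doc that the ssl-prefixed spellings are still accepted, or list them as renamed options in the release notes so existing Secure ICAP configurations are not broken without notice on upgrade.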
@@ -8502,45 +8502,52 @@ DOC_START SSLv3 use the ssloptions= parameter. Supported Values: 1.0 (default), 1.1, 1.2 - ssloptions=... Specify various SSL implementation options: + tls-options=... Specify various OpenSSL library options: NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1.0 NO_TLSv1_1 Disallow the use of TLSv1.1 NO_TLSv1_2 Disallow the use of TLSv1.2 + SINGLE_DH_USE Always create a new key when using temporary/ephemeral DH key exchanges + ALL Enable various bug workarounds - suggested as "harmless" by OpenSSL - Be warned that this reduces SSL/TLS - strength to some attacks. + suggested as "harmless" by OpenSSL + Be warned that this reduces SSL/TLS + strength to some attacks. See the OpenSSL SSL_CTX_set_options documentation for a - more complete list. + more complete list. Options relevant only to SSLv2 are + not supported. - sslcafile=... A file containing additional CA certificates to use - when verifying the icap server certificate. + tls-cafile=... A PEM file containing additional CA certificates to use + when verifying the icap server certificate. Used + to specify intermediate CA certificate(s) if not sent + by the server. Or the full CA chain for the server + when using the NO_DEFAULT_CA flag. - sslcapath=... A directory containing additional CA certificates to + tls-capath=... A directory containing additional CA certificates to use when verifying the icap server certificate. - sslcrlfile=... A certificate revocation list file to use when + tls-crlfile=... A certificate revocation list file to use when verifying the icap server certificate. - sslflags=... Specify various flags modifying the SSL implementation: + tls-flags=... Specify various flags modifying the Squid TLS implementation: DONT_VERIFY_PEER Accept certificates even if they fail to verify. NO_DEFAULT_CA - Don't use the default CA list built in - to OpenSSL. + Don't use the default CA list built into + OpenSSL. 
DONT_VERIFY_DOMAIN Don't verify the icap server certificate matches the server name - ssldomain= The icap server name as advertised in it's certificate. + tls-domain= The icap server name as advertised in it's certificate. Used for verifying the correctness of the received icap server certificate. If not specified the icap server hostname extracted from ICAP URI will be used.
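Review bot: the unchanged tls-min-version=1.N context at the top of the @@ -8502,45 +8502,52 @@ hunk still says "SSLv3 use the ssloptions= parameter" even though this hunk renames ssloptions= to tls-options=; update that reference to tls-options=NO_SSLv3 so the two entries agree. The commit message says the icap_service sslcapath= option is removed from public display, but this hunk only renames it ("- sslcapath=..." to "+ tls-capath=...") and leaves it documented; either drop the entry or adjust the commit message. Minor: the renamed tls-domain= line keeps "as advertised in it's certificate", which should be "its", and the new NO_TLSv1 entry would be clearer as "Disallow the use of TLSv1.0" listed next to NO_SSLv3 with a note that tls-min-version= is the preferred way to set the floor.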