From: Amos Jeffries
Date: Mon, 18 Apr 2011 14:36:32 +0000 (+1200)
Subject: Prep for 3.1.12.1
X-Git-Tag: SQUID_3_1_12_1~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4eb155defe591d8de9ff61e2d0374707ad4926d4;p=thirdparty%2Fsquid.git
Prep for 3.1.12.1
---
diff --git a/ChangeLog b/ChangeLog
index 13035ca791..f18a533997 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+Changes to squid-3.1.12.1 (19 Apr 2011):
+
+ - Port from 3.2: Dynamic SSL Certificate generation
+ - Bug 3194: selinux may prevent ntlm_smb_lm_auth from using /tmp
+ - Bug 3185: 3.1.11 fails to compile on OpenBSD 4.8 and 4.9
+ - Bug 3183: Invalid URL accepted with url host part of only '@'
+ - Display ERROR in cache.log for invalid configured paths
+ - Cache Manager: send User-Agent header from cachemgr.cgi
+ - ... and many portability compile fixes for non-GCC systems.
+
Changes to squid-3.1.12 (04 Apr 2011):
- Regression fix: Use bigger buffer for server reads.
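Review bot: "Port from 3.2: Dynamic SSL Certificate generation" is the only item in this list that adds configuration surface to a stable branch (the sslcrtd_program and sslcrtd_children directives and the --enable-ssl-crtd build option appear in the release-notes hunks below), yet the entry gives a bare feature name; name the build option in the entry so packagers and administrators reading only the ChangeLog know a new helper binary is involved and that it is opt-in at configure time. The remaining entries are bug references or one-line fixes and read fine as written.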
diff --git a/doc/release-notes/release-3.1.html b/doc/release-notes/release-3.1.html
index 477e19d32f..5bc5c2862f 100644
--- a/doc/release-notes/release-3.1.html
+++ b/doc/release-notes/release-3.1.html
@@ -2,10 +2,10 @@
- Squid 3.1.12 release notes
+ Squid 3.1.12.1 release notes
-Squid 3.1.12 release notes
+Squid 3.1.12.1 release notes
Squid Developers
@@ -31,9 +31,10 @@ for Applied Network Research and members of the Web Caching community.
2.5 Connection Pinning (for NTLM Auth Passthrough)
2.6 Quality of Service (QoS) Flow support
2.7 SSL Bump (for HTTPS Filtering and Adaptation)
-2.8 eCAP Adaptation Module support
-2.9 ICAP Bypass and Retry enhancements
-2.10 ICY streaming protocol support
+2.8 Dynamic SSL Certificate Generation
+2.9 eCAP Adaptation Module support
+2.10 ICAP Bypass and Retry enhancements
+2.11 ICY streaming protocol support
@@ -70,7 +71,7 @@ for Applied Network Research and members of the Web Caching community.
-The Squid Team are pleased to announce the release of Squid-3.1.12
+The Squid Team are pleased to announce the release of Squid-3.1.12.1
This new release is available for download from
http://www.squid-cache.org/Versions/v3/3.1/ or the
mirrors.
@@ -124,6 +125,7 @@ While this release is not fully bug-free we believe it is ready for use in produ
eCAP Adaptation Module support
ICAP Bypass and Retry enhancements
ICY streaming protocol support
+Dynamic SSL Certificate Generation (3.1.12.1 and later)
Most user-facing changes are reflected in squid.conf (see below).
@@ -371,8 +373,30 @@ configured to explicitly use the proxy in their browser settings or via WPAD/PAC
configuration. Use of interception for port 443 is not officially supported, despite
being known to work under certain limited networking circumstances.
+
+
+ SslBump users know how many certificate warnings a single complex site
+(using dedicated image, style, and/or advertisement servers for embedded content)
+can generate. The warnings are legitimate and are caused by Squid-provided site
+certificate. Two things may be wrong with that certificate:
+
+- Squid certificate is not signed by a trusted authority.
+- Squid certificate name does not match the site domain name.
+
+
+Squid can do nothing about (A), but in most targeted environments, users will
+trust the "man in the middle" authority and install the corresponding root
+certificate.
-To avoid mismatch (B), the DynamicSslCert feature concentrates on generating
+site certificates that match the requested site domain name. Please note that
+the browser site name check does not really add much security in an SslBump
+environment where the user already trusts the "man in the middle". The check
+only adds warnings and creates page rendering problems in browsers that try to
+reduce the number of warnings by blocking some embedded content.
+
+
Details in
@@ -384,7 +408,7 @@ a c-icap server wrapper. This enables faster processing.
Currently known and available eCAP modules are listed in the wiki feature page on eCAP.
-Details in
@@ -446,7 +470,7 @@ should be large enough to not require an explicit configuration in most
environments yet may be small enough to limit side-effects of loops.
-2.10 ICY streaming protocol support
+2.11 ICY streaming protocol support
Squid-3.1 adds native support for streaming protocol ICY.
@@ -1047,6 +1071,12 @@ NOCOMMENT_START
+sslcrtd_program
+Specify the location and options of the executable for ssl_crtd process.
+
+sslcrtd_children
+ Configures the number of sslcrtd processes to spawn
+
sslproxy_cert_error
New Access Control to selectively bypass server certificate validation errors.
DEFAULT: None bypassed.
@@ -1575,6 +1605,10 @@ Cannot be used with --disable-loadable-modules.
original or indirect client when a request has been forwarded through other
proxies.
+--enable-ssl-crtd
+Prevent Squid from direct generation of SSL private key and
+certificate request and instead enables the ssl_crtd processes.
+
--enable-zph-qos
Build with support for ZPH Quality of Service controls
diff --git a/doc/release-notes/release-3.1.sgml b/doc/release-notes/release-3.1.sgml
index 8439638b94..c8719ed817 100644
--- a/doc/release-notes/release-3.1.sgml
+++ b/doc/release-notes/release-3.1.sgml
@@ -1,6 +1,6 @@
-Squid 3.1.12 release notes
+Squid 3.1.12.1 release notes
Squid Developers
@@ -13,7 +13,7 @@ for Applied Network Research and members of the Web Caching community.
Notice
-The Squid Team are pleased to announce the release of Squid-3.1.12
+The Squid Team are pleased to announce the release of Squid-3.1.12.1
This new release is available for download from or the .
@@ -62,6 +62,7 @@ The most important of these new features are:
- eCAP Adaptation Module support
- ICAP Bypass and Retry enhancements
- ICY streaming protocol support
+
- Dynamic SSL Certificate Generation (3.1.12.1 and later)
Most user-facing changes are reflected in squid.conf (see below).
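Review bot: the new item is appended after "ICY streaming protocol support", while the section itself (and the HTML table of contents in this same patch, which numbers it 2.8) is placed ahead of eCAP; pick one order for the summary list and the sections. The added blank "+" line between the ICY item and the new item also breaks the single-spaced pattern of the surrounding items; drop it, or check that the list still renders as one list.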
@@ -287,6 +288,25 @@ Microsoft NTLM Authentication instead of HTTP standard authentication through a
configuration. Use of interception for port 443 is not officially supported, despite
being known to work under certain limited networking circumstances.
+ Dynamic SSL Certificate Generation
+
SslBump users know how many certificate warnings a single complex site
+(using dedicated image, style, and/or advertisement servers for embedded content)
+can generate. The warnings are legitimate and are caused by Squid-provided site
+certificate. Two things may be wrong with that certificate:
+
+ - Squid certificate is not signed by a trusted authority.
+
- Squid certificate name does not match the site domain name.
+
+Squid can do nothing about (A), but in most targeted environments, users will
+trust the "man in the middle" authority and install the corresponding root
+certificate.
+
+
To avoid mismatch (B), the DynamicSslCert feature concentrates on generating
+site certificates that match the requested site domain name. Please note that
+the browser site name check does not really add much security in an SslBump
+environment where the user already trusts the "man in the middle". The check
+only adds warnings and creates page rendering problems in browsers that try to
+reduce the number of warnings by blocking some embedded content.
eCAP Adaptation Module support
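Review bot: the prose refers to "(A)" and "(B)", but the two list items above it are unlabelled bullets, so a reader has to guess that (A) is the untrusted signer and (B) is the name mismatch; label the items "(A)" and "(B)" or rewrite the references as "the untrusted signer" and "the name mismatch". The section also tells administrators that users "will trust the man in the middle authority and install the corresponding root certificate" without saying what that implies: once that root is installed, any certificate signed with its private key is accepted by every client for every site, so a sentence on keeping the signing key on the proxy only, readable by the Squid user alone, belongs here. The generated release-3.1.html hunk above carries the same text; fix the .sgml and regenerate rather than editing both copies by hand.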
@@ -894,6 +914,12 @@ NOCOMMENT_START
# ssl_bump allow all
+ sslcrtd_program
+ Specify the location and options of the executable for ssl_crtd process.
+
+ sslcrtd_children
+
Configures the number of sslcrtd processes to spawn
+
sslproxy_cert_error
New Access Control to selectively bypass server certificate validation errors.
DEFAULT: None bypassed.
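Review bot: both new entries describe a directive without stating its default, whereas the neighbouring sslproxy_cert_error entry gives "DEFAULT: None bypassed."; add DEFAULT lines for sslcrtd_program and sslcrtd_children (and an example sslcrtd_program invocation), since an administrator building with --enable-ssl-crtd needs to know whether anything runs without explicit configuration. The helper is also named inconsistently within the hunk: "ssl_crtd process" in the sslcrtd_program text and "sslcrtd processes" in the sslcrtd_children text; use one spelling. The stray blank "+" line between "sslcrtd_children" and its description, absent for sslcrtd_program, makes the two entries render differently.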
@@ -1379,6 +1405,10 @@ This section gives an account of those changes in three categories:
original or indirect client when a request has been forwarded through other
proxies.
+ --enable-ssl-crtd
+
Prevent Squid from direct generation of SSL private key and
+ certificate request and instead enables the ssl_crtd processes.
+
--enable-zph-qos
Build with support for ZPH Quality of Service controls
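Review bot: "Prevent Squid from direct generation of SSL private key and certificate request and instead enables the ssl_crtd processes" mixes subject and number; suggest "Prevents Squid from generating SSL private keys and certificate requests itself and delegates that work to the ssl_crtd helper processes." It would also help to say here that the helper is configured with the sslcrtd_program and sslcrtd_children directives documented above, since this configure-option list is the only place a builder looks.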
diff --git a/src/cf.data.pre b/src/cf.data.pre
index ace7a45fa2..d329774863 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -3743,10 +3743,10 @@ IFDEF: FOLLOW_X_FORWARDED_FOR&&ICAP_CLIENT
DEFAULT: on
LOC: Adaptation::Icap::TheConfig.icap_uses_indirect_client
DOC_START
- Controls whether the indirect client address
- (see follow_x_forwarded_for) instead of the
- direct client address is passed to an ICAP
- server as "X-Client-IP".
+ Controls whether the indirect client IP address (instead of the direct
+ client IP address) is passed to adaptation services.
+
+ See also: follow_x_forwarded_for adaptation_send_client_ip
DOC_END
NAME: via
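Review bot: the new text says the indirect client IP is passed "to adaptation services" in general, but the directive's IFDEF stays FOLLOW_X_FORWARDED_FOR&&ICAP_CLIENT and its LOC stays Adaptation::Icap::TheConfig.icap_uses_indirect_client, so in a build with eCAP but without ICAP the directive does not exist at all and the generic wording is misleading; either keep the ICAP-specific description here or move the IFDEF and LOC to an adaptation-wide setting together with the doc. The "See also" line refers to adaptation_send_client_ip, while the hunk further down that documents sharing the client IP sits next to NAME: icap_send_client_username; confirm that adaptation_send_client_ip is an accepted NAME or alias of that directive so the cross-reference resolves.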
@@ -4523,7 +4523,7 @@ delay_parameters pool aggregate network individual user
For a class 5 delay pool:
-delay_parameters pool tag
+delay_parameters pool tagrate
The variables here are:
@@ -4531,19 +4531,19 @@ delay_parameters pool tag
number specified in delay_pools as used in
delay_class lines.
- aggregate the "delay parameters" for the aggregate bucket
+ aggregate the speed limit parameters for the aggregate bucket
(class 1, 2, 3).
- individual the "delay parameters" for the individual
+ individual the speed limit parameters for the individual
buckets (class 2, 3).
- network the "delay parameters" for the network buckets
+ network the speed limit parameters for the network buckets
(class 3).
- user the delay parameters for the user buckets
+ user the speed limit parameters for the user buckets
(class 4).
- tag the delay parameters for the tag buckets
+ tagrate the speed limit parameters for the tag buckets
(class 5).
A pair of delay parameters is written restore/maximum, where restore is
@@ -5852,7 +5852,11 @@ COMMENT: on|off
LOC: Adaptation::Icap::TheConfig.send_client_ip
DEFAULT: off
DOC_START
- This adds the header "X-Client-IP" to ICAP requests.
+ If enabled, Squid shares HTTP client IP information with adaptation
+ services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
+ For eCAP, Squid sets the libecap::metaClientIp transaction option.
+
+ See also: adaptation_uses_indirect_client
DOC_END
NAME: icap_send_client_username
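Review bot: the doc now promises "For eCAP, Squid sets the libecap::metaClientIp transaction option", yet the option's LOC is still Adaptation::Icap::TheConfig.send_client_ip, an ICAP configuration object; confirm that the eCAP transaction code reads this same value (and that the directive is not guarded by an ICAP-only IFDEF) before documenting eCAP behaviour, otherwise eCAP users will enable it and get nothing. The same naming question as in the earlier hunk applies: the "See also" refers to adaptation_uses_indirect_client while the directive documented there is located at icap_uses_indirect_client.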