+Changes to squid-3.2.0.7 (19 Apr 2011):
+
+ - Regression fix: NTLM and Negotiate auth assertion "RefCountCount() == 2"
+ - Regression fix: icons/ FHS compliance
+ - Regression fix: Startup aborts with URL error when --disable-htcp
+ - Bug 3192: comm.cc:216: "fd_table[fd].halfClosedReader != NULL"
+ - Add negotiate_wrapper_auth version 1.0.1
+ - Fixed %dt logging in the presence of REQMOD
+ - Fixed chunked request forwarding in ICAP REQMOD presence
+ - ... all bug fixes and updates from 3.1.12.1
+ - ... many code polishings and display cleanups
+
Changes to squid-3.2.0.6 (04 Apr 2011):
- Regression fix: upgrade existing icons
- ... and a great many testing improvements
- ... and many documentation updates
+Changes to squid-3.1.12.1 (19 Apr 2011):
+
+ - Port from 3.2: Dynamic SSL Certificate generation
+ - Bug 3194: selinux may prevent ntlm_smb_lm_auth from using /tmp
+ - Bug 3185: 3.1.11 fails to compile on OpenBSD 4.8 and 4.9
+ - Bug 3183: Invalid URL accepted with url host part of only '@'
+ - Display ERROR in cache.log for invalid configured paths
+ - Cache Manager: send User-Agent header from cachemgr.cgi
+ - ... and many portability compile fixes for non-GCC systems.
+
Changes to squid-3.1.12 (04 Apr 2011):
- Regression fix: Use bigger buffer for server reads.
<!doctype linuxdoc system>
<article>
-<title>Squid 3.1.12 release notes</title>
+<title>Squid 3.1.12.1 release notes</title>
<author>Squid Developers</author>
<abstract>
<sect>Notice
<p>
-The Squid Team are pleased to announce the release of Squid-3.1.12
+The Squid Team are pleased to announce the release of Squid-3.1.12.1
This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.1/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
<item>eCAP Adaptation Module support
<item>ICAP Bypass and Retry enhancements
<item>ICY streaming protocol support
+ <item>Dynamioc SSL Certificate Generatio (3.1.12.1 and later)
</itemize>
Most user-facing changes are reflected in squid.conf (see below).
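Review bot: The added feature-list item has two typos, "Dynamioc" and "Generatio", which will go straight into the published release notes. It should read "Dynamic SSL Certificate Generation (3.1.12.1 and later)", matching the section title added further down in this file.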
configuration. Use of interception for port 443 is not officially supported, despite
being known to work under certain limited networking circumstances.
+<sect1> Dynamic SSL Certificate Generation
+<p> SslBump users know how many certificate warnings a single complex site
+(using dedicated image, style, and/or advertisement servers for embedded content)
+can generate. The warnings are legitimate and are caused by Squid-provided site
+certificate. Two things may be wrong with that certificate:
+<itemize>
+ <item> Squid certificate is not signed by a trusted authority.
+ <item> Squid certificate name does not match the site domain name.
+</itemize>
+Squid can do nothing about (A), but in most targeted environments, users will
+trust the "man in the middle" authority and install the corresponding root
+certificate.
+
+<p>To avoid mismatch (B), the DynamicSslCert feature concentrates on generating
+site certificates that match the requested site domain name. Please note that
+the browser site name check does not really add much security in an SslBump
+environment where the user already trusts the "man in the middle". The check
+only adds warnings and creates page rendering problems in browsers that try to
+reduce the number of warnings by blocking some embedded content.
<sect1>eCAP Adaptation Module support
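Review bot: The new section refers to "(A)" and "(B)" ("Squid can do nothing about (A)", "To avoid mismatch (B)"), but the two problems are listed in an itemize block whose items carry no such labels, so the references point at nothing in the rendered notes. Put the labels into the item text, or name the problems in the prose (the untrusted signer, the name mismatch). The phrase "caused by Squid-provided site certificate" is also missing an article. Because this text tells administrators that the browser name check adds little once the "man in the middle" authority is trusted, a pointer to the sslcrtd_program and sslcrtd_children tags added later in this file would show readers where the feature is actually configured.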
# ssl_bump allow all
</verb>
+ <tag>sslcrtd_program</tag>
+ <p>Specify the location and options of the executable for ssl_crtd process.
+
+ <tag>sslcrtd_children</tag>
+ <p> Configures the number of sslcrtd processes to spawn
+
<tag>sslproxy_cert_error</tag>
<p>New Access Control to selectively bypass server certificate validation errors.
DEFAULT: None bypassed.
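Review bot: The two new tag descriptions are thinner than the neighbouring entries: neither gives a DEFAULT line (the sslproxy_cert_error entry right after them does), and neither says whether the directive depends on the --enable-ssl-crtd build option documented elsewhere in this patch. The helper is also named inconsistently, "ssl_crtd process" under sslcrtd_program and "sslcrtd processes" under sslcrtd_children. Pick one spelling and end the second description with a full stop.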
original or indirect client when a request has been forwarded through other
proxies.
+ <tag>--enable-ssl-crtd</tag>
+ <p>Prevent Squid from direct generation of SSL private key and
+ certificate request and instead enables the <em>ssl_crtd,/em> processes.
+
<tag>--enable-zph-qos</tag>
<p>Build with support for ZPH Quality of Service controls
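Review bot: The closing tag in the --enable-ssl-crtd description is malformed: "<em>ssl_crtd,/em>" has a comma where "<" belongs, so the em element is never closed and the linuxdoc source may fail to build or render everything after it as emphasised. It should be "<em>ssl_crtd</em>". The sentence also mixes verb forms ("Prevent Squid from direct generation ... and instead enables"). Something like "Prevents Squid from directly generating the SSL private key and certificate request, and instead enables the ssl_crtd processes" reads correctly.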
<!doctype linuxdoc system>
<article>
-<title>Squid 3.2.0.6 release notes</title>
+<title>Squid 3.2.0.7 release notes</title>
<author>Squid Developers</author>
<abstract>
<sect>Notice
<p>
-The Squid Team are pleased to announce the release of Squid-3.2.0.6 for testing.
+The Squid Team are pleased to announce the release of Squid-3.2.0.7 for testing.
This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.2/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
<item>Surrogate/1.0 protocol extensions to HTTP
<item>Logging Infrastructure Updated
<item>Client Bandwidth Limits
- <item>Dynamic SSL Certificate Generation
<item>Better eCAP support
</itemize>
<p><itemize>
<item>squid_kerb_auth - negotiate_kerberos_auth - Authenticate with Kerberos servers.
<item>mswin_sspi - negotiate_sspi_auth - Authenticate with a Windows Domain Controller using SSPI.
+ <item>negotiate_wrapper - negotiate_wrapper_auth - Split Negotiate traffic between Kerberos and NTLM helpers.
</itemize>
<sect2>NTLM Authentication protocol helpers
response data from Squid. This delay may need to be lowered in
high-bandwidth environments.
-<sect1> Dynamic SSL Certificate Generation
-<p> SslBump users know how many certificate warnings a single complex site
-(using dedicated image, style, and/or advertisement servers for embedded content)
-can generate. The warnings are legitimate and are caused by Squid-provided site
-certificate. Two things may be wrong with that certificate:
-<itemize>
- <item> Squid certificate is not signed by a trusted authority.
- <item> Squid certificate name does not match the site domain name.
-</itemize>
-Squid can do nothing about (A), but in most targeted environments, users will
-trust the "man in the middle" authority and install the corresponding root
-certificate.
-
-<p>To avoid mismatch (B), the DynamicSslCert feature concentrates on generating
-site certificates that match the requested site domain name. Please note that
-the browser site name check does not really add much security in an SslBump
-environment where the user already trusts the "man in the middle". The check
-only adds warnings and creates page rendering problems in browsers that try to
-reduce the number of warnings by blocking some embedded content.
-
<sect>Changes to squid.conf since Squid-3.1
<p>
There have been changes to Squid's configuration file since Squid-3.1.
<tag>write_timeout</tag>
<p>New setting to limit time spent waiting for data writes to be confirmed.
-
- <tag>sslcrtd_program</tag>
- <p>Specify the location and options of the executable for ssl_crtd process.
-
- <tag>sslcrtd_children</tag>
- <p> Configures the number of sslcrtd processes to spawn
</descrip>
<sect1>Changes to existing tags<label id="modifiedtags">
<tag>--without-netfiler-conntrack</tag>
<p>Disables the libnetfilter_conntrack library being used for the new qos_flows option <em>mark</em>.
default is to auto-detect the library and use where available.
-
- <tag>--enable-ssl-crtd</tag>
- <p> Prevent Squid from directly generation of SSL private key and
- certificate request and instead enables the ssl_crtd processes.
</descrip>
<sect1>Changes to existing options<label id="modifiedoptions">