The Squid Team are pleased to announce the release of Squid-4.0.1 for testing.
This new release is available for download from http://www.squid-cache.org/Versions/v4/ or the mirrors.
While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.
We welcome feedback and bug reports. If you find a bug, please see http://wiki.squid-cache.org/SquidFaq/BugReporting for how to submit a report with a stack trace.
Although this release is deemed good enough for use in many setups, please note the existence of open bugs against Squid-4.
This release adds a dependency on C++11 support in any compiler used to build Squid. As a result, older C++03-only and most C++0x compilers will no longer build it successfully. GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable. GCC 4.8 will also build for now despite lacking full C++11 support, but some future features may not be available with it.
The Squid-4 change history can be viewed here.
Squid 4 represents a new feature release above 3.5.
The most important of these new features are:
Most user-facing changes are reflected in squid.conf (see below).
The new queue-size=N option to helpers configuration, allows users to configure the maximum number of queued requests to busy helpers.
The helper-mux.pl script we have been distributing for the past few years to encourage use of concurrency is no longer compatible with Squid. If used, it will spawn up to 2^64 helpers and DoS the Squid server.
Helpers that use arrays to handle a fixed number of concurrency channels MUST be re-written to use queues and to be capable of handling a 64-bit integer as the channel index, or they will be vulnerable to buffer overruns and arbitrary memory accesses.
32-bit helpers need re-writing to handle the concurrency channel ID as a 64-bit integer value. If not updated, they will cause proxies to return unexpected results or time out once the ID crosses the 32-bit wrap boundary, leading to undefined behaviour in the client HTTP traffic.
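The following is an added example of a concurrent helper written the way these notes require: it is not code from the Squid project. It treats the leading channel-ID as an unbounded integer (so neither a 32-bit wrap nor a 2^64-1 value can index past anything), keeps in-flight state in a dictionary rather than a fixed-size array, and echoes the channel-ID back on every reply. The request payload format assumed here (`%SRC %DST` as an external ACL helper would see it), the blocklist and the test lines are constructed for the example.

```python
import sys

# Constructed blocklist for the example policy; a real helper would consult its own data.
BLOCKED_HOSTS = {"blocked.example", "malware.example"}

MAX_CHANNEL_ID = 2 ** 64 - 1  # Squid 4 channel IDs are 64-bit unsigned integers


def parse_request(line):
    """Split "<channel-id> <payload>" into (int, str); None if the line is malformed."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0].isdigit():
        return None
    channel = int(parts[0])  # Python ints do not wrap, so 2^32 and beyond are fine
    if channel > MAX_CHANNEL_ID:
        return None
    return channel, parts[1]


def decide(payload):
    """Policy for a constructed '%SRC %DST' payload: ERR for blocked hosts, OK otherwise."""
    fields = payload.split()
    if len(fields) < 2:
        return "BH message=bad_request_format"  # helper-side failure, not a policy answer
    dst = fields[1].lower()
    return "ERR" if dst in BLOCKED_HOSTS else "OK"


class ConcurrentHelper:
    """Answers requests on any channel; never indexes a fixed array by channel-ID."""

    def __init__(self):
        self.in_flight = {}  # channel-ID -> payload, keyed by value rather than position
        self.handled = 0

    def handle(self, line):
        parsed = parse_request(line)
        if parsed is None:
            # Without a valid channel-ID there is nothing to echo back.
            return "BH message=malformed_channel_id"
        channel, payload = parsed
        self.in_flight[channel] = payload
        try:
            reply = decide(payload)
        finally:
            del self.in_flight[channel]
        self.handled += 1
        return "%d %s" % (channel, reply)  # reply always starts with the same channel-ID

    def serve(self, inp=sys.stdin, out=sys.stdout):
        """Main loop: one request line in, one reply line out, flushed per answer."""
        for line in inp:
            out.write(self.handle(line) + "\n")
            out.flush()  # Squid waits on each answer; buffering would stall the channel


if __name__ == "__main__":
    ConcurrentHelper().serve()
```

Because the dictionary is keyed by the numeric value, a channel-ID of 4294967296 or 18446744073709551615 costs no more than channel 0, which is exactly the property an array-indexed helper lacks.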
Details are in RFC 6176 and RFC 7568.
SSLv2 is not fit for purpose. Squid no longer supports being configured with any settings regarding this protocol. That includes settings that manually disabled its use, since it is now always disabled. Settings enabling various client/server workarounds specific to SSLv2 are also removed.
SSLv3 is not fit for purpose. Squid still accepts its configuration, but use is deprecated and will be removed entirely in a future version. Squid's default behaviour is to follow the built-in TLS negotiation mechanism, which prefers the latest TLS version but also accepts downgrades to SSLv3. Use tls-options=NO_SSLv3 to disable SSLv3 support completely.
A new option tls-min-version=1.N is added in place of sslversion= to configure the minimum version the TLS negotiation will allow to be used when an old TLS version is requested by the remote endpoint.
The basic_msnt_multi_domain_auth helper has been removed. The basic_smb_lm_auth helper performs the same actions without extra Perl and Samba dependencies.
ICAP services can now be used over TLS connections.
To mark an ICAP service as secure, use an icaps:// service URI scheme when listing your service via an icap_service directive. The industry is using a Secure ICAP term, and Squid follows that convention, but icaps seems more appropriate for a scheme name.
Squid uses port 11344 for Secure ICAP by default, following another popular proxy convention. The old 1344 default for plain ICAP ports has not changed.
All listening ports which supported Diffie-Hellman key exchange now also support Elliptic Curve configuration, which allows forward secrecy with better performance than traditional ephemeral Diffie-Hellman.
The http(s)_port dhparams= option is replaced with tls-dh=, which takes an optional curve name as well as the filename for the curve parameters. The new option configured without a curve name uses traditional ephemeral DH.
A new options=SINGLE_ECDH_USE parameter is added to enable ephemeral key exchanges for Elliptic Curve DH.
Use of C++11 atomic operations instead of GNU atomics allows a wider range of operating systems and compilers to build Squid SMP and multi-process features. However, this does require a C++11 or C++0x compiler with a recent version of the C++ standard library.
The IpcIo and Mmapped disk I/O modules are now auto-detected properly, which enables Rock storage by default on more systems than previously.
There have been changes to Squid's configuration file since Squid-3.5.
This section gives a thorough account of those changes in three categories:
New tag to define TLS security context options for outgoing connections. For example to HTTPS servers.
Squid times active requests to redirector. This option sets the timeout value and the Squid reaction to a timed out request.
New parameter queue-size= to set the maximum number of queued requests.
New option tls-min-version=1.N to set minimum TLS version allowed.
New option tls-no-default-ca replaces sslflags=NO_DEFAULT_CA.
All ssloptions= values for SSLv2 configuration or disabling have been removed.
Removed sslversion= option. Use tls-options= instead.
Manual squid.conf update may be required on upgrade.
Replaced sslcafile= with tls-cafile= which takes multiple entries.
New parameter queue-size= to set the maximum number of queued requests.
Format field updated to accept any logformat %macro code.
New option tls-min-version=1.N to set minimum TLS version allowed.
New option tls-no-default-ca replaces sslflags=NO_DEFAULT_CA.
All option= values for SSLv2 configuration or disabling have been removed.
Removed version= option. Use tls-options= instead.
New options=SINGLE_ECDH_USE parameter to enable ephemeral ECDH key exchange.
Deprecated dhparams= option. Use tls-dh= instead. The new option optionally accepts an elliptic curve for ephemeral ECDH, given by adding curve-name: in front of the parameter file name.
Manual squid.conf update may be required on upgrade.
Replaced cafile= with tls-cafile= which takes multiple entries.
New option tls-no-default-ca replaces sslflags=NO_DEFAULT_CA.
New option tls-min-version=1.N to set minimum TLS version allowed.
New option tls-no-default-ca replaces sslflags=NO_DEFAULT_CA.
All options= values for SSLv2 configuration or disabling have been removed.
Removed version= option. Use tls-options= instead.
New options=SINGLE_ECDH_USE parameter to enable ephemeral ECDH key exchange.
Deprecated dhparams= option. Use tls-dh= instead. The new option optionally accepts an elliptic curve for ephemeral ECDH, given by adding curve-name: in front of the parameter file name.
Manual squid.conf update may be required on upgrade.
Replaced cafile= with tls-cafile= which takes multiple entries.
New scheme icaps:// to enable TLS/SSL connections to Secure ICAP servers on port 11344.
New tls-cert= option to set TLS client certificate to use.
New tls-key= option to set TLS private key matching the client certificate used.
New tls-min-version=1.N option to set minimum TLS version allowed on server connections.
New tls-options= option to set OpenSSL library parameters.
New tls-flags= option to set flags modifying Squid TLS operations.
New tls-cipher= option to set a list of ciphers permitted.
New tls-cafile= option to set a file with additional CA certificate(s) to verify the server certificate.
New tls-crlfile= option to set a file with a CRL to verify the server certificate.
New tls-domain= option to verify the server certificate domain.
New code %ssl::<cert_errors to display server certificate errors.
Default value is now based on the squid -n command line parameter.
Removed option ignore-auth. Its commonly desired behaviour is performed by default with correct HTTP/1.1 revalidation.
Removed ignore-must-revalidate. Other more HTTP compliant directives (cache, store_miss) can be used to prevent objects from caching.
New parameter queue-size= to set the maximum number of queued requests.
New parameter queue-size= to set the maximum number of queued requests.
New parameter queue-size= to set the maximum number of queued requests.
Superseded by cache_peer_access. Use a dstdomain ACL in the access control list to restrict the domains requested.
Replaced by tls_outgoing_options cafile=, which now takes multiple entries.
Replaced by tls_outgoing_options capath=.
Replaced by tls_outgoing_options cipher=.
Replaced by tls_outgoing_options cert=.
Replaced by tls_outgoing_options key=.
Replaced by tls_outgoing_options flags=.
Replaced by tls_outgoing_options options=.
All values for SSLv2 configuration or disabling have been removed.
Manual squid.conf update may be required on upgrade.
Replaced by tls_outgoing_options options=.
All values for SSLv2 configuration or disabling have been removed.
Manual squid.conf update may be required on upgrade.
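Since several of the renames above state that a manual squid.conf update may be required, here is an added pre-upgrade audit script; it is not part of Squid and the Squid project ships no such tool. The option mapping it applies is taken from these notes (sslversion=/version= superseded by tls-options= and tls-min-version=, dhparams= by tls-dh=, sslcafile=/cafile= by tls-cafile=, sslflags=NO_DEFAULT_CA by tls-no-default-ca, SSLv2 values removed, tls-options=NO_SSLv3 to refuse the SSLv3 downgrade, and the icaps:// scheme defaulting to port 11344). It also splits a tls-dh= value into its optional curve-name: prefix and parameter file. The sample configuration, including the host names and file paths, is constructed for the example; directive names are only inspected where the line itself carries the option.

```python
import re

# Option keys these release notes list as removed, deprecated or renamed, with the
# replacement the notes name. Constructed mapping; directive names are not assumed.
RENAMED_OPTIONS = {
    "sslversion": "tls-min-version=1.N (tls-options= for other protocol settings)",
    "version": "tls-options= (tls-min-version=1.N for the version floor)",
    "dhparams": "tls-dh=[curve-name:]file",
    "sslcafile": "tls-cafile= (may be given more than once)",
    "cafile": "tls-cafile= (may be given more than once)",
}
SSL_OPTION_KEYS = {"options", "ssloptions", "tls-options"}  # SSLv2 values gone from all
ICAP_DEFAULT_PORTS = {"icap": 1344, "icaps": 11344}


def parse_tls_dh(value):
    """Split tls-dh= into (curve_name, params_file); curve_name is None for plain DH."""
    curve, sep, path = value.partition(":")
    return (curve, path) if sep else (None, value)


def icap_default_port(uri):
    """Port an icap_service URI will use, applying the scheme default when none is given."""
    m = re.match(r"^(icaps?)://([^/:]+)(?::(\d+))?(/|$)", uri)
    if not m:
        return None
    scheme, _host, port, _rest = m.groups()
    return int(port) if port else ICAP_DEFAULT_PORTS[scheme]


def audit_line(line):
    """Return human-readable findings for one squid.conf line (empty list if clean)."""
    findings = []
    tokens = line.split("#", 1)[0].split()  # drop trailing comments
    if not tokens:
        return findings
    directive = tokens[0]
    has_tls = sslv3_off = False
    for tok in tokens[1:]:
        if "=" not in tok:
            continue
        key, value = tok.split("=", 1)
        if key.startswith("tls-"):
            has_tls = True
        if key in RENAMED_OPTIONS:
            findings.append(f"{directive}: {key}= is removed or deprecated; use {RENAMED_OPTIONS[key]}")
        if key in SSL_OPTION_KEYS and "SSLV2" in value.upper():
            findings.append(f"{directive}: SSLv2 values in {key}= are no longer accepted")
        if key == "sslflags" and "NO_DEFAULT_CA" in value:
            findings.append(f"{directive}: sslflags=NO_DEFAULT_CA is now tls-no-default-ca")
        if (key == "tls-options" and "NO_SSLV3" in value.upper()) or key == "tls-min-version":
            sslv3_off = True
        if key == "tls-dh":
            curve, path = parse_tls_dh(value)
            kind = f"ECDHE with curve {curve}" if curve else "traditional ephemeral DH"
            findings.append(f"{directive}: tls-dh uses {kind} (parameters in {path})")
    if has_tls and not sslv3_off:
        findings.append(f"{directive}: SSLv3 downgrade still accepted; add tls-options=NO_SSLv3 or set tls-min-version=")
    if directive == "icap_service" and len(tokens) > 1:
        for tok in tokens[1:]:
            if re.match(r"^icaps?://", tok):
                kind = "Secure ICAP (TLS)" if tok.startswith("icaps://") else "plain ICAP"
                findings.append(f"icap_service {tokens[1]}: {kind} on port {icap_default_port(tok)}")
    return findings


def audit_conf(text):
    """Audit a whole configuration; returns (line_number, finding) pairs."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1) for f in audit_line(line)]


# Constructed squid.conf fragment as carried over from a Squid-3.5 install.
SAMPLE_CONF = """\
# constructed example configuration
https_port 3129 cafile=/etc/squid/ca.pem dhparams=/etc/squid/dh.pem version=4 options=NO_SSLv2 sslflags=NO_DEFAULT_CA
cache_peer parent.example parent 3128 0 ssl sslcafile=/etc/squid/peer-ca.pem sslversion=4
https_port 3130 tls-cafile=/etc/squid/ca.pem tls-dh=prime256v1:/etc/squid/dh.pem tls-options=NO_SSLv3
https_port 3131 tls-cafile=/etc/squid/ca.pem tls-dh=/etc/squid/dh.pem
icap_service av_resp respmod_precache icap://av.example/response
icap_service av_req reqmod_precache icaps://av.example/request
"""

if __name__ == "__main__":
    for lineno, finding in audit_conf(SAMPLE_CONF):
        print(f"line {lineno}: {finding}")
```

Run against the sample, the audit flags every legacy key on the two Squid-3.5 lines, notes that port 3130 refuses SSLv3 while port 3131 still accepts the downgrade, and reports which of the two icap_service entries is Secure ICAP on 11344.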
There have been some changes to Squid's build configuration since Squid-3.5.
This section gives an account of those changes in three categories:
The MSNT-multi-domain helper has been removed.
Auto-detection of SMP-related modules has been fixed so that they are detected without configuring the module list manually.
Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-4.
If you need something to do, then porting one of these from Squid-2 to Squid-3 is most welcome.
Not yet ported from 2.6
monitorinterval= not yet ported from 2.6
monitorsize= not yet ported from 2.6
monitortimeout= not yet ported from 2.6
monitorurl= not yet ported from 2.6
Not yet ported from 2.6
Not yet ported from 2.6
Not yet ported from 2.7
Not yet ported from 2.6
Not yet ported from 2.6
Not yet ported from 2.6
Not yet ported from 2.6
stale-while-revalidate= not yet ported from 2.7
ignore-stale-while-revalidate= not yet ported from 2.7
negative-ttl= not yet ported from 2.7
Not yet ported from 2.7
Not yet ported from 2.7
Copyright (C) 1996-2015 The Squid Software Foundation and contributors
Squid software is distributed under GPLv2+ license and includes contributions from numerous individuals and organizations. Please see the COPYING and CONTRIBUTORS files for details.