The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.20 release!
This release is a bug fix release resolving several issues found in the
prior Squid releases.
The major changes to be aware of:
* Regression Bug 4692: SSL-Bump breaks intercepted IPv6 connections
This bug applies to all IPv6 intercepted traffic (TPROXY, etc.). It is
especially visible with SSL/TLS (port 443) traffic. It affects Google
searches, YouTube videos, and many other websites. With non-TLS/SSL
requests, it can cause what appear to be timeouts as well as other
problems. It is a regression specific to the Squid-4 release series, not
affecting any other installations.
* Regression Bug 4659: sslproxy_foreign_intermediate_certs does not work
This bug appears as loading of custom intermediate certificates not
working since the auto-download feature was implemented in Squid-4.
This release is now able to verify a certificate chain with both
configured intermediates and auto-downloaded CA certificates.
* Bug 4662: build errors with LibreSSL 2.4.4
This release updates the OpenSSL v1.1 support to use API feature
detection to resolve many issues identified with LibreSSL and
potentially other OpenSSL derived libraries. New tests have been added,
existing feature tests have been updated to obey the --with-openssl=PATH
parameter more accurately for custom library locations, and the squid -v
output is updated to report which library is being loaded and used at
As such there are some potentially significant changes to the code being
used by LibreSSL and other derivative libraries. These should build and
work now, but are not specifically tested by the Squid team developing
the TLS/SSL code. Community testing and feedback is very welcome.
* Bug 4321: ssl_bump terminate does not terminate at step1
This release adds support for terminating TLS connections before any TLS
protocol has been received. Previous versions of Squid would require
some of the handshake to be received before terminate would work. This
also causes non-TLS connections to be able to properly terminate before
step1 of the SSL-Bump process.
* Improved cache_peer handling
This release updates the DEAD peer probe behaviour and handling to
reduce HTTP response times when a cache_peer previously marked DEAD is
involved as a potential destination for the request. For example as a
failover destination after an initial attempt to a LIVE peer failed, or
as a probe to investigate peer recovery when ICP, HTCP, Digest, NetDB
and ICMP are all disabled.
Also, as of this release a new DNS query no longer revives DEAD peers
unconditionally. This prevents periodic timeouts on transactions when
DNS TTL is short and a peer is unavailable for extended periods of time
relative to that TTL.
These changes will impact all Squid installations depending on these
passive DNS or HTTP revival methods as the sole ways for peers to be
detected as usable once they go down. An active probe of at least one
type mentioned above is now required to avoid an increase in user
visible connection failures.
* Make PID file check/creation atomic and earlier
This release adds further improvements to the Squid startup process for
better PID file related behaviour to set the file contents earlier and
in an atomic manner. Fixing many race condition issues when SMP workers
are involved or an init system such as systemd, upstart, and OpenRC with
potentially parallel startup procedures is used.
* OpenSSL support better compliance with license requirements
The OpenSSL license requires that all binaries which are built to
utilize the library API (that includes any library derived from OpenSSL)
must publicly advertise that OpenSSL or derivative library in all
documentation detailing features of that software.
This release of Squid will now include the required OpenSSL
advertisement on builds -v output where features are displayed. This is
primarily intended as a way to easily identify which library is being
used by Squid at run-time when multiple libraries are present on a system.
Please note even with this update Squid is still not directly compatible
with the OpenSSL terms of distribution. Distributors of OpenSSL enabled
Squid are required to ensure they meet both GPL and OpenSSL licensing
All users of Squid-4.x are urged to upgrade to this release as
soon as possible.
All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.
See the ChangeLog for the full list of changes in this and earlier
Please refer to the release notes at
when you are ready to make the switch to Squid-4
This new release can be downloaded from our HTTP or FTP servers
or the mirrors. For a list of mirror sites see
If you encounter any issues with this release please file a bug report.
squid-announce mailing list
|Free forum by Nabble||Edit this page|