The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.13 release!

This release is a bug fix release resolving issues found in the prior
Squid releases and hardening security.

  Please note the TLS feature backport is an exceptional situation.
  The Squid Project policy is (and remains) not to backport feature
  changes affecting squid.conf within a stable/production release.

The major changes to be aware of:

* Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange

The Squid-4 functionality supporting Elliptic Curve cryptography has
been backported to this release to better suit community needs.

* Complete certificate chains using external intermediate certificates

Many origin servers do not send complete certificate chains. Many
browsers use certificate extensions in the server certificate to
download the missing intermediate certificates automatically from the
Internet. Squid-3 does not do that.

This backported Squid-4 feature allows an admin to supply a file with
intermediate certificates that Squid may use to complete certificate
chains. These intermediate certificates are _not_ treated as trusted
root certificates.

* SSL-Bump: Avoid memory overuse with X.509 certificate validator

SSL-Bump TLS contexts are created dynamically and potentially in large
numbers. When certificate validator was used the validator response was
causing the context to be leaked.

Note: There are other known (and some unknown) memory issues related to
certificate validation which remain to be solved.

* Fix connection retry and fallback after failed server TLS connections

Previous Squid-3.4 and 3.5 releases would attempt only one server
connection when forwarding a bumped https:// and if that failed would
produce an error. This release will now retry with other servers as done
with http:// requests.

 All users of Squid are urged to upgrade to this release as soon as

 See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries
squid-announce mailing list

Reply via email to