The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.20 release!

This release is a bug fix release resolving several issues found in the
prior Squid releases.

The major changes to be aware of:

* Regression Bug 4692: SSL-Bump breaks intercepted IPv6 connections

This bug applies to all IPv6 intercepted traffic (TPROXY, etc.). It is especially visible with SSL/TLS (port 443) traffic. It affects Google searches, YouTube videos, and many other websites. With non-TLS/SSL requests, it can cause what appear to be timeouts as well as other problems. It is a regression specific to the Squid-4 release series, not affecting any other installations.

* Regression Bug 4659: sslproxy_foreign_intermediate_certs does not work

This bug appears as loading of custom intermediate certificates not working since the auto-download feature was implemented in Squid-4. This release is now able to verify a certificate chain with both configured intermediates and auto-downloaded CA certificates.

* Bug 4662: build errors with LibreSSL 2.4.4

This release updates the OpenSSL v1.1 support to use API feature detection to resolve many issues identified with LibreSSL and potentially other OpenSSL derived libraries. New tests have been added, existing feature tests have been updated to obey the --with-openssl=PATH parameter more accurately for custom library locations, and the squid -v output is updated to report which library is being loaded and used at run-time.

As such there are some potentially significant changes to the code being used by LibreSSL and other derivative libraries. These should build and work now, but are not specifically tested by the Squid team developing the TLS/SSL code. Community testing and feedback is very welcome.

* Bug 4321: ssl_bump terminate does not terminate at step1

This release adds support for terminating TLS connections before any TLS protocol has been received. Previous versions of Squid would require some of the handshake to be received before terminate would work. This also causes non-TLS connections to be able to properly terminate before step1 of the SSL-Bump process.

* Improved cache_peer handling

This release updates the DEAD peer probe behaviour and handling to reduce HTTP response times when a cache_peer previously marked DEAD is involved as a potential destination for the request. For example as a failover destination after an initial attempt to a LIVE peer failed, or as a probe to investigate peer recovery when ICP, HTCP, Digest, NetDB and ICMP are all disabled.

Also, as of this release a new DNS query no longer revives DEAD peers unconditionally. This prevents periodic timeouts on transactions when DNS TTL is short and a peer is unavailable for extended periods of time relative to that TTL.

These changes will impact all Squid installations depending on these passive DNS or HTTP revival methods as the sole ways for peers to be detected as usable once they go down. An active probe of at least one type mentioned above is now required to avoid an increase in user visible connection failures.

* Make PID file check/creation atomic and earlier

This release adds further improvements to the Squid startup process for better PID file related behaviour to set the file contents earlier and in an atomic manner. Fixing many race condition issues when SMP workers are involved or an init system such as systemd, upstart, and OpenRC with potentially parallel startup procedures is used.

* OpenSSL support better compliance with license requirements

The OpenSSL license requires that all binaries which are built to utilize the library API (that includes any library derived from OpenSSL) must publicly advertise that OpenSSL or derivative library in all documentation detailing features of that software.

This release of Squid will now include the required OpenSSL advertisement on builds -v output where features are displayed. This is primarily intended as a way to easily identify which library is being used by Squid at run-time when multiple libraries are present on a system.

Please note even with this update Squid is still not directly compatible with the OpenSSL terms of distribution. Distributors of OpenSSL enabled Squid are required to ensure they meet both GPL and OpenSSL licensing requirements.

 All users of Squid-4.x are urged to upgrade to this release as
soon as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.

 See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries

squid-announce mailing list

Reply via email to