From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: [squid-announce] Squid 4.1 is available]
Date: Thu, 05 Jul 2018 16:55:19 +0200
Message-ID: <1cc95aa3-7bb0-230d-dc24-76b0f8b20e4a@ipfire.org>
In-Reply-To: <9aa23d5a-0f10-2508-a2c5-707b78193f9d@ipfire.org>
Hi,
Found something, see below.
On 04.07.2018 20:52, Matthias Fischer wrote:
> On 04.07.2018 18:43, Michael Tremer wrote:
>> On Wed, 2018-07-04 at 17:04 +0200, Matthias Fischer wrote:
>>> On 04.07.2018 16:57, Michael Tremer wrote:
>>> > On Wed, 2018-07-04 at 16:54 +0200, Matthias Fischer wrote:
>>> > > Hi,
>>> > >
>>> > > On 04.07.2018 11:12, Michael Tremer wrote:
>>> > > > Squid 4.1 has been released.
>>> > >
>>> > > Yep.
>>> > >
>>> > > > @Matthias: As far as I remember, you have been working on updating squid
>>> > > > before.
>>> > > > Will you have a look at this?
>>> > >
>>> > > I'm "looking at it" right now. ;-)
>>> > >
>>> > > When I came home, Devel was ready.
>>> > >
>>> > > First compiled version (32bit) is running here. No seen problems.
>>> > >
>>> > > But today they released the first patch
>>> > > (http://www.squid-cache.org/Versions/v4/changesets/squid-4-01fd74072310c3b018f4b6a5b5c6be4816f72166.patch).
>>> > > Great...
>>> > >
>>> > > I think we're not affected ("There is a Segfault when opening long URLs
>>> > > if Bump is enabled and the on_unsupported_protocol option is set. Proxy
>>> > > mode is transparent.") but to be complete, I'd like to include this one.
>>> > >
>>> > > This requires a clean build (~5:30 hours). Patched version will be ready
>>> > > tomorrow. Ok?
>>> >
>>> > No hurry at all. I guess this already shows us that we should not migrate to
>>> > squid 4, yet. There are still many bugs in it. But what we need to do is to
>>> > review the proxy.cgi and see if the configuration file is valid and make
>>> > changes
>>> > if required.
>>>
>>> I'm testing the squid4-branch since ~4.0.22, 'squid -k parse' hasn't
>>> shown an error since then, except this one - and I can't find the reason:
>>>
>>> "WARNING: Ignoring error setting default trusted CA : An unimplemented
>>> or disabled feature has been requested."
>>
>> Did you go through the changelog to identify any configuration options that you
>> might not be using and which have been discontinued?
>
> Yes, but I didn't find an option or something in the squid conf - with
> MY eyes - that could lead me to the culprit.
>
> What I found:
> That warning is triggered by 'PeerOptions.cc':
>
> ...
> if (!flags.tlsDefaultCa)
> return;
>
> if (const char *err = loadSystemTrustedCa(ctx)) {
> debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default trusted CA : " << err);
> }
> ...
>
> Which leads me to:
>
> ...
> loadSystemTrustedCa(Security::ContextPointer &ctx)
> {
> debugs(83, 8, "Setting default system Trusted CA. ctx=" <<
> (void*)ctx.get());
> #if USE_OPENSSL
> if (SSL_CTX_set_default_verify_paths(ctx.get()) == 0)
> return Security::ErrorString(ERR_get_error());
>
> #elif USE_GNUTLS
> auto x = gnutls_certificate_set_x509_system_trust(ctx.get());
> if (x < 0)
> return Security::ErrorString(x);
> ...
>
> Perhaps we should add '--without-gnutls'?
>
> Since SSL is already disabled that is the only option I can think of and
> it clearly is found by 'squid':
>
> ...
> checking for LIBGNUTLS... yes
> checking gnutls/gnutls.h usability... yes
> checking gnutls/gnutls.h presence... yes
> checking for gnutls/gnutls.h... yes
> checking gnutls/x509.h usability... yes
> checking gnutls/x509.h presence... yes
> checking for gnutls/x509.h... yes
> checking gnutls/abstract.h usability... yes
> checking gnutls/abstract.h presence... yes
> checking for gnutls/abstract.h... yes
> configure: GnuTLS library support: auto -lgnutls
> ...
>
After adding 'without-gnutls' and another clean build, warning is gone.
New version is running.
Best,
Matthias
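
The check discussed in this message, as an added example that is not part of the original post or of Squid's own tooling: a shell script that reads saved `./configure` output and saved `squid -k parse` output and flags the combination reported in the thread (GnuTLS picked up automatically plus the trusted-CA warning). The function names, file names and the `no` summary line for the rebuilt binary are assumptions; the sample inputs are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example: flag a Squid build where configure auto-enabled GnuTLS and
# 'squid -k parse' prints the trusted-CA warning quoted in this thread.

# Print the mode from configure's GnuTLS summary line, or "unknown".
gnutls_mode() {
    mode=$(sed -n 's/^configure: GnuTLS library support: \([^ ]*\).*/\1/p' "$1" | head -n 1)
    echo "${mode:-unknown}"
}

# Exit 0 when the saved 'squid -k parse' output contains the warning.
has_ca_warning() {
    grep -q 'Ignoring error setting default trusted CA' "$1"
}

# Return 2: auto-detected GnuTLS plus warning; 1: auto-detected only; 0: otherwise.
audit_squid_build() {
    mode=$(gnutls_mode "$1")
    if [ "$mode" = "auto" ] && has_ca_warning "$2"; then
        echo "FAIL: GnuTLS auto-detected and trusted-CA warning present (thread's fix: --without-gnutls)"
        return 2
    elif [ "$mode" = "auto" ]; then
        echo "WARN: GnuTLS was picked up automatically, not requested explicitly"
        return 1
    fi
    echo "OK: GnuTLS support mode is '$mode'"
    return 0
}

# Constructed sample inputs (hypothetical file names).
write_samples() {
    printf '%s\n' 'checking for LIBGNUTLS... yes' \
        'configure: GnuTLS library support: auto -lgnutls' > "$1/affected.configure"
    printf '%s\n' 'WARNING: Ignoring error setting default trusted CA : An unimplemented or disabled feature has been requested.' > "$1/affected.parse"
    # Assumed form of the summary line after rebuilding with --without-gnutls.
    printf '%s\n' 'configure: GnuTLS library support: no' > "$1/fixed.configure"
    : > "$1/fixed.parse"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
audit_squid_build "$SAMPLES/affected.configure" "$SAMPLES/affected.parse" || true
audit_squid_build "$SAMPLES/fixed.configure" "$SAMPLES/fixed.parse"
```

Running it in a build pipeline against the real `configure` and `squid -k parse` output makes an implicitly enabled TLS library a visible build finding instead of a runtime warning.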