Hi,

Found something, see below.

On 04.07.2018 20:52, Matthias Fischer wrote:
> On 04.07.2018 18:43, Michael Tremer wrote:
>> On Wed, 2018-07-04 at 17:04 +0200, Matthias Fischer wrote:
>>> On 04.07.2018 16:57, Michael Tremer wrote:
>>> > On Wed, 2018-07-04 at 16:54 +0200, Matthias Fischer wrote:
>>> > > Hi,
>>> > >
>>> > > On 04.07.2018 11:12, Michael Tremer wrote:
>>> > > > Squid 4.1 has been released.
>>> > >
>>> > > Yep.
>>> > >
>>> > > > @Matthias: As far as I remember, you have been working on updating squid
>>> > > > before.
>>> > > > Will you have a look at this?
>>> > >
>>> > > I'm "looking at it" right now. ;-)
>>> > >
>>> > > When I came home, Devel was ready.
>>> > >
>>> > > First compiled version (32bit) is running here. No seen problems.
>>> > >
>>> > > But today they released the first patch
>>> > > (http://www.squid-cache.org/Versions/v4/changesets/squid-4-01fd74072310c3b018f4b6a5b5c6be4816f72166.patch).
>>> > > Great...
>>> > >
>>> > > I think we're not affected ("There is a Segfault when opening long URLs
>>> > > if Bump is enabled and the on_unsupported_protocol option is set. Proxy
>>> > > mode is transparent.") but to be complete, I'd like to include this one.
>>> > >
>>> > > This requires a clean build (~5:30 hours). Patched version will be ready
>>> > > tomorrow. Ok?
>>> >
>>> > No hurry at all. I guess this already shows us that we should not migrate to
>>> > squid 4, yet. There are still many bugs in it. But what we need to do is to
>>> > review the proxy.cgi and see if the configuration file is valid and make
>>> > changes if required.
>>>
>>> I'm testing the squid4-branch since ~4.0.22, 'squid -k parse' hasn't
>>> shown an error since then, except this one - and I can't find the reason:
>>>
>>> "WARNING: Ignoring error setting default trusted CA : An unimplemented
>>> or disabled feature has been requested."
>>
>> Did you go through the changelog to identify any configuration options that you
>> might not be using and which have been discontinued?
>
> Yes, but I didn't find an option or something in the squid conf - with
> MY eyes - that could lead me to the culprit.
>
> What I found:
> That warning is triggered by 'PeerOptions.cc':
>
> ...
>     if (!flags.tlsDefaultCa)
>         return;
>
>     if (const char *err = loadSystemTrustedCa(ctx)) {
>         debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default trusted CA : " << err);
>     }
> ...
>
> Which leads me to:
>
> ...
> loadSystemTrustedCa(Security::ContextPointer &ctx)
> {
>     debugs(83, 8, "Setting default system Trusted CA. ctx=" << (void*)ctx.get());
> #if USE_OPENSSL
>     if (SSL_CTX_set_default_verify_paths(ctx.get()) == 0)
>         return Security::ErrorString(ERR_get_error());
>
> #elif USE_GNUTLS
>     auto x = gnutls_certificate_set_x509_system_trust(ctx.get());
>     if (x < 0)
>         return Security::ErrorString(x);
> ...
>
> Perhaps we should add '--without-gnutls'?
>
> Since SSL is already disabled that is the only option I can think of and
> it clearly is found by 'squid':
>
> ...
> checking for LIBGNUTLS... yes
> checking gnutls/gnutls.h usability... yes
> checking gnutls/gnutls.h presence... yes
> checking for gnutls/gnutls.h... yes
> checking gnutls/x509.h usability... yes
> checking gnutls/x509.h presence... yes
> checking for gnutls/x509.h... yes
> checking gnutls/abstract.h usability... yes
> checking gnutls/abstract.h presence... yes
> checking for gnutls/abstract.h... yes
> configure: GnuTLS library support: auto -lgnutls
> ...
>

After adding 'without-gnutls' and another clean build, warning is gone.

New version is running.

Best,
Matthias
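
A post-build check for the situation discussed in this thread, added here as an example and not taken from the thread or from Squid: it reads captured `squid -v` and `squid -k parse` output and reports whether GnuTLS was left to configure's auto-detection and whether the trusted-CA warning is present. The function names, paths and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All sample text below is constructed.

# Read `squid -v` output on stdin; print how GnuTLS was chosen at configure
# time: "disabled", "requested", or "auto" (left to auto-detection).
gnutls_build_mode() {
    opts=$(grep -i '^configure options:' || true)
    case "$opts" in
        *--without-gnutls*|*--with-gnutls=no*) echo disabled ;;
        *--with-gnutls*)                       echo requested ;;
        *)                                     echo auto ;;
    esac
}

# Read `squid -k parse` output on stdin; succeed if the warning quoted in
# the thread is present.
has_trusted_ca_warning() {
    grep -q 'WARNING: Ignoring error setting default trusted CA'
}

# audit <squid -v text> <squid -k parse text>: one-line summary of both checks.
audit() {
    mode=$(printf '%s\n' "$1" | gnutls_build_mode)
    if printf '%s\n' "$2" | has_trusted_ca_warning; then warn=yes; else warn=no; fi
    echo "gnutls=$mode trusted_ca_warning=$warn"
}

# Constructed samples: a build where GnuTLS was auto-detected, and a rebuild
# with --without-gnutls.
V_BEFORE="Squid Cache: Version 4.1
configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid'"
V_AFTER="Squid Cache: Version 4.1
configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' '--without-gnutls'"
P_BEFORE="2018/07/04 17:00:00| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2018/07/04 17:00:00| WARNING: Ignoring error setting default trusted CA : An unimplemented or disabled feature has been requested."
P_AFTER="2018/07/05 09:00:00| Processing Configuration File: /etc/squid/squid.conf (depth 0)"

audit "$V_BEFORE" "$P_BEFORE"
audit "$V_AFTER" "$P_AFTER"
```

On a real system the two arguments would be the captured output of `squid -v` and `squid -k parse 2>&1`; an `auto` result means the TLS backend depends on whatever the build host happens to have installed.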