Re: [Fwd: [squid-announce] Squid 4.1 is available]

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: [squid-announce] Squid 4.1 is available]
Date: Wed, 04 Jul 2018 20:52:07 +0200	[thread overview]
Message-ID: <9aa23d5a-0f10-2508-a2c5-707b78193f9d@ipfire.org> (raw)
In-Reply-To: <75be0f91059782319bfc82621ac4df7646f35dfa.camel@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 3452 bytes --]

On 04.07.2018 18:43, Michael Tremer wrote:
> On Wed, 2018-07-04 at 17:04 +0200, Matthias Fischer wrote:
>> On 04.07.2018 16:57, Michael Tremer wrote:
>> > On Wed, 2018-07-04 at 16:54 +0200, Matthias Fischer wrote:
>> > > Hi,
>> > > 
>> > > On 04.07.2018 11:12, Michael Tremer wrote:
>> > > > Squid 4.1 has been released.
>> > > 
>> > > Yep.
>> > > 
>> > > > @Matthias: As far as I remember, you have been working on updating squid
>> > > > before.
>> > > > Will you have a look at this?
>> > > 
>> > > I'm "looking at it" right now. ;-)
>> > > 
>> > > When I came home, Devel was ready.
>> > > 
>> > > First compiled version (32bit) is running here. No seen problems.
>> > > 
>> > > But today they released the first patch
>> > > (http://www.squid-cache.org/Versions/v4/changesets/squid-4-01fd74072310c3b
>> > > 018f
>> > > 4b6a5b5c6be4816f72166.patch).
>> > > Great...
>> > > 
>> > > I think we're not affected ("There is a Segfault when opening long URLs
>> > > if Bump is enabled and the on_unsupported_protocol option is set. Proxy
>> > > mode is transparent.") but to be complete, I'd like to include this one.
>> > > 
>> > > This requires a clean build (~5:30 hours). Patched version will be ready
>> > > tomorrow. Ok?
>> > 
>> > No hurry at all. I guess this already shows us that we should not migrate to
>> > squid 4, yet. There are still many bugs in it. But what we need to do is to
>> > review the proxy.cgi and see if the configuration file is valid and make
>> > changes
>> > if required.
>> 
>> Im testing the squid4-branch since ~4.0.22, 'squid -k parse' hasn't
>> shown an error since then, except this one - and I can't find the reason:
>> 
>> "WARNING: Ignoring error setting default trusted CA : An unimplemented
>> or disabled feature has been requested."
> 
> Did you go through the changelog to identify any configuration options that you
> might not be using and which have been discontinued?

Yes, but I didn't find an option or something in the squid conf - with
MY eyes - that could me to the culprit.

What I found:
That warning is triggered by 'PeerOptions.cc':

...
    if (!flags.tlsDefaultCa)
        return;

    if (const char *err = loadSystemTrustedCa(ctx)) {
        debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting
default trusted CA : " << err);
    }
...

Which leads me to:

...
loadSystemTrustedCa(Security::ContextPointer &ctx)
{
    debugs(83, 8, "Setting default system Trusted CA. ctx=" <<
(void*)ctx.get());
#if USE_OPENSSL
    if (SSL_CTX_set_default_verify_paths(ctx.get()) == 0)
        return Security::ErrorString(ERR_get_error());

#elif USE_GNUTLS
    auto x = gnutls_certificate_set_x509_system_trust(ctx.get());
    if (x < 0)
        return Security::ErrorString(x);
...

Perhaps we should add ---without-gnutls'?

Since SSL is already disabled that is the only option I can think of and
it clearly is found by 'squid':

...
checking for LIBGNUTLS... yes
checking gnutls/gnutls.h usability... yes
checking gnutls/gnutls.h presence... yes
checking for gnutls/gnutls.h... yes
checking gnutls/x509.h usability... yes
checking gnutls/x509.h presence... yes
checking for gnutls/x509.h... yes
checking gnutls/abstract.h usability... yes
checking gnutls/abstract.h presence... yes
checking for gnutls/abstract.h... yes
configure: GnuTLS library support: auto  -lgnutls
...

Best,
Matthias

next prev parent reply	other threads:[~2018-07-04 18:52 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <c8f9202f-47b1-c34e-5480-8191d57f8a2b@treenet.co.nz>
2018-07-04  9:12 ` Michael Tremer
2018-07-04 14:54   ` Matthias Fischer
2018-07-04 14:57     ` Michael Tremer
2018-07-04 15:04       ` Matthias Fischer
2018-07-04 16:43         ` Michael Tremer
2018-07-04 18:52           ` Matthias Fischer [this message]
2018-07-05 14:55             ` Matthias Fischer
2018-07-05 16:57   ` Matthias Fischer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9aa23d5a-0f10-2508-a2c5-707b78193f9d@ipfire.org \
    --to=matthias.fischer@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox