Hi,
Found something, see below.
On 04.07.2018 20:52, Matthias Fischer wrote:
On 04.07.2018 18:43, Michael Tremer wrote:
On Wed, 2018-07-04 at 17:04 +0200, Matthias Fischer wrote:
On 04.07.2018 16:57, Michael Tremer wrote:
On Wed, 2018-07-04 at 16:54 +0200, Matthias Fischer wrote:
Hi,
On 04.07.2018 11:12, Michael Tremer wrote:
Squid 4.1 has been released.
Yep.
@Matthias: As far as I remember, you have been working on updating squid before. Will you have a look at this?
I'm "looking at it" right now. ;-)
When I came home, Devel was ready.
First compiled version (32bit) is running here. No problems seen.
But today they released the first patch (http://www.squid-cache.org/Versions/v4/changesets/squid-4-01fd74072310c3b018f4b6a5b5c6be4816f72166.patch). Great...
I think we're not affected ("There is a Segfault when opening long URLs if Bump is enabled and the on_unsupported_protocol option is set. Proxy mode is transparent.") but to be complete, I'd like to include this one.
This requires a clean build (~5:30 hours). Patched version will be ready tomorrow. Ok?
No hurry at all. I guess this already shows us that we should not migrate to squid 4, yet. There are still many bugs in it. But what we need to do is to review the proxy.cgi and see if the configuration file is valid and make changes if required.
I'm testing the squid4-branch since ~4.0.22, 'squid -k parse' hasn't shown an error since then, except this one - and I can't find the reason:
"WARNING: Ignoring error setting default trusted CA : An unimplemented or disabled feature has been requested."
Did you go through the changelog to identify any configuration options that you might not be using and which have been discontinued?
Yes, but I didn't find an option or something in the squid conf - with MY eyes - that could lead me to the culprit.
What I found: That warning is triggered by 'PeerOptions.cc':
...
    if (!flags.tlsDefaultCa)
        return;

    if (const char *err = loadSystemTrustedCa(ctx)) {
        debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default trusted CA : " << err);
    }
...
Which leads me to:
...
loadSystemTrustedCa(Security::ContextPointer &ctx)
{
    debugs(83, 8, "Setting default system Trusted CA. ctx=" << (void*)ctx.get());
#if USE_OPENSSL
    if (SSL_CTX_set_default_verify_paths(ctx.get()) == 0)
        return Security::ErrorString(ERR_get_error());
#elif USE_GNUTLS
    auto x = gnutls_certificate_set_x509_system_trust(ctx.get());
    if (x < 0)
        return Security::ErrorString(x);
...
Perhaps we should add '--without-gnutls'?
Since SSL is already disabled that is the only option I can think of and it clearly is found by 'squid':
...
checking for LIBGNUTLS... yes
checking gnutls/gnutls.h usability... yes
checking gnutls/gnutls.h presence... yes
checking for gnutls/gnutls.h... yes
checking gnutls/x509.h usability... yes
checking gnutls/x509.h presence... yes
checking for gnutls/x509.h... yes
checking gnutls/abstract.h usability... yes
checking gnutls/abstract.h presence... yes
checking for gnutls/abstract.h... yes
configure: GnuTLS library support: auto -lgnutls
...
After adding '--without-gnutls' and another clean build, the warning is gone.
New version is running.
Best, Matthias
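The check the thread arrives at by hand (which TLS backend configure picked, whether GnuTLS was linked in automatically, and whether 'squid -k parse' still prints the trusted-CA warning) can be scripted. The following is an added example, not code from the thread, from Squid or from IPFire. It assumes that 'squid -v' prints a "configure options:" line listing each flag in single quotes and that configure announces its decision as "configure: GnuTLS library support: ..." (the line quoted above); the sample outputs are constructed, and the warning text is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, Squid or IPFire): report which TLS
# backend a Squid 4 build was configured with and whether the trusted-CA
# warning from the thread is present in 'squid -k parse' output.
# Assumption: 'squid -v' prints "configure options:  '--flag' '--flag' ..."
# and configure prints "configure: GnuTLS library support: <mode> <libs>".

# Constructed sample of 'squid -v' output for a build that passed neither
# --with-openssl nor --without-gnutls (the situation in the thread).
SAMPLE_SQUID_V=$(cat <<'EOF'
Squid Cache: Version 4.1
Service Name: squid
configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' '--enable-ssl-crtd'
EOF
)

# Constructed excerpt of configure output (lines as quoted in the thread).
SAMPLE_CONFIGURE_LOG=$(cat <<'EOF'
checking for LIBGNUTLS... yes
checking for gnutls/gnutls.h... yes
configure: GnuTLS library support: auto -lgnutls
EOF
)

# Constructed 'squid -k parse' output containing the warning.
SAMPLE_PARSE_OUT=$(cat <<'EOF'
2018/07/05 10:00:00| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2018/07/05 10:00:00| WARNING: Ignoring error setting default trusted CA : An unimplemented or disabled feature has been requested.
EOF
)

# tls_backend SQUID_V_OUTPUT -> prints openssl | none | gnutls | auto
# "auto" means none of the explicit flags was given, so configure links
# GnuTLS whenever its headers are found (what happened in the thread).
tls_backend() {
    opts=$(printf '%s\n' "$1" | sed -n 's/^configure options: *//p')
    case "$opts" in
        *"'--with-openssl'"*)   echo openssl ;;
        *"'--without-gnutls'"*) echo none ;;
        *"'--with-gnutls'"*)    echo gnutls ;;
        *)                      echo auto ;;
    esac
}

# gnutls_linked CONFIGURE_OUTPUT -> exit 0 if configure reported -lgnutls
gnutls_linked() {
    printf '%s\n' "$1" | grep -q '^configure: GnuTLS library support: .*-lgnutls'
}

# has_trusted_ca_warning PARSE_OUTPUT -> exit 0 if the warning is present
has_trusted_ca_warning() {
    printf '%s\n' "$1" | grep -q 'WARNING: Ignoring error setting default trusted CA'
}

# report SQUID_V CONFIGURE_OUT PARSE_OUT -> prints a one-line verdict
report() {
    backend=$(tls_backend "$1")
    if has_trusted_ca_warning "$3"; then
        if [ "$backend" = auto ] && gnutls_linked "$2"; then
            echo "warning present: GnuTLS auto-detected without --with-openssl; rebuild with --without-gnutls"
        else
            echo "warning present: backend=$backend, check the TLS options in squid.conf"
        fi
    else
        echo "no trusted-CA warning (backend=$backend)"
    fi
}

# Run against the constructed samples. If a squid binary is installed, also
# show its backend; 'squid -k parse' needs a readable squid.conf, so running
# it on the live system is left to the operator.
report "$SAMPLE_SQUID_V" "$SAMPLE_CONFIGURE_LOG" "$SAMPLE_PARSE_OUT"
if command -v squid >/dev/null 2>&1; then
    echo "installed squid backend: $(tls_backend "$(squid -v 2>/dev/null)")"
fi
```

On a real box, feed it the saved configure output and 'squid -k parse 2>&1' instead of the samples; the three-way split (openssl / none / gnutls / auto) is the part worth keeping, since a backend of "auto" together with "-lgnutls" in the configure log is exactly the combination that produced the warning above.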