For details see: http://www.squid-cache.org/Versions/v4/changesets/
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/squid | 9 +- ...b_exchange_with_a_TLS_cache_peer_307.patch | 91 ------------ ...all_format_formally_to_make_dist_325.patch | 22 --- .../03_The_handshake_logformat_code_331.patch | 132 ------------------ ... squid-4.5-fix-max-file-descriptors.patch} | 4 +- 5 files changed, 5 insertions(+), 253 deletions(-) delete mode 100644 src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch delete mode 100644 src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch delete mode 100644 src/patches/squid/03_The_handshake_logformat_code_331.patch rename src/patches/squid/{squid-4.4-fix-max-file-descriptors.patch => squid-4.5-fix-max-file-descriptors.patch} (92%)
diff --git a/lfs/squid b/lfs/squid index aaa2d0b96..6033ab394 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@
include Config
-VER = 4.4 +VER = 4.5
THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -42,7 +42,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 892504ca9700e1f139a53f84098613bd +$(DL_FILE)_MD5 = 8275da5846f9f2243ad2625e5aef2ee0
install : $(TARGET)
@@ -72,10 +72,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/03_The_handshake_logformat_code_331.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.5-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP)/libltdl && autoreconf -vfi diff --git a/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch b/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch deleted file mode 100644 index 09f8961dc..000000000 --- a/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch +++ /dev/null @@ -1,91 +0,0 @@ -commit bc54d7a6f7ec510a25966f2f800d3ea874657546 -Author: chi-mf 43963496+chi-mf@users.noreply.github.com -Date: 2018-10-30 04:48:40 +0000 - - Fix netdb exchange with a TLS cache_peer (#307) - - Squid uses http-scheme URLs when sending netdb exchange (and possibly - other) requests to a cache_peer. If a DIRECT path is selected for that - cache_peer URL, then Squid sends a clear text HTTP request to that - cache_peer. If that cache_peer expects a TLS connection, it will reject - that request (with, e.g., error:transaction-end-before-headers), - resulting in an HTTP 503 or 504 netdb fetch error. - - Workaround this by adding an internalRemoteUri() parameter to indicate - whether https or http URL scheme should be used. Netdb fetches from - CachePeer::secure peers now get an https scheme and, hence, a TLS - connection. - -diff --git a/src/icmp/net_db.cc b/src/icmp/net_db.cc -index 0f488de..526093f 100644 ---- a/src/icmp/net_db.cc -+++ b/src/icmp/net_db.cc -@@ -1282,7 +1282,7 @@ netdbExchangeStart(void *data) - #if USE_ICMP - CachePeer *p = (CachePeer *)data; - static const SBuf netDB("netdb"); -- char *uri = internalRemoteUri(p->host, p->http_port, "/squid-internal-dynamic/", netDB); -+ char *uri = internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-dynamic/", netDB); - debugs(38, 3, "Requesting '" << uri << "'"); - const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initIcmp); - HttpRequest *req = HttpRequest::FromUrl(uri, mx); -diff --git a/src/internal.cc b/src/internal.cc -index 6ebc7a6..ff7b4d6 100644 ---- a/src/internal.cc -+++ b/src/internal.cc -@@ -82,7 +82,7 @@ internalStaticCheck(const SBuf &urlPath) - * makes internal url with a given host and port (remote internal url) - */ - char * --internalRemoteUri(const char *host, unsigned short port, const char *dir, const SBuf &name) -+internalRemoteUri(bool encrypt, const char *host, unsigned short port, const char *dir, const SBuf &name) - { - static char lc_host[SQUIDHOSTNAMELEN]; - assert(host && !name.isEmpty()); -@@ -115,7 +115,7 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const - static MemBuf mb; - - mb.reset(); -- mb.appendf("http://" SQUIDSBUFPH, SQUIDSBUFPRINT(tmp.authority())); -+ mb.appendf("%s://" SQUIDSBUFPH, encrypt ? "https" : "http", SQUIDSBUFPRINT(tmp.authority())); - - if (dir) - mb.append(dir, strlen(dir)); -@@ -132,7 +132,10 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const - char * - internalLocalUri(const char *dir, const SBuf &name) - { -- return internalRemoteUri(getMyHostname(), -+ // XXX: getMy*() may return https_port info, but we force http URIs -+ // because we have not checked whether the callers can handle https. -+ const bool secure = false; -+ return internalRemoteUri(secure, getMyHostname(), - getMyPort(), dir, name); - } - -diff --git a/src/internal.h b/src/internal.h -index c91f9ac..13a43a6 100644 ---- a/src/internal.h -+++ b/src/internal.h -@@ -24,7 +24,7 @@ void internalStart(const Comm::ConnectionPointer &clientConn, HttpRequest *, Sto - bool internalCheck(const SBuf &urlPath); - bool internalStaticCheck(const SBuf &urlPath); - char *internalLocalUri(const char *dir, const SBuf &name); --char *internalRemoteUri(const char *, unsigned short, const char *, const SBuf &); -+char *internalRemoteUri(bool, const char *, unsigned short, const char *, const SBuf &); - const char *internalHostname(void); - int internalHostnameIs(const char *); - -diff --git a/src/peer_digest.cc b/src/peer_digest.cc -index 36a8705..f515aaa 100644 ---- a/src/peer_digest.cc -+++ b/src/peer_digest.cc -@@ -323,7 +323,7 @@ peerDigestRequest(PeerDigest * pd) - if (p->digest_url) - url = xstrdup(p->digest_url); - else -- url = xstrdup(internalRemoteUri(p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName))); -+ url = xstrdup(internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName))); - debugs(72, 2, url); - - const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initCacheDigest); diff --git a/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch b/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch deleted file mode 100644 index 58ceaa034..000000000 --- a/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch +++ /dev/null @@ -1,22 +0,0 @@ -commit 3c23ae8c7431344f8fc50bb5ee8f4b56d08c10a4 -Author: Amos Jeffries yadij@users.noreply.github.com -Date: 2018-11-11 04:29:58 +0000 - - Maintenance: add .xz tarball format formally to make dist (#325) - - Automake can now handle generating this format itself and the - experiments of providing it for downstream have gone well. - -diff --git a/configure.ac b/configure.ac -index 3f8af6d..f668567 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -10,7 +10,7 @@ AC_PREREQ(2.61) - AC_CONFIG_HEADERS([include/autoconf.h]) - AC_CONFIG_AUX_DIR(cfgaux) - AC_CONFIG_SRCDIR([src/main.cc]) --AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects]) -+AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects dist-xz]) - AC_REVISION($Revision$)dnl - AC_PREFIX_DEFAULT(/usr/local/squid) - AM_MAINTAINER_MODE diff --git a/src/patches/squid/03_The_handshake_logformat_code_331.patch b/src/patches/squid/03_The_handshake_logformat_code_331.patch deleted file mode 100644 index 2ce8bdc4a..000000000 --- a/src/patches/squid/03_The_handshake_logformat_code_331.patch +++ /dev/null @@ -1,132 +0,0 @@ -commit 0022167d80725513d95b38aaebc90086fc0b6938 (tag: refs/tags/M-staged-PR331, refs/remotes/origin/v4) -Author: Christos Tsantilas christos@chtsanti.net -Date: 2018-11-14 15:17:06 +0000 - - The %>handshake logformat code (#331) - - Logging client "handshake" bytes is useful in at least two contexts: - - * Runtime traffic bypass and bumping/splicing decisions. Identifying - popular clients like Skype for Business (that uses a TLS handshake but - then may not speak TLS) is critical for handling their traffic - correctly. Squid does not have enough ACLs to interrogate most TLS - handshake aspects. Adding more ACLs may still be a good idea, but - initial sketches for SfB handshakes showed rather complex - ACLs/configurations, _and_ no reasonable ACLs would be able to handle - non-TLS handshakes. An external ACL receiving the handshake is in a - much better position to analyze/fingerprint it according to custom - admin needs. - - * A logged handshake can be used to analyze new/unusual traffic or even - trigger security-related alarms. - - The current support is limited to cases where Squid was saving handshake - for other reasons. With enough demand, this initial support can be - extended to all protocols and port configurations. - - This is a Measurement Factory project. - -diff --git a/src/cf.data.pre b/src/cf.data.pre -index fa8af56..a8ca587 100644 ---- a/src/cf.data.pre -+++ b/src/cf.data.pre -@@ -4394,6 +4394,37 @@ DOC_START - <qos Server connection TOS/DSCP value set by Squid - <nfmark Server connection netfilter mark set by Squid - -+ >handshake Raw client handshake -+ Initial client bytes received by Squid on a newly -+ accepted TCP connection or inside a just established -+ CONNECT tunnel. Squid stops accumulating handshake -+ bytes as soon as the handshake parser succeeds or -+ fails (determining whether the client is using the -+ expected protocol). -+ -+ For HTTP clients, the handshake is the request line. -+ For TLS clients, the handshake consists of all TLS -+ records up to and including the TLS record that -+ contains the last byte of the first ClientHello -+ message. For clients using an unsupported protocol, -+ this field contains the bytes received by Squid at the -+ time of the handshake parsing failure. -+ -+ See the on_unsupported_protocol directive for more -+ information on Squid handshake traffic expectations. -+ -+ Current support is limited to these contexts: -+ - http_port connections, but only when the -+ on_unsupported_protocol directive is in use. -+ - https_port connections (and CONNECT tunnels) that -+ are subject to the ssl_bump peek or stare action. -+ -+ To protect binary handshake data, this field is always -+ base64-encoded (RFC 4648 Section 4). If logformat -+ field encoding is configured, that encoding is applied -+ on top of base64. Otherwise, the computed base64 value -+ is recorded as is. -+ - Time related format codes: - - ts Seconds since epoch -diff --git a/src/format/ByteCode.h b/src/format/ByteCode.h -index ad230bb..a6f8fd9 100644 ---- a/src/format/ByteCode.h -+++ b/src/format/ByteCode.h -@@ -46,6 +46,8 @@ typedef enum { - LFT_CLIENT_LOCAL_TOS, - LFT_CLIENT_LOCAL_NFMARK, - -+ LFT_CLIENT_HANDSHAKE, -+ - /* client connection local squid.conf details */ - LFT_LOCAL_LISTENING_IP, - LFT_LOCAL_LISTENING_PORT, -diff --git a/src/format/Format.cc b/src/format/Format.cc -index c1e19b4..8fd6720 100644 ---- a/src/format/Format.cc -+++ b/src/format/Format.cc -@@ -8,6 +8,7 @@ - - #include "squid.h" - #include "AccessLogEntry.h" -+#include "base64.h" - #include "client_side.h" - #include "comm/Connection.h" - #include "err_detail_type.h" -@@ -547,6 +548,24 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS - } - break; - -+ case LFT_CLIENT_HANDSHAKE: -+ if (al->request && al->request->clientConnectionManager.valid()) { -+ const auto &handshake = al->request->clientConnectionManager->preservedClientData; -+ if (const auto rawLength = handshake.length()) { -+ // add 1 byte to optimize the c_str() conversion below -+ char *buf = sb.rawAppendStart(base64_encode_len(rawLength) + 1); -+ -+ struct base64_encode_ctx ctx; -+ base64_encode_init(&ctx); -+ auto encLength = base64_encode_update(&ctx, buf, rawLength, reinterpret_cast<const uint8_t*>(handshake.rawContent())); -+ encLength += base64_encode_final(&ctx, buf + encLength); -+ -+ sb.rawAppendFinish(buf, encLength); -+ out = sb.c_str(); -+ } -+ } -+ break; -+ - case LFT_TIME_SECONDS_SINCE_EPOCH: - // some platforms store time in 32-bit, some 64-bit... - outoff = static_cast<int64_t>(current_time.tv_sec); -diff --git a/src/format/Token.cc b/src/format/Token.cc -index 186ade5..06c60cf 100644 ---- a/src/format/Token.cc -+++ b/src/format/Token.cc -@@ -141,6 +141,7 @@ static TokenTableEntry TokenTableMisc[] = { - TokenTableEntry("<qos", LFT_SERVER_LOCAL_TOS), - TokenTableEntry(">nfmark", LFT_CLIENT_LOCAL_NFMARK), - TokenTableEntry("<nfmark", LFT_SERVER_LOCAL_NFMARK), -+ TokenTableEntry(">handshake", LFT_CLIENT_HANDSHAKE), - TokenTableEntry("err_code", LFT_SQUID_ERROR ), - TokenTableEntry("err_detail", LFT_SQUID_ERROR_DETAIL ), - TokenTableEntry("note", LFT_NOTE ), diff --git a/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch b/src/patches/squid/squid-4.5-fix-max-file-descriptors.patch similarity index 92% rename from src/patches/squid/squid-4.4-fix-max-file-descriptors.patch rename to src/patches/squid/squid-4.5-fix-max-file-descriptors.patch index 8d1a4e03a..57fd0a6a6 100644 --- a/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch +++ b/src/patches/squid/squid-4.5-fix-max-file-descriptors.patch @@ -1,6 +1,6 @@ --- configure.ac.~ Wed Apr 20 14:26:07 2016 +++ configure.ac Fri Apr 22 17:20:46 2016 -@@ -3156,6 +3156,9 @@ +@@ -3160,6 +3160,9 @@ ;; esac
@@ -10,7 +10,7 @@ dnl --with-maxfd present for compatibility with Squid-2. dnl undocumented in ./configure --help to encourage using the Squid-3 directive AC_ARG_WITH(maxfd,, -@@ -3186,8 +3189,6 @@ +@@ -3190,8 +3193,6 @@ esac ])
Hello,
This is quite good that we finally have a stable release of this (am I right that 4.4 wasn’t considered to be stable?).
This however removes support for the SMB_LM helper which we still use and I will have to remove that from the CGI. We will have to announce that properly, but I do not think that it is a huge problem because this is Windows 2000 era. Hopefully nobody is using that any more.
Apart from that, I hope that we can now stay on the releases in this series until there is a new one.
Best, -Michael
On 1 Jan 2019, at 17:39, Matthias Fischer matthias.fischer@ipfire.org wrote:
For details see: http://www.squid-cache.org/Versions/v4/changesets/
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/squid | 9 +- ...b_exchange_with_a_TLS_cache_peer_307.patch | 91 ------------ ...all_format_formally_to_make_dist_325.patch | 22 --- .../03_The_handshake_logformat_code_331.patch | 132 ------------------ ... squid-4.5-fix-max-file-descriptors.patch} | 4 +- 5 files changed, 5 insertions(+), 253 deletions(-) delete mode 100644 src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch delete mode 100644 src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch delete mode 100644 src/patches/squid/03_The_handshake_logformat_code_331.patch rename src/patches/squid/{squid-4.4-fix-max-file-descriptors.patch => squid-4.5-fix-max-file-descriptors.patch} (92%)
diff --git a/lfs/squid b/lfs/squid index aaa2d0b96..6033ab394 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@
include Config
-VER = 4.4 +VER = 4.5
THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -42,7 +42,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 892504ca9700e1f139a53f84098613bd +$(DL_FILE)_MD5 = 8275da5846f9f2243ad2625e5aef2ee0
install : $(TARGET)
@@ -72,10 +72,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/03_The_handshake_logformat_code_331.patch
- cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.5-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP)/libltdl && autoreconf -vfi
diff --git a/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch b/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch deleted file mode 100644 index 09f8961dc..000000000 --- a/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch +++ /dev/null @@ -1,91 +0,0 @@ -commit bc54d7a6f7ec510a25966f2f800d3ea874657546 -Author: chi-mf 43963496+chi-mf@users.noreply.github.com -Date: 2018-10-30 04:48:40 +0000
- Fix netdb exchange with a TLS cache_peer (#307)
- Squid uses http-scheme URLs when sending netdb exchange (and possibly
- other) requests to a cache_peer. If a DIRECT path is selected for that
- cache_peer URL, then Squid sends a clear text HTTP request to that
- cache_peer. If that cache_peer expects a TLS connection, it will reject
- that request (with, e.g., error:transaction-end-before-headers),
- resulting in an HTTP 503 or 504 netdb fetch error.
- Workaround this by adding an internalRemoteUri() parameter to indicate
- whether https or http URL scheme should be used. Netdb fetches from
- CachePeer::secure peers now get an https scheme and, hence, a TLS
- connection.
-diff --git a/src/icmp/net_db.cc b/src/icmp/net_db.cc -index 0f488de..526093f 100644 ---- a/src/icmp/net_db.cc -+++ b/src/icmp/net_db.cc -@@ -1282,7 +1282,7 @@ netdbExchangeStart(void *data)
- #if USE_ICMP
CachePeer *p = (CachePeer *)data;
static const SBuf netDB("netdb");
-- char *uri = internalRemoteUri(p->host, p->http_port, "/squid-internal-dynamic/", netDB); -+ char *uri = internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-dynamic/", netDB);
debugs(38, 3, "Requesting '" << uri << "'");
const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initIcmp);
HttpRequest *req = HttpRequest::FromUrl(uri, mx);
-diff --git a/src/internal.cc b/src/internal.cc -index 6ebc7a6..ff7b4d6 100644 ---- a/src/internal.cc -+++ b/src/internal.cc -@@ -82,7 +82,7 @@ internalStaticCheck(const SBuf &urlPath)
- makes internal url with a given host and port (remote internal url)
- */
- char *
--internalRemoteUri(const char *host, unsigned short port, const char *dir, const SBuf &name) -+internalRemoteUri(bool encrypt, const char *host, unsigned short port, const char *dir, const SBuf &name)
- {
static char lc_host[SQUIDHOSTNAMELEN];
assert(host && !name.isEmpty());
-@@ -115,7 +115,7 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
static MemBuf mb;
mb.reset();
-- mb.appendf("http://" SQUIDSBUFPH, SQUIDSBUFPRINT(tmp.authority())); -+ mb.appendf("%s://" SQUIDSBUFPH, encrypt ? "https" : "http", SQUIDSBUFPRINT(tmp.authority()));
if (dir)
mb.append(dir, strlen(dir));
-@@ -132,7 +132,10 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
- char *
- internalLocalUri(const char *dir, const SBuf &name)
- {
-- return internalRemoteUri(getMyHostname(), -+ // XXX: getMy*() may return https_port info, but we force http URIs -+ // because we have not checked whether the callers can handle https. -+ const bool secure = false; -+ return internalRemoteUri(secure, getMyHostname(),
getMyPort(), dir, name);
- }
-diff --git a/src/internal.h b/src/internal.h -index c91f9ac..13a43a6 100644 ---- a/src/internal.h -+++ b/src/internal.h -@@ -24,7 +24,7 @@ void internalStart(const Comm::ConnectionPointer &clientConn, HttpRequest *, Sto
- bool internalCheck(const SBuf &urlPath);
- bool internalStaticCheck(const SBuf &urlPath);
- char *internalLocalUri(const char *dir, const SBuf &name);
--char *internalRemoteUri(const char *, unsigned short, const char *, const SBuf &); -+char *internalRemoteUri(bool, const char *, unsigned short, const char *, const SBuf &);
- const char *internalHostname(void);
- int internalHostnameIs(const char *);
-diff --git a/src/peer_digest.cc b/src/peer_digest.cc -index 36a8705..f515aaa 100644 ---- a/src/peer_digest.cc -+++ b/src/peer_digest.cc -@@ -323,7 +323,7 @@ peerDigestRequest(PeerDigest * pd)
if (p->digest_url)
url = xstrdup(p->digest_url);
else
-- url = xstrdup(internalRemoteUri(p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName))); -+ url = xstrdup(internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName)));
debugs(72, 2, url);
const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initCacheDigest);
diff --git a/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch b/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch deleted file mode 100644 index 58ceaa034..000000000 --- a/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch +++ /dev/null @@ -1,22 +0,0 @@ -commit 3c23ae8c7431344f8fc50bb5ee8f4b56d08c10a4 -Author: Amos Jeffries yadij@users.noreply.github.com -Date: 2018-11-11 04:29:58 +0000
- Maintenance: add .xz tarball format formally to make dist (#325)
- Automake can now handle generating this format itself and the
- experiments of providing it for downstream have gone well.
-diff --git a/configure.ac b/configure.ac -index 3f8af6d..f668567 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -10,7 +10,7 @@ AC_PREREQ(2.61)
- AC_CONFIG_HEADERS([include/autoconf.h])
- AC_CONFIG_AUX_DIR(cfgaux)
- AC_CONFIG_SRCDIR([src/main.cc])
--AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects]) -+AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects dist-xz])
- AC_REVISION($Revision$)dnl
- AC_PREFIX_DEFAULT(/usr/local/squid)
- AM_MAINTAINER_MODE
diff --git a/src/patches/squid/03_The_handshake_logformat_code_331.patch b/src/patches/squid/03_The_handshake_logformat_code_331.patch deleted file mode 100644 index 2ce8bdc4a..000000000 --- a/src/patches/squid/03_The_handshake_logformat_code_331.patch +++ /dev/null @@ -1,132 +0,0 @@ -commit 0022167d80725513d95b38aaebc90086fc0b6938 (tag: refs/tags/M-staged-PR331, refs/remotes/origin/v4) -Author: Christos Tsantilas christos@chtsanti.net -Date: 2018-11-14 15:17:06 +0000
- The %>handshake logformat code (#331)
- Logging client "handshake" bytes is useful in at least two contexts:
- Runtime traffic bypass and bumping/splicing decisions. Identifying
popular clients like Skype for Business (that uses a TLS handshake but
then may not speak TLS) is critical for handling their traffic
correctly. Squid does not have enough ACLs to interrogate most TLS
handshake aspects. Adding more ACLs may still be a good idea, but
initial sketches for SfB handshakes showed rather complex
ACLs/configurations, _and_ no reasonable ACLs would be able to handle
non-TLS handshakes. An external ACL receiving the handshake is in a
much better position to analyze/fingerprint it according to custom
admin needs.
- A logged handshake can be used to analyze new/unusual traffic or even
trigger security-related alarms.
- The current support is limited to cases where Squid was saving handshake
- for other reasons. With enough demand, this initial support can be
- extended to all protocols and port configurations.
- This is a Measurement Factory project.
-diff --git a/src/cf.data.pre b/src/cf.data.pre -index fa8af56..a8ca587 100644 ---- a/src/cf.data.pre -+++ b/src/cf.data.pre -@@ -4394,6 +4394,37 @@ DOC_START
<qos Server connection TOS/DSCP value set by Squid
<nfmark Server connection netfilter mark set by Squid
-+ >handshake Raw client handshake -+ Initial client bytes received by Squid on a newly -+ accepted TCP connection or inside a just established -+ CONNECT tunnel. Squid stops accumulating handshake -+ bytes as soon as the handshake parser succeeds or -+ fails (determining whether the client is using the -+ expected protocol). -+ -+ For HTTP clients, the handshake is the request line. -+ For TLS clients, the handshake consists of all TLS -+ records up to and including the TLS record that -+ contains the last byte of the first ClientHello -+ message. For clients using an unsupported protocol, -+ this field contains the bytes received by Squid at the -+ time of the handshake parsing failure. -+ -+ See the on_unsupported_protocol directive for more -+ information on Squid handshake traffic expectations. -+ -+ Current support is limited to these contexts: -+ - http_port connections, but only when the -+ on_unsupported_protocol directive is in use. -+ - https_port connections (and CONNECT tunnels) that -+ are subject to the ssl_bump peek or stare action. -+ -+ To protect binary handshake data, this field is always -+ base64-encoded (RFC 4648 Section 4). If logformat -+ field encoding is configured, that encoding is applied -+ on top of base64. Otherwise, the computed base64 value -+ is recorded as is. -+
- Time related format codes:
ts Seconds since epoch
-diff --git a/src/format/ByteCode.h b/src/format/ByteCode.h -index ad230bb..a6f8fd9 100644 ---- a/src/format/ByteCode.h -+++ b/src/format/ByteCode.h -@@ -46,6 +46,8 @@ typedef enum {
LFT_CLIENT_LOCAL_TOS,
LFT_CLIENT_LOCAL_NFMARK,
-+ LFT_CLIENT_HANDSHAKE, -+
/* client connection local squid.conf details */
LFT_LOCAL_LISTENING_IP,
LFT_LOCAL_LISTENING_PORT,
-diff --git a/src/format/Format.cc b/src/format/Format.cc -index c1e19b4..8fd6720 100644 ---- a/src/format/Format.cc -+++ b/src/format/Format.cc -@@ -8,6 +8,7 @@
- #include "squid.h"
- #include "AccessLogEntry.h"
-+#include "base64.h"
- #include "client_side.h"
- #include "comm/Connection.h"
- #include "err_detail_type.h"
-@@ -547,6 +548,24 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS
}
break;
-+ case LFT_CLIENT_HANDSHAKE: -+ if (al->request && al->request->clientConnectionManager.valid()) { -+ const auto &handshake = al->request->clientConnectionManager->preservedClientData; -+ if (const auto rawLength = handshake.length()) { -+ // add 1 byte to optimize the c_str() conversion below -+ char *buf = sb.rawAppendStart(base64_encode_len(rawLength) + 1); -+ -+ struct base64_encode_ctx ctx; -+ base64_encode_init(&ctx); -+ auto encLength = base64_encode_update(&ctx, buf, rawLength, reinterpret_cast<const uint8_t*>(handshake.rawContent())); -+ encLength += base64_encode_final(&ctx, buf + encLength); -+ -+ sb.rawAppendFinish(buf, encLength); -+ out = sb.c_str(); -+ } -+ } -+ break; -+
case LFT_TIME_SECONDS_SINCE_EPOCH:
// some platforms store time in 32-bit, some 64-bit...
outoff = static_cast<int64_t>(current_time.tv_sec);
-diff --git a/src/format/Token.cc b/src/format/Token.cc -index 186ade5..06c60cf 100644 ---- a/src/format/Token.cc -+++ b/src/format/Token.cc -@@ -141,6 +141,7 @@ static TokenTableEntry TokenTableMisc[] = {
TokenTableEntry("<qos", LFT_SERVER_LOCAL_TOS),
TokenTableEntry(">nfmark", LFT_CLIENT_LOCAL_NFMARK),
TokenTableEntry("<nfmark", LFT_SERVER_LOCAL_NFMARK),
-+ TokenTableEntry(">handshake", LFT_CLIENT_HANDSHAKE),
TokenTableEntry("err_code", LFT_SQUID_ERROR ),
TokenTableEntry("err_detail", LFT_SQUID_ERROR_DETAIL ),
TokenTableEntry("note", LFT_NOTE ),
diff --git a/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch b/src/patches/squid/squid-4.5-fix-max-file-descriptors.patch similarity index 92% rename from src/patches/squid/squid-4.4-fix-max-file-descriptors.patch rename to src/patches/squid/squid-4.5-fix-max-file-descriptors.patch index 8d1a4e03a..57fd0a6a6 100644 --- a/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch +++ b/src/patches/squid/squid-4.5-fix-max-file-descriptors.patch @@ -1,6 +1,6 @@ --- configure.ac.~ Wed Apr 20 14:26:07 2016 +++ configure.ac Fri Apr 22 17:20:46 2016 -@@ -3156,6 +3156,9 @@ +@@ -3160,6 +3160,9 @@ ;; esac
@@ -10,7 +10,7 @@ dnl --with-maxfd present for compatibility with Squid-2. dnl undocumented in ./configure --help to encourage using the Squid-3 directive AC_ARG_WITH(maxfd,, -@@ -3186,8 +3189,6 @@ +@@ -3190,8 +3193,6 @@ esac ])
-- 2.18.0
Hi,
On 02.01.2019 18:27, Michael Tremer wrote:
Hello,
This is quite good that we finally have a stable release of this (am I right that 4.4 wasn’t considered to be stable?).
'squid 4.4' was "stable", too:
In July 2018, 'squid 4' was "released for production use", see: https://wiki.squid-cache.org/Squid-4
This however removes support for the SMB_LM helper which we still use and I will have to remove that from the CGI. We will have to announce that properly, but I do not think that it is a huge problem because this is Windows 2000 era. Hopefully nobody is using that any more.
I'm not an expert for this - never used it -, but I found this on the above website:
"Major UI changes: ... basic_msnt_multi_domain_auth: Superceeded by basic_smb_lm_auth ..."
Best, Matthias
Apart from that, I hope that we can now stay on the releases in this series until there is a new one.> Best, -Michael
On 1 Jan 2019, at 17:39, Matthias Fischer matthias.fischer@ipfire.org wrote:
For details see: http://www.squid-cache.org/Versions/v4/changesets/ ...
On 2 Jan 2019, at 18:55, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
On 02.01.2019 18:27, Michael Tremer wrote:
Hello,
This is quite good that we finally have a stable release of this (am I right that 4.4 wasn’t considered to be stable?).
'squid 4.4' was "stable", too:
In July 2018, 'squid 4' was "released for production use", see: https://wiki.squid-cache.org/Squid-4
Why do they compare everything to squid 3.5 then?
This however removes support for the SMB_LM helper which we still use and I will have to remove that from the CGI. We will have to announce that properly, but I do not think that it is a huge problem because this is Windows 2000 era. Hopefully nobody is using that any more.
I'm not an expert for this - never used it -, but I found this on the above website:
"Major UI changes: ... basic_msnt_multi_domain_auth: Superceeded by basic_smb_lm_auth …"
The latter is not being compiled any more. You removed it from the rootfiles.
Best, Matthias
Apart from that, I hope that we can now stay on the releases in this series until there is a new one.> Best, -Michael
On 1 Jan 2019, at 17:39, Matthias Fischer matthias.fischer@ipfire.org wrote:
For details see: http://www.squid-cache.org/Versions/v4/changesets/ ...
On 02.01.2019 20:01, Michael Tremer wrote:
On 2 Jan 2019, at 18:55, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
On 02.01.2019 18:27, Michael Tremer wrote:
Hello,
This is quite good that we finally have a stable release of this (am I right that 4.4 wasn’t considered to be stable?).
'squid 4.4' was "stable", too:
In July 2018, 'squid 4' was "released for production use", see: https://wiki.squid-cache.org/Squid-4
Why do they compare everything to squid 3.5 then?
No idea. Perhaps to make upgrading easier for people running (huge/complex) 3.x-installations? They even still list "missing squid.conf options available in Squid-2.7"! ;-)
But as I read it, 3.x will not be continued, see:
https://wiki.squid-cache.org/RoadMap/Squid3
"We are no longer releasing new Squid series with 3.x numbers."
Best, Matthias
This however removes support for the SMB_LM helper which we still use and I will have to remove that from the CGI. We will have to announce that properly, but I do not think that it is a huge problem because this is Windows 2000 era. Hopefully nobody is using that any more.
I'm not an expert for this - never used it -, but I found this on the above website:
"Major UI changes: ... basic_msnt_multi_domain_auth: Superceeded by basic_smb_lm_auth …"
The latter is not being compiled any more. You removed it from the rootfiles.
Best, Matthias
Apart from that, I hope that we can now stay on the releases in this series until there is a new one.> Best, -Michael
On 1 Jan 2019, at 17:39, Matthias Fischer matthias.fischer@ipfire.org wrote:
For details see: http://www.squid-cache.org/Versions/v4/changesets/ ...
On 2 Jan 2019, at 19:10, Matthias Fischer matthias.fischer@ipfire.org wrote:
On 02.01.2019 20:01, Michael Tremer wrote:
On 2 Jan 2019, at 18:55, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
On 02.01.2019 18:27, Michael Tremer wrote:
Hello,
This is quite good that we finally have a stable release of this (am I right that 4.4 wasn’t considered to be stable?).
'squid 4.4' was "stable", too:
In July 2018, 'squid 4' was "released for production use", see: https://wiki.squid-cache.org/Squid-4
Why do they compare everything to squid 3.5 then?
No idea. Perhaps to make upgrading easier for people running (huge/complex) 3.x-installations? They even still list "missing squid.conf options available in Squid-2.7"! ;-)
But as I read it, 3.x will not be continued, see:
https://wiki.squid-cache.org/RoadMap/Squid3
"We are no longer releasing new Squid series with 3.x numbers.”
No, it is indeed time to migrate!
Best, Matthias
This however removes support for the SMB_LM helper which we still use and I will have to remove that from the CGI. We will have to announce that properly, but I do not think that it is a huge problem because this is Windows 2000 era. Hopefully nobody is using that any more.
I'm not an expert for this - never used it -, but I found this on the above website:
"Major UI changes: ... basic_msnt_multi_domain_auth: Superceeded by basic_smb_lm_auth …"
The latter is not being compiled any more. You removed it from the rootfiles.
Best, Matthias
Apart from that, I hope that we can now stay on the releases in this series until there is a new one.> Best, -Michael
On 1 Jan 2019, at 17:39, Matthias Fischer matthias.fischer@ipfire.org wrote:
For details see: http://www.squid-cache.org/Versions/v4/changesets/ ...
Hi,
On 02.01.2019 20:11, Michael Tremer wrote:
...
Why do they compare everything to squid 3.5 then?
No idea. Perhaps to make upgrading easier for people running (huge/complex) 3.x-installations? They even still list "missing squid.conf options available in Squid-2.7"! ;-)
...3.x will not be continued, see:
https://wiki.squid-cache.org/RoadMap/Squid3
"We are no longer releasing new Squid series with 3.x numbers.”
No, it is indeed time to migrate! ...
Just for completeness - excerpts from the official announcement which came today: ;-)
***SNIP*** The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.5 release!
This release is a security and bug fix release resolving several issues found in the prior Squid releases.
The major changes to be aware of:
* Bug 4253: ssl_bump prevents access to some web contents
...
* Redesign forward_max_tries to count TCP connection attempts
...
* Fix client_connection_mark ACL handling of clientless transactions
...
* Multiple NetDB behaviour updates
...
* The logformat code %>handshake is added
...
* Use pkg-config for detecting libxml2
...
All users of Squid-4 with SSL-Bump functionality are urged to upgrade as soon as possible.
All other users of Squid-4 are encouraged to upgrade as time permits.
All users of Squid-3 are encouraged to upgrade where possible. ***SNAP***
The last sentence says it all...
Best, Matthias
Hey,
indeed. Luckily we are not users of this SSL bump nightmare.
Best, -Michael
On 4 Jan 2019, at 18:02, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
On 02.01.2019 20:11, Michael Tremer wrote:
...
Why do they compare everything to squid 3.5 then?
No idea. Perhaps to make upgrading easier for people running (huge/complex) 3.x-installations? They even still list "missing squid.conf options available in Squid-2.7"! ;-)
...3.x will not be continued, see:
https://wiki.squid-cache.org/RoadMap/Squid3
"We are no longer releasing new Squid series with 3.x numbers.”
No, it is indeed time to migrate! ...
Just for completeness - excerpts from the official announcement which came today: ;-)
***SNIP*** The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.5 release!
This release is a security and bug fix release resolving several issues found in the prior Squid releases.
The major changes to be aware of:
- Bug 4253: ssl_bump prevents access to some web contents
...
- Redesign forward_max_tries to count TCP connection attempts
...
- Fix client_connection_mark ACL handling of clientless transactions
...
- Multiple NetDB behaviour updates
...
- The logformat code %>handshake is added
...
- Use pkg-config for detecting libxml2
...
All users of Squid-4 with SSL-Bump functionality are urged to upgrade as soon as possible.
All other users of Squid-4 are encouraged to upgrade as time permits.
All users of Squid-3 are encouraged to upgrade where possible. ***SNAP***
The last sentence says it all...
Best, Matthias