diff -u -r -N squid-3.4.11/ChangeLog squid-3.4.12/ChangeLog
--- squid-3.4.11/ChangeLog 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/ChangeLog 2015-02-18 03:05:44.000000000 -0800
@@ -1,3 +1,15 @@
+Changes to squid-3.4.12 (18 Feb 2015):
+
+ - Bug 4066: Digest auth nonce indefinite rollover
+ - Bug 3997: Excessive NTLM or Negotiate auth helper annotations
+ - Fix several crashes when debugging enabled
+ - Fix silent SSL/TLS failure on split-stack operating systems
+ - HTTP/1.1: Stop emitting (Proxy-)Authentication-Info for Negotiate
+ - HTTPS: Add TLS/SSL option NO_TICKET to http[s]_port
+ - Remove dst ACL dependency on HTTP request message existence
+ - Set cap_net_admin when Squid sets TOS/Diffserv packet values
+ - ... and some documentation updates
+
Changes to squid-3.4.11 (13 Jan 2015):
- Bug 4164: SEGFAULT when %W formating code used in errorpages
diff -u -r -N squid-3.4.11/compat/Makefile.in squid-3.4.12/compat/Makefile.in
--- squid-3.4.11/compat/Makefile.in 2015-01-13 03:54:03.000000000 -0800
+++ squid-3.4.12/compat/Makefile.in 2015-02-18 03:06:43.000000000 -0800
@@ -83,9 +83,9 @@
build_triplet = @build@
host_triplet = @host@
DIST_COMMON = $(top_srcdir)/src/Common.am $(srcdir)/Makefile.in \
- $(srcdir)/Makefile.am initgroups.c inet_pton.c drand48.c \
- inet_ntop.c getnameinfo.c psignal.c strtoll.c tempnam.c \
- strerror.c getaddrinfo.c $(top_srcdir)/cfgaux/depcomp \
+ $(srcdir)/Makefile.am inet_ntop.c getnameinfo.c drand48.c \
+ psignal.c strerror.c inet_pton.c tempnam.c strtoll.c \
+ initgroups.c getaddrinfo.c $(top_srcdir)/cfgaux/depcomp \
$(top_srcdir)/cfgaux/test-driver
check_PROGRAMS = testPreCompiler$(EXEEXT)
TESTS = testPreCompiler$(EXEEXT) testHeaders
diff -u -r -N squid-3.4.11/configure squid-3.4.12/configure
--- squid-3.4.11/configure 2015-01-13 03:54:50.000000000 -0800
+++ squid-3.4.12/configure 2015-02-18 03:07:32.000000000 -0800
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac Revision.
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.4.11.
+# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.4.12.
#
# Report bugs to .
#
@@ -595,8 +595,8 @@
# Identity of this package.
PACKAGE_NAME='Squid Web Proxy'
PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='3.4.11'
-PACKAGE_STRING='Squid Web Proxy 3.4.11'
+PACKAGE_VERSION='3.4.12'
+PACKAGE_STRING='Squid Web Proxy 3.4.12'
PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'
PACKAGE_URL=''
@@ -1605,7 +1605,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Squid Web Proxy 3.4.11 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 3.4.12 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1675,7 +1675,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Squid Web Proxy 3.4.11:";;
+ short | recursive ) echo "Configuration of Squid Web Proxy 3.4.12:";;
esac
cat <<\_ACEOF
@@ -2071,7 +2071,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Squid Web Proxy configure 3.4.11
+Squid Web Proxy configure 3.4.12
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3175,7 +3175,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by Squid Web Proxy $as_me 3.4.11, which was
+It was created by Squid Web Proxy $as_me 3.4.12, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -4042,7 +4042,7 @@
# Define the identity of the package.
PACKAGE='squid'
- VERSION='3.4.11'
+ VERSION='3.4.12'
cat >>confdefs.h <<_ACEOF
@@ -34378,7 +34378,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by Squid Web Proxy $as_me 3.4.11, which was
+This file was extended by Squid Web Proxy $as_me 3.4.12, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -34444,7 +34444,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-Squid Web Proxy config.status 3.4.11
+Squid Web Proxy config.status 3.4.12
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -u -r -N squid-3.4.11/configure.ac squid-3.4.12/configure.ac
--- squid-3.4.11/configure.ac 2015-01-13 03:54:50.000000000 -0800
+++ squid-3.4.12/configure.ac 2015-02-18 03:07:32.000000000 -0800
@@ -1,4 +1,4 @@
-AC_INIT([Squid Web Proxy],[3.4.11],[http://bugs.squid-cache.org/],[squid])
+AC_INIT([Squid Web Proxy],[3.4.12],[http://bugs.squid-cache.org/],[squid])
AC_PREREQ(2.61)
AC_CONFIG_HEADERS([include/autoconf.h])
AC_CONFIG_AUX_DIR(cfgaux)
diff -u -r -N squid-3.4.11/helpers/basic_auth/DB/basic_db_auth.8 squid-3.4.12/helpers/basic_auth/DB/basic_db_auth.8
--- squid-3.4.11/helpers/basic_auth/DB/basic_db_auth.8 2015-01-13 04:33:24.000000000 -0800
+++ squid-3.4.12/helpers/basic_auth/DB/basic_db_auth.8 2015-02-18 03:43:16.000000000 -0800
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "BASIC_DB_AUTH 1"
-.TH BASIC_DB_AUTH 1 "2015-01-13" "perl v5.20.1" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 1 "2015-02-18" "perl v5.20.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.4.11/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 squid-3.4.12/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8
--- squid-3.4.11/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 2015-02-18 03:05:44.000000000 -0800
@@ -7,19 +7,19 @@
.
.SH SYNOPSIS
.if !'po4a'hide' .B ext_ldap_group_acl
-.if !'po4a'hide' .B "\-b \""
-base DN
-.if !'po4a'hide' .B "\" \-f \""
-LDAP search filter
-.if !'po4a'hide' .B "\" ["
+.if !'po4a'hide' .B \-b
+base\-DN
+.if !'po4a'hide' .B \-f
+filter
+.if !'po4a'hide' .B "["
options
.if !'po4a'hide' .B "] ["
-LDAP server name
-.if !'po4a'hide' .B "[:"
+server
+.if !'po4a'hide' .B "[ ':' "
port
-.if !'po4a'hide' .B "]|"
+.if !'po4a'hide' .B "] |"
URI
-.if !'po4a'hide' .B "]..."
+.if !'po4a'hide' .B "] ..."
.
.SH DESCRIPTION
.B ext_ldap_group_acl
@@ -100,7 +100,7 @@
configuration file without getting the secretfile.
.
.if !'po4a'hide' .TP
-.if !'po4a'hide' .BI \-E certpath
+.if !'po4a'hide' .BI "\-E " certpath
Enable LDAP over SSL (requires Netscape LDAP API libraries)
.
.if !'po4a'hide' .TP
diff -u -r -N squid-3.4.11/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.4.12/helpers/external_acl/SQL_session/ext_sql_session_acl.8
--- squid-3.4.11/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2015-01-13 04:33:57.000000000 -0800
+++ squid-3.4.12/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2015-02-18 03:43:38.000000000 -0800
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_SQL_SESSION_ACL 1"
-.TH EXT_SQL_SESSION_ACL 1 "2015-01-13" "perl v5.20.1" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 1 "2015-02-18" "perl v5.20.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.4.11/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.4.12/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-3.4.11/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2015-01-13 04:34:01.000000000 -0800
+++ squid-3.4.12/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2015-02-18 03:43:41.000000000 -0800
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1"
-.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2015-01-13" "perl v5.20.1" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2015-02-18" "perl v5.20.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.4.11/helpers/log_daemon/DB/log_db_daemon.8 squid-3.4.12/helpers/log_daemon/DB/log_db_daemon.8
--- squid-3.4.11/helpers/log_daemon/DB/log_db_daemon.8 2015-01-13 04:34:03.000000000 -0800
+++ squid-3.4.12/helpers/log_daemon/DB/log_db_daemon.8 2015-02-18 03:43:43.000000000 -0800
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "LOG_DB_DAEMON 1"
-.TH LOG_DB_DAEMON 1 "2015-01-13" "perl v5.20.1" "User Contributed Perl Documentation"
+.TH LOG_DB_DAEMON 1 "2015-02-18" "perl v5.20.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.4.11/helpers/storeid_rewrite/file/storeid_file_rewrite.8 squid-3.4.12/helpers/storeid_rewrite/file/storeid_file_rewrite.8
--- squid-3.4.11/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2015-01-13 04:34:15.000000000 -0800
+++ squid-3.4.12/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2015-02-18 03:43:55.000000000 -0800
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "STOREID_FILE_REWRITE 1"
-.TH STOREID_FILE_REWRITE 1 "2015-01-13" "perl v5.20.1" "User Contributed Perl Documentation"
+.TH STOREID_FILE_REWRITE 1 "2015-02-18" "perl v5.20.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.4.11/include/version.h squid-3.4.12/include/version.h
--- squid-3.4.11/include/version.h 2015-01-13 03:54:50.000000000 -0800
+++ squid-3.4.12/include/version.h 2015-02-18 03:07:32.000000000 -0800
@@ -7,7 +7,7 @@
*/
#ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1421149989
+#define SQUID_RELEASE_TIME 1424257536
#endif
#ifndef APP_SHORTNAME
diff -u -r -N squid-3.4.11/RELEASENOTES.html squid-3.4.12/RELEASENOTES.html
--- squid-3.4.11/RELEASENOTES.html 2015-01-13 04:35:19.000000000 -0800
+++ squid-3.4.12/RELEASENOTES.html 2015-02-18 03:44:52.000000000 -0800
@@ -2,10 +2,10 @@
- Squid 3.4.11 release notes
+ Squid 3.4.12 release notes
-Squid 3.4.11 release notes
+Squid 3.4.12 release notes
Squid Developers
@@ -57,10 +57,10 @@
-The Squid Team are pleased to announce the release of Squid-3.4.11 for testing.
+The Squid Team are pleased to announce the release of Squid-3.4.12.
This new release is available for download from
http://www.squid-cache.org/Versions/v3/3.4/ or the
-mirrors.
+mirrors.
Some interesting new features adding system flexibility have been added along with general improvements all around.
While this release is not fully bug-free we believe it is ready for use in production on many systems.
@@ -432,6 +432,12 @@
+- log_access
-
+
Removed. Use access_log with ACLs instead
+
+ - log_icap
-
+
Removed. Use icap_log with ACLs instead
+
- storeurl_access
-
Replaced by store_id_access.
diff -u -r -N squid-3.4.11/src/acl/DestinationIp.cc squid-3.4.12/src/acl/DestinationIp.cc
--- squid-3.4.11/src/acl/DestinationIp.cc 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/acl/DestinationIp.cc 2015-02-18 03:05:44.000000000 -0800
@@ -52,6 +52,10 @@
{
ACLFilledChecklist *checklist = Filled(cl);
+ // if there is no HTTP request details fallback to the dst_addr
+ if (!checklist->request)
+ return ACLIP::match(checklist->dst_addr);
+
// Bug 3243: CVE 2009-0801
// Bypass of browser same-origin access control in intercepted communication
// To resolve this we will force DIRECT and only to the original client destination.
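Review bot: The new early return matches `checklist->dst_addr` without checking that the caller actually filled it in, so a checklist with neither a request nor a destination address would be compared using whatever default value the address holds. Nothing in this hunk shows how dst_addr is initialised, so this is worth confirming at the call sites that can now reach this ACL without a request. The comment could also state that the interception handling below (Bug 3243) is skipped on this path, e.g. `// No HTTP request available: match the checklist's dst_addr directly; the interception checks below need a request and are skipped.` The body of match() starts before and continues after the hunk.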
diff -u -r -N squid-3.4.11/src/acl/DestinationIp.h squid-3.4.12/src/acl/DestinationIp.h
--- squid-3.4.11/src/acl/DestinationIp.h 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/acl/DestinationIp.h 2015-02-18 03:05:44.000000000 -0800
@@ -58,7 +58,6 @@
ACLDestinationIP(): ACLIP(ACLDestinationIP::SupportedFlags) {}
virtual char const *typeString() const;
virtual int match(ACLChecklist *checklist);
- virtual bool requiresRequest() const {return true;}
virtual ACL *clone()const;
diff -u -r -N squid-3.4.11/src/anyp/PortCfg.cc squid-3.4.12/src/anyp/PortCfg.cc
--- squid-3.4.11/src/anyp/PortCfg.cc 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/anyp/PortCfg.cc 2015-02-18 03:05:44.000000000 -0800
@@ -66,22 +66,34 @@
b->disable_pmtu_discovery = disable_pmtu_discovery;
b->tcp_keepalive = tcp_keepalive;
-#if 0
- // TODO: AYJ: 2009-07-18: for now SSL does not clone. Configure separate ports with IPs and SSL settings
-
#if USE_SSL
- char *cert;
- char *key;
- int version;
- char *cipher;
- char *options;
- char *clientca;
- char *cafile;
- char *capath;
- char *crlfile;
- char *dhfile;
- char *sslflags;
- char *sslContextSessionId;
+ if (cert)
+ b->cert = xstrdup(cert);
+ if (key)
+ b->key = xstrdup(key);
+ b->version = version;
+ if (cipher)
+ b->cipher = xstrdup(cipher);
+ if (options)
+ b->options = xstrdup(options);
+ if (clientca)
+ b->clientca = xstrdup(clientca);
+ if (cafile)
+ b->cafile = xstrdup(cafile);
+ if (capath)
+ b->capath = xstrdup(capath);
+ if (crlfile)
+ b->crlfile = xstrdup(crlfile);
+ if (dhfile)
+ b->dhfile = xstrdup(dhfile);
+ if (sslflags)
+ b->sslflags = xstrdup(sslflags);
+ if (sslContextSessionId)
+ b->sslContextSessionId = xstrdup(sslContextSessionId);
+
+#if 0
+ // TODO: AYJ: 2015-01-15: for now SSL does not clone the context object.
+ // cloning should only be done before the PortCfg is post-configure initialized and opened
SSL_CTX *sslContext;
#endif
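Review bot: The clone now copies every TLS setting string but, per the TODO, still not the context built from them, so a clone carries certificate and key settings with no usable sslContext until post-configure initialisation runs on it. That ordering requirement is stated only inside the `#if 0` block; a comment above the copies, such as `// copies settings only; the clone must go through post-configure initialisation before it is opened`, would make the contract visible to callers. The eleven `if (x) b->x = xstrdup(x);` lines could also be folded into a small local helper so the field list does not drift when a setting is added. The enclosing function starts and ends outside the hunk, so how `b` is initialised and how these strings are freed is not visible here.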
diff -u -r -N squid-3.4.11/src/auth/digest/auth_digest.cc squid-3.4.12/src/auth/digest/auth_digest.cc
--- squid-3.4.11/src/auth/digest/auth_digest.cc 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/auth/digest/auth_digest.cc 2015-02-18 03:05:44.000000000 -0800
@@ -1038,12 +1038,7 @@
debugs(29, 2, "Username for the nonce does not equal the username for the request");
nonce = NULL;
}
- /* check for stale nonce */
- if (authDigestNonceIsStale(nonce)) {
- debugs(29, 3, "The received nonce is stale from " << username);
- digest_request->setDenyMessage("Stale nonce");
- nonce = NULL;
- }
+
if (!nonce) {
/* we couldn't find a matching nonce! */
debugs(29, 2, "Unexpected or invalid nonce received from " << username);
diff -u -r -N squid-3.4.11/src/auth/digest/UserRequest.cc squid-3.4.12/src/auth/digest/UserRequest.cc
--- squid-3.4.11/src/auth/digest/UserRequest.cc 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/auth/digest/UserRequest.cc 2015-02-18 03:05:44.000000000 -0800
@@ -152,10 +152,14 @@
}
/* check for stale nonce */
- if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
- debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale");
- auth_user->credentials(Auth::Handshake);
- digest_request->setDenyMessage("Stale nonce");
+ /* check Auth::Pending to avoid loop */
+
+ if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc) && user()->credentials() != Auth::Pending) {
+ debugs(29, 3, auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);
+ /* Pending prevent banner and makes a ldap control */
+ auth_user->credentials(Auth::Pending);
+ nonce->flags.valid = false;
+ authDigestNoncePurge(nonce);
return;
}
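Review bot: The stale-nonce branch now dereferences `nonce` (`nonce->flags.valid = false;`) on the path where `authDigestNonceIsValid()` has just returned false; if that function also returns false for a null nonce, which is not visible here, this is a null dereference on a request-handling path. A guard keeps the branch safe either way: `if (nonce) { nonce->flags.valid = false; authDigestNoncePurge(nonce); }`. The condition tests `digest_request->nonce` and `user()->credentials()` while the body uses bare `nonce` and `auth_user`; one spelling for each would make it clear they are the same objects. The debugs() line lost its opening `"user '"` and now prints an unmatched quote after the username. The enclosing function starts and ends outside the hunk.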
@@ -298,6 +302,8 @@
// add new helper kv-pair notes to the credentials object
// so that any transaction using those credentials can access them
auth_user_request->user()->notes.appendNewOnly(&reply.notes);
+ // remove any private credentials detail which got added.
+ auth_user_request->user()->notes.remove("ha1");
static bool oldHelperWarningDone = false;
switch (reply.result) {
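Review bot: The private value is first copied into the shared credentials notes by `appendNewOnly()` and only then stripped, so the cleanup depends on the literal `"ha1"` matching exactly what the helper emits and on no further private key being added to the helper protocol later. Filtering the reply before it is appended, or keeping the list of private keys in one place, would be more robust; at minimum the comment should name the value, e.g. `// "ha1" is a credential secret from the helper; it must not be visible to transactions sharing these notes`. The same pattern with `"token"` is added in src/auth/negotiate/UserRequest.cc and src/auth/ntlm/UserRequest.cc. The enclosing function starts and ends outside the hunk.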
diff -u -r -N squid-3.4.11/src/auth/negotiate/UserRequest.cc squid-3.4.12/src/auth/negotiate/UserRequest.cc
--- squid-3.4.11/src/auth/negotiate/UserRequest.cc 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/auth/negotiate/UserRequest.cc 2015-02-18 03:05:44.000000000 -0800
@@ -229,6 +229,8 @@
// add new helper kv-pair notes to the credentials object
// so that any transaction using those credentials can access them
auth_user_request->user()->notes.appendNewOnly(&reply.notes);
+ // remove any private credentials detail which got added.
+ auth_user_request->user()->notes.remove("token");
Auth::Negotiate::UserRequest *lm_request = dynamic_cast(auth_user_request.getRaw());
assert(lm_request != NULL);
@@ -359,21 +361,3 @@
delete r;
}
-void
-Auth::Negotiate::UserRequest::addAuthenticationInfoHeader(HttpReply * rep, int accel)
-{
- http_hdr_type type;
-
- if (!server_blob)
- return;
-
- /* don't add to authentication error pages */
- if ((!accel && rep->sline.status() == Http::scProxyAuthenticationRequired)
- || (accel && rep->sline.status() == Http::scUnauthorized))
- return;
-
- type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO;
- httpHeaderPutStrf(&rep->header, type, "Negotiate %s", server_blob);
-
- safe_free(server_blob);
-}
diff -u -r -N squid-3.4.11/src/auth/negotiate/UserRequest.h squid-3.4.12/src/auth/negotiate/UserRequest.h
--- squid-3.4.11/src/auth/negotiate/UserRequest.h 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/auth/negotiate/UserRequest.h 2015-02-18 03:05:44.000000000 -0800
@@ -28,8 +28,6 @@
virtual Direction module_direction();
virtual void module_start(AUTHCB *, void *);
- virtual void addAuthenticationInfoHeader(HttpReply * rep, int accel);
-
virtual const char * connLastHeader();
/* we need to store the helper server between requests */
diff -u -r -N squid-3.4.11/src/auth/ntlm/UserRequest.cc squid-3.4.12/src/auth/ntlm/UserRequest.cc
--- squid-3.4.11/src/auth/ntlm/UserRequest.cc 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/auth/ntlm/UserRequest.cc 2015-02-18 03:05:44.000000000 -0800
@@ -223,6 +223,8 @@
// add new helper kv-pair notes to the credentials object
// so that any transaction using those credentials can access them
auth_user_request->user()->notes.appendNewOnly(&reply.notes);
+ // remove any private credentials detail which got added.
+ auth_user_request->user()->notes.remove("token");
Auth::Ntlm::UserRequest *lm_request = dynamic_cast(auth_user_request.getRaw());
assert(lm_request != NULL);
diff -u -r -N squid-3.4.11/src/cf.data.pre squid-3.4.12/src/cf.data.pre
--- squid-3.4.11/src/cf.data.pre 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/cf.data.pre 2015-02-18 03:05:44.000000000 -0800
@@ -180,6 +180,12 @@
DOC_END
# Options Removed in 3.2
+NAME: chunked_request_body_max_size
+TYPE: obsolete
+DOC_START
+ Remove this line. Squid is now HTTP/1.1 compliant.
+DOC_END
+
NAME: ignore_expect_100
TYPE: obsolete
DOC_START
@@ -1734,6 +1740,7 @@
NO_TLSv1_2 Disallow the use of TLSv1.2
SINGLE_DH_USE Always create a new key when using
temporary/ephemeral DH key exchanges
+ NO_TICKET Disables TLS tickets extension
ALL Enable various bug workarounds
suggested as "harmless" by OpenSSL
Be warned that this reduces SSL/TLS
@@ -5255,33 +5262,6 @@
a large file.
DOC_END
-NAME: chunked_request_body_max_size
-COMMENT: (bytes)
-TYPE: b_int64_t
-DEFAULT: 64 KB
-LOC: Config.maxChunkedRequestBodySize
-DOC_START
- A broken or confused HTTP/1.1 client may send a chunked HTTP
- request to Squid. Squid does not have full support for that
- feature yet. To cope with such requests, Squid buffers the
- entire request and then dechunks request body to create a
- plain HTTP/1.0 request with a known content length. The plain
- request is then used by the rest of Squid code as usual.
-
- The option value specifies the maximum size of the buffer used
- to hold the request before the conversion. If the chunked
- request size exceeds the specified limit, the conversion
- fails, and the client receives an "unsupported request" error,
- as if dechunking was disabled.
-
- Dechunking is enabled by default. To disable conversion of
- chunked requests, set the maximum to zero.
-
- Request dechunking feature and this option in particular are a
- temporary hack. When chunking requests and responses are fully
- supported, there will be no need to buffer a chunked request.
-DOC_END
-
NAME: broken_posts
IFDEF: USE_HTTP_VIOLATIONS
TYPE: acl_access
diff -u -r -N squid-3.4.11/src/Notes.cc squid-3.4.12/src/Notes.cc
--- squid-3.4.11/src/Notes.cc 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/Notes.cc 2015-02-18 03:05:44.000000000 -0800
@@ -189,6 +189,21 @@
}
void
+NotePairs::remove(const char *key)
+{
+ Vector::iterator i = entries.begin();
+ while (i != entries.end()) {
+ if ((*i)->name.cmp(key) == 0) {
+ NotePairs::Entry *e = (*i);
+ entries.prune(e);
+ delete e;
+ i = entries.begin(); // vector changed underneath us
+ } else
+ ++i;
+ }
+}
+
+void
NotePairs::addStrList(const char *key, const char *values)
{
String strValues(values);
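Review bot: `NotePairs::remove()` compares with `name.cmp(key)`, which looks like an exact, case-sensitive match, so a note whose name differs only in case from `"ha1"` or `"token"` would survive the cleanup the auth callers rely on. Confirm that helper keys are always emitted in lower case, or compare case-insensitively if the String class offers that. The loop also restarts from `entries.begin()` after every removal, which is quadratic in the number of matching entries; that is acceptable for short note lists but deserves a word in the comment, e.g. `// restart: the vector changed underneath us; note lists are short`. A null `key` is not checked before the comparison.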
diff -u -r -N squid-3.4.11/src/Notes.h squid-3.4.12/src/Notes.h
--- squid-3.4.11/src/Notes.h 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/Notes.h 2015-02-18 03:05:44.000000000 -0800
@@ -155,6 +155,11 @@
void add(const char *key, const char *value);
/**
+ * Remove all notes with a given key.
+ */
+ void remove(const char *key);
+
+ /**
* Adds a note key and values strList to the notes list.
* If the key name already exists in list, add the new values to its set
* of values.
diff -u -r -N squid-3.4.11/src/peer_select.cc squid-3.4.12/src/peer_select.cc
--- squid-3.4.11/src/peer_select.cc 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/peer_select.cc 2015-02-18 03:05:44.000000000 -0800
@@ -122,7 +122,7 @@
assert(entry);
assert(entry->ping_status == PING_NONE);
assert(direct != DIRECT_YES);
- debugs(44, 3, "peerSelectIcpPing: " << entry->url() );
+ debugs(44, 3, "peerSelectIcpPing: " << entry->url());
if (!request->flags.hierarchical && direct != DIRECT_NO)
return 0;
@@ -262,7 +262,7 @@
if (fs && psstate->paths->size() < (unsigned int)Config.forward_max_tries) {
// send the next one off for DNS lookup.
const char *host = fs->_peer ? fs->_peer->host : psstate->request->GetHost();
- debugs(44, 2, "Find IP destination for: " << psstate->entry->url() << "' via " << host);
+ debugs(44, 2, "Find IP destination for: " << psstate->url() << "' via " << host);
ipcache_nbgethostbyname(host, peerSelectDnsResults, psstate);
return;
}
@@ -744,7 +744,7 @@
StoreEntry *entry = psstate->entry;
if (entry)
- debugs(44, 3, "peerPingTimeout: '" << entry->url() << "'" );
+ debugs(44, 3, "peerPingTimeout: '" << psstate->url() << "'" );
if (!cbdataReferenceValid(psstate->callback_data)) {
/* request aborted */
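Review bot: The `if (entry)` guard in front of this debugs() call is left over from when the message used `entry->url()`; now that it prints `psstate->url()`, the guard only suppresses the log line when there is no entry, which is presumably the case the change was meant to cover. Dropping the condition, `debugs(44, 3, "peerPingTimeout: '" << psstate->url() << "'");`, would log the timeout in both cases. If `entry` has no other use after this line the local can go as well; the function continues outside the hunk, so that is not visible here.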
@@ -812,7 +812,7 @@
{
ps_state *psstate = (ps_state *)data;
icp_opcode op = header->getOpCode();
- debugs(44, 3, "peerHandleIcpReply: " << icp_opcode_str[op] << " " << psstate->entry->url() );
+ debugs(44, 3, "peerHandleIcpReply: " << icp_opcode_str[op] << " " << psstate->url() );
#if USE_CACHE_DIGESTS && 0
/* do cd lookup to count false misses */
@@ -845,9 +845,7 @@
peerHandleHtcpReply(CachePeer * p, peer_t type, HtcpReplyData * htcp, void *data)
{
ps_state *psstate = (ps_state *)data;
- debugs(44, 3, "peerHandleHtcpReply: " <<
- (htcp->hit ? "HIT" : "MISS") << " " <<
- psstate->entry->url() );
+ debugs(44, 3, "" << (htcp->hit ? "HIT" : "MISS") << " " << psstate->url());
++ psstate->ping.n_recv;
if (htcp->hit) {
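Review bot: The rewritten message starts with an empty string literal, `"" <<`, and no longer carries the `peerHandleHtcpReply:` prefix, while the sibling handlers in this diff still print `peerHandleIcpReply:` and `peerPingTimeout:`. If the prefix was dropped on purpose the empty literal can go too, `debugs(44, 3, (htcp->hit ? "HIT" : "MISS") << " " << psstate->url());`; otherwise keep the prefix so the handlers' log lines can be searched the same way. The function body continues outside the hunk.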
diff -u -r -N squid-3.4.11/src/SquidConfig.h squid-3.4.12/src/SquidConfig.h
--- squid-3.4.11/src/SquidConfig.h 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/SquidConfig.h 2015-02-18 03:05:44.000000000 -0800
@@ -120,7 +120,6 @@
} Timeout;
size_t maxRequestHeaderSize;
int64_t maxRequestBodySize;
- int64_t maxChunkedRequestBodySize;
size_t maxRequestBufferSize;
size_t maxReplyHeaderSize;
AclSizeLimit *ReplyBodySize;
diff -u -r -N squid-3.4.11/src/ssl/support.cc squid-3.4.12/src/ssl/support.cc
--- squid-3.4.11/src/ssl/support.cc 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/ssl/support.cc 2015-02-18 03:05:44.000000000 -0800
@@ -488,6 +488,11 @@
"No_Compression", SSL_OP_NO_COMPRESSION
},
#endif
+#if SSL_OP_NO_TICKET
+ {
+ "NO_TICKET", SSL_OP_NO_TICKET
+ },
+#endif
{
"", 0
},
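Review bot: The guard `#if SSL_OP_NO_TICKET` evaluates the macro's value in the preprocessor, which only works while the OpenSSL headers define it as a plain integer constant; a definition using a cast or a typed shift would fail to preprocess, and a definition of 0 would silently drop the option. `#ifdef SSL_OP_NO_TICKET` (or `#if defined(SSL_OP_NO_TICKET)`) tests only for presence and is the safer form. When the macro is absent, whether a configured `NO_TICKET` is rejected or silently ignored is decided by lookup code outside this hunk; since the option disables TLS session tickets, a silent ignore would merit a startup warning. The table and its other guards begin outside the hunk, so consistency with them could not be checked.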
diff -u -r -N squid-3.4.11/src/tools.cc squid-3.4.12/src/tools.cc
--- squid-3.4.11/src/tools.cc 2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/tools.cc 2015-02-18 03:05:44.000000000 -0800
@@ -1319,7 +1319,10 @@
cap_value_t cap_list[10];
cap_list[ncaps] = CAP_NET_BIND_SERVICE;
++ncaps;
- if (Ip::Interceptor.TransparentActive() || Ip::Qos::TheConfig.isHitNfmarkActive() || Ip::Qos::TheConfig.isAclNfmarkActive()) {
+ if (Ip::Interceptor.TransparentActive() ||
+ Ip::Qos::TheConfig.isHitNfmarkActive() ||
+ Ip::Qos::TheConfig.isAclNfmarkActive() ||
+ Ip::Qos::TheConfig.isAclTosActive()) {
cap_list[ncaps] = CAP_NET_ADMIN;
++ncaps;
}
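Review bot: CAP_NET_ADMIN is a broad capability and this change retains it whenever a TOS ACL is configured, so the reason belongs in a comment next to the condition, e.g. `// CAP_NET_ADMIN: needed for interception, netfilter marks, and setting TOS/Diffserv values on packets`. The condition covers `isHitNfmarkActive()` and `isAclNfmarkActive()` but only `isAclTosActive()` on the TOS side; if hit-based TOS marking exists it would presumably need the same treatment, which cannot be confirmed from this hunk. The enclosing function starts and ends outside the hunk.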