
Conversation

JonathanDLee24
Contributor

This PR updates the Squid proxy package in the FreeBSD ports tree to the latest stable release version 7.1. Key changes include:

Updated Makefile to reflect the new version, updated DISTVERSION, MASTER_SITES, and checksum info in distinfo.

Changed tarball compression format from .tar.xz to .tar.gz according to the official release archive.

Verified dependencies and options to ensure compatibility with Squid 7.1.

Adjusted patches and configurations to align with upstream changes.

Tested build and installation successfully on FreeBSD/pfSense environments.

This upgrade brings improved performance, security fixes, and new features from the Squid 7.1 release, keeping the pfSense package up to date and stable.

Maintainers:

Special thanks to @marcos-ng for the epic work maintaining Squid on pfSense.

CC: @pfsense-maintainers @freebsd-ports @Netgate @squid-cache

Related Issues: Closes # (if any existing issue)

Testing:

Built on FreeBSD 13.x / pfSense 2.7

Basic functional testing of proxy and authentication helpers

JonathanDLee24 and others added 7 commits May 26, 2023 09:20
Fixes filter being off and blocking youtube still
$sslproxy_options = "NO_SSLv3, NO_TLSv1, NO_TLSv1_1";

This variable is also used with 

tls_outgoing_options

However, without the feature flags set, TLS1 and TLS1_1 are being used; this can be seen inside of pcap files. This causes issues with websites sending change cipher requests. Please set this directive's feature flags to no longer use TLS1 or TLS1.1. This leaves TLS1.2 and TLS1.3 for use with the proxy. I have confirmed this forces use of TLS1.2 and TLS1.3. With this feature flag set, TLS1 and 1.1 are no longer seen in pcap files when communicating with the proxy. The pcap files were generated inside of pfSense to find this issue.
It needs USES= tar:tgz for this to work.
@JonathanDLee24
Contributor Author

Issues with the heimdal-krb5.pc working problem; do not merge yet.

@JonathanDLee24
Contributor Author

“Reopening PR #1420 with updated Makefile and distinfo for Squid 7 compatibility.”

@JonathanDLee24
Contributor Author

I think this resolved it. I got it to do a build in FreeBSD 14 with the URL changes. It does need a test from someone with more background on how to test this in the pfSense repo; merge with caution.

@JonathanDLee24
Contributor Author

My primary concern is whether the NO_TLSv1 directive is still present or if it has been removed entirely, effectively forcing the use of newer TLS versions. In the past, when this directive was changed, the upstream adapted to it by making NO_TLSv1 the default and subsequently removed the ability to override it manually. It felt like after I flagged the issue and submitted a PR to explicitly set NO_TLSv1 in the config, the newer Squid version hardcoded that behavior and eliminated the option to configure it. I'm trying to determine if the same situation is happening again with the current changes.
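The commit message earlier in this thread sets `NO_SSLv3, NO_TLSv1, NO_TLSv1_1` so that the outgoing side of the proxy only negotiates TLS 1.2 and 1.3, and the comment above asks whether that setting still takes effect after the upgrade. The script below is an added example (not part of this PR, the pfSense package, or Squid itself) that reads a squid.conf and reports which protocol versions each `tls_outgoing_options` line still permits, so the generated config can be checked before relying on a pcap. It assumes Squid's documented `options=NO_<version>` syntax and the `min-version=1.N` parameter of Squid 4 and later; the sample configs are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Protocol versions OpenSSL can negotiate, oldest first (SSLv2 is compiled out
# of modern builds and omitted here).
VERSIONS = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
# Versions the commit message wants outgoing proxy connections to never use.
LEGACY = {"SSLv3", "TLSv1", "TLSv1_1"}
# Squid's min-version= values mapped onto the names above (assumption: Squid 4+
# documents min-version=1.N for tls_outgoing_options).
MIN_VERSION = {"1.0": "TLSv1", "1.1": "TLSv1_1", "1.2": "TLSv1_2", "1.3": "TLSv1_3"}


def allowed_versions(directive: str) -> Set[str]:
    """Protocol versions a single tls_outgoing_options line still permits."""
    parts = directive.strip().split(None, 1)
    params = parts[1] if len(parts) > 1 else ""
    allowed = set(VERSIONS)
    # options=NO_SSLv3,NO_TLSv1,... : every NO_<name> flag removes one version.
    # A quoted value is accepted too, so spaces after the commas (as in the
    # pfSense PHP string) do not hide a flag from the check.
    for m in re.finditer(r'options=("[^"]*"|\S+)', params):
        for opt in m.group(1).strip('"').split(","):
            opt = opt.strip()
            if opt.startswith("NO_"):
                allowed.discard(opt[3:])
    # min-version=1.2 removes everything older than TLS 1.2.
    m = re.search(r"min-version=(\d\.\d)", params)
    if m and m.group(1) in MIN_VERSION:
        floor = VERSIONS.index(MIN_VERSION[m.group(1)])
        allowed -= set(VERSIONS[:floor])
    return allowed


def audit_squid_conf(conf_text: str) -> List[Dict]:
    """Report, per tls_outgoing_options line, which legacy versions survive."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line.startswith("tls_outgoing_options"):
            continue
        allowed = allowed_versions(line)
        findings.append({
            "line": lineno,
            "allowed": [v for v in VERSIONS if v in allowed],
            "legacy_enabled": [v for v in VERSIONS if v in allowed & LEGACY],
        })
    if not findings:
        # No directive at all: the protocol floor is whatever the TLS library
        # defaults to, which the config itself does not guarantee.
        findings.append({"line": None, "allowed": None, "legacy_enabled": None,
                         "note": "no tls_outgoing_options; floor left to the TLS library"})
    return findings


# Constructed sample configs for the example, not taken from a real install.
WEAK_CONF = """\
# outgoing side of ssl_bump with only SSLv3 disabled
tls_outgoing_options options=NO_SSLv3
"""

FIXED_CONF = """\
# what the pfSense change ($sslproxy_options) is meant to produce
tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        for finding in audit_squid_conf(conf):
            print(name, finding)
```

Run it against the squid.conf pfSense generates after the package upgrade: a `legacy_enabled` list that is not empty, or a finding with `line` set to `None`, means the `NO_TLSv1` / `NO_TLSv1_1` flags did not make it into the effective configuration and a pcap of outbound connections is the next thing to look at.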
