SafeSquid Secure Web Gateway 2025.1001.1232.3
---------------------------------------------
Upgrade: SafeSquid now minimally requires Kernel 6.8, and glibc 2.39
BugFix: Buffering Chunked responses even when the server responses were not compressed
BugFix: Semantic error resulting in incorrect handling of password cache
Enhancement: Re-implementation of the SO_INCOMING_CPU in the listen sockets for SMP optimization
Enhancement: Kerberos keytab generation now uses rndc key to add required zones instead of creating zone files in the /etc/bind directory
Enhancement: Automatic eviction of expired kerberos tokens
Enhancement: Kerberos operations now logged to a separate file /var/log/safesquid/kerberos.
			This is a temporary measure, the path shall be changed in future releases
Enhancement: The upgrade path is now changed from /tmp/safesquid to /srv/safesquid
Enhancement: Failure to create folders is now considered as a system anomaly, and SafeSquid exits with an ASSERTION alert.


SafeSquid Secure Web Gateway 2025.0721.1508.3
---------------------------------------------
BugFix: Protocol select options in the Request Types Profiling section
BugFix: Handling of AIA URL presented in Intermediate Certification Authority
Enhancement: API http://safesquid.cfg/ping to test connectivity of the client with the SafeSquid proxy service.
Enhancement: SafeSquid pins Listen sockets to CPUs specified in the LISTEN_CPUS in the startup.ini. Leave it blank to listen on each CPU.
Enhancement: Optimized Performance logging
Enhancement: Increased the Socket Read Buffer default size from 32768 to 131072 to reduce latency.
Enhancement: Negotiated adjustment of TLS Record sizes and Fragments post SSL handshake with clients and web servers
Enhancement: Host TSO and MTU detection for MSS optimization
Enhancement: POODLE remediation: SSL_MODE_SEND_FALLBACK_SCSV for TLS protocol version downgrade protection.
Enhancement: Round-Robin IP selection for outbound connections for improved performance with upstream Firewall or Proxy.
Enhancement: Reduced time spent by a socket in CLOSE_WAIT state


SafeSquid Secure Web Gateway 2025.0415.1559.3
---------------------------------------------
Enhancement: Optimized SSL error handling


safesquid-2025.0321.1432.3-swg-concept  Concept Edition
---------------------------------------------
Enhancement: Tuning for Receive Side Scaling
Enhancement: Increased DNS Cache duration
Enhancement: Improved Responsiveness for TCP_DEFER_ACCEPT
BugFix: Logical bug prevented SSL Session Resumption with remote web server


safesquid-2025.0129.1451.3-swg-concept  Concept Edition
---------------------------------------------
Support for zstd compression
BugFix: Semantic errors causing unhandled errors
Enhanced SSL Read Buffer to improve user experience
BugFix: Prevent negative caching of password when LDAP server connectivity fails


safesquid-2025.0114.2015.3-swg-concept
---------------------------------------------
HTTPS Inspection: option to bypass SSL error X509_V_ERR_HOSTNAME_MISMATCH and X509_V_ERR_IP_ADDRESS_MISMATCH
HTTPS Inspection: BugFix: limit session reuse for TLS v1.3
HTTPS Inspection: BugFix: Memory leak in session cache management
YouTube Categorization: All videos are now additionally categorized as "Youtube * Video" to ease policy making
Startup INI: Option to disable real-time SQLite DB updates for heavily loaded servers
Network: Workaround for broken SO_INCOMING_CPU in Linux Kernel 
Network: Optimization for better resonance with RPS/RFS/RSS
Content Decoding: Support for Brotli Compression
URL Categorization: BugFix: Prevent Dynamic Categorization for user triggered requests
URL Categorization: Defer cloud based categorization on heavily loaded servers using async
URL Categorization: improved categorization cache reliability
Update downloads: Limit retries in event of fetch errors
Kerberos Authentication: DNS Stub now sets the Active Directory Server as "Forwarders" besides "Master"
Response Profile: BugFix: Profile based on actual content type/mime discovered by SafeSquid
URL Redirect: BugFix: Logical Error ignored explicit URL directive
Time Profile: BugFix: Logical error caused incorrect time window determination
DNSBL: BugFix: GEOIP not showing country code


SafeSquid Secure Web Gateway 2024.0715.1656.3  Concept Edition
---------------------------------------------
Critical update:
Embedded CA updated for SSL verification of Activation Key


SafeSquid Secure Web Gateway 2024.0709.1752.3 Concept Edition
-------------------------------------------------------------
BugFix:
Failure to detect Connection Pool exceeding maximum limit set in the System Configuration
Enhancement:
SIGUSR2 will now immediately close all idle client connections and idle outbound connections


SafeSquid Secure Web Gateway 2024.0624.1721.3 Concept Edition
---------------------------------------------
BugFix:
When removing the trusted-ca-certificates.crt file, on the first restart SafeSquid ignores the file and does not load it into the CA bundle.
When disabling ipv6 in the proxy server, SafeSquid does not auto switch to ipv4 when "*" is set as listenip in startup.ini
URL for connections is missing for all methods "GET,POST" apart from method CONNECT, in extended logs
Connections are not kept alive for UI requests including CSP logging


SafeSquid Secure Web Gateway 2024.0425.2012.3 Concept Edition
-------------------------------------------------------------
BugFix:
Crash when a malformed Authorization header was sent in the request headers of an HTTPS transaction
Monit failure to detect already running script for removal of expired ssl certificates


SafeSquid Secure Web Gateway 2024.0417.1946.3 Concept Edition
-------------------------------------------------------------
BugFix:
Preserve permissions of /tmp folder
Default Locale set to en_US.UTF-8 to prevent anomalous behavior on non-English host systems
Username and password specified in Access Restrictions now functions as expected
Modules discovery mechanism rebuilt to prevent discovery failure.
Connection errors to servers are now reported with appropriate explanation.

Enhancements:
Block requests based on the web server's Geo Location
Block DNS queries to resolve malicious websites or requests
Block Connections to web services rendered from IP addresses of known malicious actors
Use multiple DNSBL service providers
Intuitive Blocking and Error Templates
Suggestions for important default policies in configuration
Removal of expired interception SSL certificates now also removes expired intermediate CA certificate
Generation of Kerberos Keytabs is now load balancing aware
Field to specify IP ranges in Access restrictions section is now multiline
Improved detection of YouTube Videos
Malformatted response from web servers now reported as status code 452 ("Bad Response By Server")
DNSBL reports threats blocked as status code 454 ("Malicious Server")
Malware Detection reports blocked threats as status code 453 ("Malicious Response From Server")
Fixed UI exception handling for unknown functions
Automatic addition of "IPv4 Host" / "IPv6 Host" for IP based requests
Category set to "#" for uncategorized requests
Requests matching any private category are not tested for additional categorization
Dynamic Categorization ignores referer for user triggered requests
User configurable path for fetching application signatures
User configurable path for configuration backup and restore
User configurable path for default config
Hostname considers the system hostname if not specified in startup.ini
Changes to entry in Text Analyzer for keyword filtering are now enforced immediately
Rationalized error and warning reporting in logs and templates for easier understanding
Improved reporting of PAM authentication failures
Authentication failures in event of PAM failure are not stored in negative cache
New Default subsection in Access Profiles, to prevent human errors leading to accidental override of default Policy requirements.
Logs report the profile that matched leading to allow or block of a request
Intuitive suggestions for creating entries based on recommended configuration
New subsection in Request Profiles section for bulk labelling of URLS and Domains to a Request Type
Optimized the SSL operations for speed and memory


SafeSquid Secure Web Gateway 2023.0921.1522.3
---------------------------------------------
BugFix: Handling of requests to ports normally reserved for Proxy Service
Enhancement: Dynamic Categorization is no longer applied to cross-site requests explicitly initiated by user
Enhancement: Monit now triggers removal of any expired SSL Certificates
Enhancement: Improved handling of WebSockets
Enhancement: Configurable Backup URL Path
Enhancement: Proxy hostname set in the Global sub-section of the System Configuration section is now the default Authentication Realm 
Enhancement: DNS Blacklist now enables blocking connections to malicious IP addresses 


SafeSquid Secure Web Gateway 2023.0706.1529.3
---------------------------------------------
Changes: 
install and init scripts now write to syslog
/etc/logrotate.d/safesquid now invokes safesquid init script to rotate logs
some of the internal process information is now sent to syslog instead of the earlier /tmp/safesquid/tty
In event of process reaching the maxthreads limit the client connections are now held in client pool for reconsideration instead of being summarily closed.

Enhancements:
The network operations now use fewer FDs
Reduction in overheads for detection of log file sizes
Improved response time for new client connections
CPU optimizations now improve the overall transactions speed by almost 30% 

BugFix:
Faulty logic caused unwanted misses of outbound connections from the pool
Faulty logic caused delays in closure of client connections leading to very high counts of stale connections
Faulty semantic caused validation failure of certificate chain when a server presented certificates incorporating the AIA URL
The connection pool, and client pool counters in performance logs reported inaccurate values


SafeSquid Secure Web Gateway 2022.1110.1953.3
---------------------------------------------
This is an experimental release to determine delays in wakeup of client connections in idling pool


SafeSquid Secure Web Gateway 2022.1101.1921.3
---------------------------------------------
Releasing the earlier version safesquid-2022.1031.1958.3-swg-concept.tar.gz as a standard release.
BugFix: Semantic error caused unnecessary change of directory ownership.

SafeSquid Secure Web Gateway 2022.1031.1958.3
---------------------------------------------
Experimental changes:
Enhancement: Increased the priority of thread dedicated to closing idle connections.
Enhancement: Automatic retries in event the server is heavily loaded or network is clogged when fetching important updates.
BugFix: Prevent reuse of ClamAV daemon connections as the unix socket no longer supports connection reuse.
Enhancement: Improve DDoS protection: Drop connection to remote server if the client has closed connection while SafeSquid is awaiting response from remote server.
Enhancement: Improve logging of user actions when interacting with the WebUI.
Enhancement: Faster response to pipelined requests
BugFix: Avoid retrying to read from the socket when previous read was partly successful.

SafeSquid Secure Web Gateway 2022.1008.1240.3
---------------------------------------------
BugFix: Incorrect reflection in the SafeSquid UI when user membership is modified in the Directory Service
BugFix: UDP based transmission of logs to remote servers could choke because of data fragmentation
BugFix: Failure to verify SSL certificates created with Authority Information Access indicating the URL of an intermediate CA Issuer that serves certificates that necessitate further AIA fetch
BugFix: Semantic error causing SafeSquid to close all idle connections when Trusted SSL Root CA Certificates were updated
Enhancement: Use of connection variables in the header->insert feature for refined implementation of Content-Security-Policy
Enhancement: Introducing http://safesquid.cfg/csp as the REST interface for collecting Content Security Policy Violation reports
Enhancement: csp.log now logs all Content Security Policy Violations

SafeSquid Secure Web Gateway 2022.0802.1537.3
---------------------------------------------
BugFix: Custom Categorization section of the SafeSquid Interface reported incorrect categorization
BugFix: Logical bug in evaluation of time ranges in Time Profiles
BugFix: unhandled exception in malformed Origin or Referer headers detection caused SafeSquid to crash
Enhancement: Websites added in custom categories are now presented in the UI when editing profiles for easy reference.


SafeSquid Secure Web Gateway 2022.0718.1917.3
---------------------------------------------
BugFix: logical bug caused safesquid to crash when a client sent malformed headers
BugFix: upgrading SafeSquid from interface failed due to an inconsistent directive in monit configuration
BugFix: prevent unnecessary retry and delay in detection of SSL_SHUTDOWN from peer
BugFix: do not apply private categorization based on referer when disabled in the general section


SafeSquid Secure Web Gateway 2022.0610.1620.3
---------------------------------------------
Support for WebSockets.
Web-sockets are no longer mandatorily blocked, but the users can specifically choose to restrict use of web-sockets.
Web socket requests are marked as TCP_WEBSOCKET in extended logs if it is not blocked and TCP_DENIED_WEBSOCKET if it is blocked.
BugFix: Match the Regular Expression for File Extension against File Downloads in Custom Settings >> Response Types
If "." is the first letter of a private category, it will be applied only to requests to matching web-sites, but not to cross-site requests referred to by such web-sites.
If "#" is the first letter of a private category, it will not be applied to any website, though will be visible in UI for categorization modification.
Additional new option in the general section to force buffering of chunked responses, for processing.
For detection of cross-site requests, HTTP request header Origin is now considered as referer in case the request does not have a referer.
Buffering chunked responses is now controllable from the system configuration, instead of the Content Modification section.

SafeSquid Secure Web Gateway 2022.0502.1923.3
---------------------------------------------
Minor patch for compatibility with Activation Key generated on revamped SafeSquid Self-Service Portal


SafeSquid Secure Web Gateway 2022.0402.1601.3
---------------------------------------------
Enhancement: 
	Dynamic Categorization:
		Determines requests made by Internet Browser to serve a web-page included in a Custom Category.
		Custom Categories applicable to the "Referring Web-Page" are added to the list of categories determined for the requested URL.
		The System Configuration section provides the option to enable / disable this behaviour.	
	HTTP Status and Error codes
		The HTTP status codes now sent to the web client have been re-organized for maximum conformance with Mozilla standards https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
		The HTTP status code sent to the web client will also be reflected in the corresponding lines of SafeSquid's Extended Log
		Note: All Requests blocked due to a policy configuration shall now reflect HTTP Status Code
			451: Unavailable For Legal Reasons
		The TCP_STATUS code in Extended log now ensures improved precision for debugging purposes:
			NONE:	The Client sent invalid request headers 
			TCP_MISS:	requested object not in the cache 
			TCP_HIT:	valid copy of object in cache 
			TCP_REFRESH_MISS:	stale copy of object failed validation, new content sent 
			TCP_REFRESH_HIT:	stale copy of object in cache was validated 
			TCP_REF_FAIL_HIT:	stale copy of object in cache couldn't be validated so stale copy sent 
			TCP_CLIENT_REFRESH:	request with no-cache pragma issued 
			TCP_IMS_MISS:	if-modified-since request sent and object was stale 
			TCP_IMS_HIT:	if-modified-since request sent and object was still fresh 
			TCP_DENIED:	access denied for request 
			TCP_DNS_FAILED:	DNS Resolution Failed 
			TCP_CONNECTION_FAILED:	Connection Failed
			TCP_CONNECTION_NOROUTE:	Connection to requested destination is not possible 
			TCP_TUNNEL:	A binary tunnel was established for this transaction
			TCP_ABORTED:	The response was not completed due to the connection being aborted (usually by the client). 
			TCP_TIMEOUT:	The response was not completed due to a connection timeout. 
			TCP_SSL_FAILED:	The SSL Handshake with remote server failed 
			TCP_AUTH_FAILED:	Client authentication Failed 
			TCP_BIND_FAILED:	The Bind Service is unresponsive 
			TCP_INVALID_RESPONSE:	The Client sent invalid request headers 
			TCP_AUTH_ABSENT:	Authentication Required But Not Provided in Client Request Headers 
			TCP_DENIED_COOKIES:	Cookies were stripped from the Request or Response Headers 
			TCP_INVALID_SSL_CERT:	The remote server presented invalid SSL certificate 
			TCP_SYSTEM_ERROR:	The application host system had errors 
			TCP_DENIED_WEBSOCKET:	Request for a Web-Socket was denied 
			TCP_SSL_HANDSHAKE:	SSL Handshake done with client
			TCP_INTERFACE:	Response for UI

		2 new templates have been added:
			"responsetimedout" : Server @HTTP_HOST@:@HTTP_PORT@ did not respond within @TIMEOUT@ seconds
				This is displayed to the client with HTTP Status Code 599, when the request is sent to the remote web server, but no response is received within the specified TIMEOUT period
			"connectiondropped" : Server @HTTP_HOST@:@HTTP_PORT@ closed connection abruptly
				This is displayed to the client with HTTP Status Code 521, when the connection to the remote web server is disrupted while we are awaiting a response.
	SSL Certificate Validation:
		By default SafeSquid considers files with extension ".crt" stored in "/usr/local/safesquid/security/ssl/trusted/" folder as Trusted Root CA Certificates.
		SafeSquid automatically updates periodically the file trusted-ca-certificates.crt in this folder.
		Any new .crt file copied into the folder will now be considered a Trusted Root CA Certificate and used without restart of the process.
		AIA fetching:
			Web-servers that send incomplete certificate chain during SSL handshake will be validated if the certificates are created with Authority Information Access indicating the URL of the CA Issuer.
			SafeSquid now extracts the CA Issuer URL from the certificate, fetches the required certificate, validates it against already Trusted Root CA Certificates.
			These certificates are also stored in the trusted certificates folder, for reuse in event of process restart.
	Processing Chunked Responses:
		By default chunked responses were not buffered to safeguard web browsing experience.
		Now SafeSquid "may" buffer encoded (compressed) chunked responses sent by web servers, if a policy matching the response is found.
		This increases the probability of discovering threats and inappropriate content in compressed responses.
		It is expected that CPU utilization may increase because of the increased in-memory sand-boxing for decompression and content inspection.
	Content Rewrite of Chunked responses:
		Some users requested an option to force buffering and processing of chunked responses with the Content Rewrite function.
		An option to enable this behaviour is now available in the SafeSquid UI.
		This option triggers buffering of chunked responses, even if they are not encoded.
	Identifying SafeSquid Instance
		For debugging in a clustered environment the HTTP response headers now show the instance ID of the SafeSquid instance that served the response as "X-SafeSquid-Instance"
	IP address of the remote web server
		The IP address of remote web server is logged as "peer" in the Extended log
	Using opensource log analyzers against SafeSquid's Extended log
		Modifying Custom Date Format in Extended Logs:
			Use any of the formats acceptable for strftime. Default is "%d/%b/%Y:%H:%M:%S". For unix timestamping set format to "%s"
			This is a startup parameter, and is effected at the start of SafeSquid process.
		Converting logs to popular Squid access log format
			Utility log_convert is now installed in /usr/local/bin
			the Extended log can be piped into log_convert to produce logs in the access log format.
BugFix:
	The Startup Params dialog in the SafeSquid UI did not display new startup parameters if introduced in an upgrade.


SafeSquid Secure Web Gateway 2022.0319.1457.3
---------------------------------------------
BugFix: Using "." as decimal separator caused abnormal termination in the image filtering module, on platforms that had incompatible locale.
BugFix: On heavily loaded systems Thread scheduling delay could increase the time taken to actually close FDs of sockets.
Enhancement: Service ID of the SafeSquid instance that handled the request is now included in the response headers for simplifying debugging at browser level.


SafeSquid Secure Web Gateway 2021.1216.1825.3
---------------------------------------------
BugFix: Illogical display of negated options for fields such as Added Profiles, Removed Profiles, etc.
BugFix: SSL errors when downloading content signatures.
BugFix: Fresh installations crashed when accessing WebUI via https://safesquid.cfg due to lack of appropriate SSL certificate.
Enhancement: Setting CPU_RESERVATION parameter to 1, will now pin the client socket, handling thread, and socket for the outgoing connection to the same CPU, improving performance.
Enhancement: Introduced a dedicated thread to monitor file changes, in real-time. Currently it is set to monitor only the VPN authenticated user database file for translating IP address to username.
Enhancement: Provision for displaying hints in WebUI to help creation of profiles referenced in multiple sections.


SafeSquid Secure Web Gateway 2021.1020.1704.3
---------------------------------------------
BugFix: Flush Text Analyzer cached results when section is reconfigured.


SafeSquid Secure Web Gateway 2021.1015.1501.3
---------------------------------------------
BugFix: Incorrect display of disk and memory usage by content cache
BugFix: Incorrect computation of age in caching functions
BugFix: Incorrect computation of md5 in caching journal function
BugFix: Incorrect computation of time in If-Modified-Since headers
BugFix: Semantic flaw in script invoked for SSO/Kerberos Microsoft Active Directory Integration
Note: Disk Caching for Content Caching has been disabled.


SafeSquid Secure Web Gateway 2021.0904.1613.3
---------------------------------------------
BugFix: If time taken for response from a remote web server exceeds the Buffer Wait Time specified in the matching entry of System Configuration, it could lead to abnormal termination if caching is enabled.


SafeSquid Secure Web Gateway 2021.0823.1511.3
---------------------------------------------
BugFix: Invalid username was found to result in an unhandled exception leading to abnormal termination.
The fix prevents the termination and responds with a 407 status code to the users.
Disabled TCP_USER_TIMEOUT
Experimental introduction of DNS based categorization.
Set DNS_CAT_ZONE to c.ssquid.in for test purposes.
Support for https://safesquid.cfg
Fixed statistics display


SafeSquid Secure Web Gateway 2021.0729.1821.3
---------------------------------------------
BugFix: A logical flaw in header-filtering section was discovered to cause disruption of config synchronization in master / slave clusters.


SafeSquid Secure Web Gateway 2021.0716.2221.3
---------------------------------------------
Optimized SSqore disk caching to prevent obstructions while cache is in use

SafeSquid Secure Web Gateway 2021.0709.1703.3
---------------------------------------------
Some users have complained of inability to modify configuration of the header filtering section via UI.
The symptoms observed suggest possibilities of some mutex locking failure.
Though we have not been able to replicate it, we have considered theoretical possibility of configuration document locks.


SafeSquid Secure Web Gateway 2021.0630.1858.3
---------------------------------------------
BugFix: config synchronization across clusters was failing due to a logical flaw in calculating time differential


SafeSquid Secure Web Gateway 2021.0601.1436.3
---------------------------------------------
BugFix: Synchronization of the SSL certificate expiry dates with that of the Intermediate CA certificate

SafeSquid Secure Web Gateway 2021.0529.2248.3
---------------------------------------------
BugFix: Length of serial number was found to violate RFC 5280
This flaw was discovered to impact only the MacOS users of Chrome Browser


SafeSquid Secure Web Gateway 2021.0511.2137.3
---------------------------------------------
Optimization: HTTP referer will be excluded from categorization
Added X509 extension for ExtendedKeyUsage to SSL certificates generated by SafeSquid
Optimization: Reduced CPU usage priority for nascent accepted connections
Optimization: Max Expiry of SSL Intermediate CA Certificate generated by SafeSquid now reduced to 366 days.
Optimization: Max Expiry of SSL Certificates generated by SafeSquid now reduced to 365 days.

SafeSquid Secure Web Gateway 2021.0507.1708.3
---------------------------------------------
BugFix: SSqore web site categorization logical error in hot cache timestamping could cause faulty mutex handling, leading to abnormal shutdown.
BugFix: SSqore cold cache buffer overflow when more than 2500 new URLs are added but cold cache flush is delayed.
Optimization: Reduced CPU utilization of ServerPool for caching connections to remote web servers.
Optimization: Reduced keep-alive for half-closed sockets to socket timeout. 


SafeSquid Secure Web Gateway 2021.0426.0036.3
---------------------------------------------
Enhancement: Introduced hot cache for SSqore web site categorization. Categorization latency should now be generally less than 0.1ms and in some exceptional case more than 1ms.


SafeSquid Secure Web Gateway 2021.0422.2048.3
---------------------------------------------
BugFix: Incorrect storage of client headers caused regex based entries for request profiling to fail.
Change: poll for data while buffering data from client connection is now level triggered instead of edge-triggered
BugFix: SSqore cache save mechanism was too aggressive and could cause bottle-necks


SafeSquid Secure Web Gateway 2021.0421.1528.3
---------------------------------------------
BugFix: Handling of Transfer-Encoding Chunked Requests without buffering in previous release was ineffective
Enhancement: Reuse of connection to remote web servers for POST requests


SafeSquid Secure Web Gateway 2021.0420.1835.3
---------------------------------------------
BugFix: Handling of Transfer-Encoding Chunked Requests without buffering.
Enhancement: Option in Access Restrictions to limit concurrent connections.
Enhancement: Upgrade to TLS 1.3
Enhancement: Asynchronous monitoring of Network Caches (Connection Pool and Client Pool)
Enhancement: Lockless Performance counters now eliminate bottle-necks experienced under heavy load.
Enhancement: Lockless Logging
Enhancement: Asynchronous Accept on Listen Sockets
Enhancement: Distribution of Listen / Accept on all CPU cores
Enhancement: Near Real-Time reporting of Data I/O in performance log. (previously bytes were reported only when sockets were closed)
Integration with OpenVPN: Generation of OVPN files for VPN clients
Integration with OpenVPN: Generation of server certificates for server
Option to set Cipher Suite (for TLS 1.3) and Cipher List for (TLS 1.2)
Performance now improves with larger connection pool size and connection pool timeout.
Faster SSL Handshakes with TLS 1.3

This release is built on Ubuntu 18.04 and marks end of support for operating systems with Linux Kernel older than 4.15
Optimizes benefits offered by kernel 4.15+ and OpenSSL 1.1.1 to improve CPU utilization.

Added new option to init script for purging old log files and sqlite DB file from disk.
/etc/init.d/safesquid space_clean [VAR_LOG_DIR|REPORT_DB_DIR] <condition>
specify either VAR_LOG_DIR|REPORT_DB_DIR to clean the /var/log/safesquid partition or the partition holding /var/db/safesquid/reports respectively.
condition is the maximum percentage of disk use acceptable.
For example to remove old files in the /var/log/safesquid to reduce the disk utilization to 80%: 
/etc/init.d/safesquid space_clean VAR_LOG_DIR 80
Rules added to the Monit configuration to execute init script feature every 5 minutes.
The TCP Tuning invoked by the init script previously interpreted SEND_SOCKET_BUFFERS & RECEIVE_SOCKET_BUFFERS to set net.ipv4.tcp_wmem[2] & net.ipv4.tcp_rmem[2] limiting max socket buffer sizes. Now they are interpreted to set net.ipv4.tcp_wmem[1] & net.ipv4.tcp_rmem[1] thus set the default socket buffer sizes.

Logging subroutine is now lockless, eliminating the choking witnessed in earlier releases due to logging on heavily loaded servers.

SafeSquid is now built with OpenSSL 1.1.1d. This upgrade from the 1.0.2q used for previous releases, now enables TLS1.3 support.
"ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM" is set as the default cipherlist used for client & server communication.
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" is the default ciphersuite.
Future releases shall provide startup parameters to specify alternative cipherlist / ciphersuite.

Connection Caching and HTTP Multiplexing subroutines now use Asynchronous Polling.
SafeSquid now offers increased efficiency with higher connection pool timeouts.
Asynchronous Polling is also used for key network I/O subroutines.

Improved detection and automatic re-download of updates and upgrades in events of connection drops or such errors.
Threads running in background for house-keeping try to defer their subroutines enabling favouring of threads servicing the client connections.
SafeSquid process now waits for setup of house-keeping threads before progressing at the time of starting up. Crashes were witnessed in previous releases, when run on slow systems.

In previous releases, reporting of bytes read/written by sockets into the performance log was deferred until the sockets were closed.
This reporting is now done at 128KB until the socket is closed or immediately cached in an idle state.
This should provide a better visualization of data I/O for tunnelled connections.



SafeSquid Secure Web Gateway 2021.0413.2236.3
---------------------------------------------
Rebuilt the previous release to fix anomalies caused by failures in release commits.


SafeSquid Secure Web Gateway 2021.0412.2154.3
---------------------------------------------
BugFix: Disabled buffering of POSTDATA when client uses chunked encoding, to ensure application stability.
Future versions will provide a feature to control uploads via chunked encoding.
Monit configuration updated to remove oldest files if disk partition has less than 20% free space


SafeSquid Secure Web Gateway 2021.0217.1636.3
---------------------------------------------
Minor BugFix: URL encoding in UI JavaScript function for handling special characters in user supplied data for password encryption.


SafeSquid Secure Web Gateway 2021.0208.1440.3
---------------------------------------------
Independent thread to manage stale privileged bypass records.
Independent thread to reset limitgroup counters.
Avoid buffering POSTDATA into memory when connection requires authentication.
BugFix: Parsing If-Modified-Since request headers for SafeSquid UI
BugFix: Logical error in detecting misconfigured LISTEN_CPUS startup parameter.
Upon startup SafeSquid now records the last modified date of the config.xml as the document modified time for referencing during sync'ing
SafeSquid now sends the last recorded document modification time as If-Modified-Since in request headers for config sync'ing
BugFix: Prevent crashes in CPU starved systems when logging threads need time to get started.


SafeSquid Secure Web Gateway 2021.0122.1537.3
---------------------------------------------
Early detection of client disconnection while fetching response from remote web servers.
CPU optimization in network I/O.
BugFix: Client Connection is not kept alive when blocked by access restrictions.

SafeSquid Secure Web Gateway 2020.1226.1848.3
---------------------------------------------
Proxy-Authentication now accepts usernames with special characters !()_`~#$%^& and -.@\\
The second set of special characters however should not be the first character of a username.
The username may now also contain any UTF-8 characters (>= 0xC0)

SafeSquid Secure Web Gateway 2020.1207.1620.3
---------------------------------------------
Enhancement: In earlier releases TCP_DEFER_ACCEPT was set to tcp_keepintvl_time for the listening sockets, reflecting on all the accepted connections.
This could lead to connections occupying FDs while hung in SYN_RECV state in noisy or chaotic environments.
This is now a configurable option. CLIENT_DEFER_ACCEPT parameter set in startup parameters shall now be used to set TCP_DEFER_ACCEPT.
Setting it to zero shall disable setting the TCP_DEFER_ACCEPT entirely.
By default it is now set to zero, unless specified in the startup parameters.


SafeSquid Secure Web Gateway 2020.1130.1625.3
---------------------------------------------
BugFix: Detected race condition in the self-monitor thread introduced in 2020.0928.1506.3.
The self-monitor thread was a part of the performance logging object, and now it is an independent sub-routine.


SafeSquid Secure Web Gateway 2020.1127.2149.3
---------------------------------------------
BugFix: Fixed Handling of SIGCHLD signal. Flags set to SA_NOCLDSTOP | SA_NOCLDWAIT | SA_RESTART, and the handler set to report only.
Date field in all SafeSquid generated response headers now assured in GMT time.
If-Modified-Since headers now fixed to determine proper GMT time of existing files
Cookies with errors such as bad date format shall be suffixed with Max-Age=-1 and trigger eviction of such cookies from browser.
Supports fetching compressed files for all updates and signature downloads
Update of Content Detection Signatures is now done asynchronously to prevent delays in SafeSquid starting to accept connections on process startup

SafeSquid Secure Web Gateway 2020.1123.1259.3
---------------------------------------
BugFix: A logical flaw in the previous release caused crashes when server connection pool overflowed.
SafeSquid now raises SIGSYS signal to notify anomalous behavior that requires a process restart
Optimized eviction of idle client connections.
FIN_WAIT timeout for both connected and accepted sockets is now set to 1 second.
Introduced TCP_USER_TIMEOUT for all accepted connections. It is automatically set to the SOCKET_TIMEOUT specified in the startup parameters.
Signal handler now explicitly ignores SIGPIPE, enabling quick detection of write failures.
Fixed init script to prevent hanging in event of failed starts.

SafeSquid Secure Web Gateway 2020.1102.1748.3
---------------------------------------------
Graceful blocking of WebSockets
Support for Keep-Alive timeout HTTP headers to improve network connection caching efficiency
SafeSquid now intimates both the client (Socket Timeout) and the server (Connection Pool Timeout) about the timeout desired.
Improved logging of internal threads for easy debugging.
Preloading and caching of custom templates for fast blocking response
Send Date in HTTP headers when a request is served with a blocking response
Idle client connections are now maintained in the pool as per the Connection Keep-Alive Timeout set in the System Configuration
The cleaning cycle of Server connection pool now dynamically adjusts to scavenge idle connections that outlive the timeout.
Eliminated some redundant SSL data read validations for CPU optimization


SafeSquid Secure Web Gateway 2020.1013.0759.3
---------------------------------------------
Detection and Prevention of SSRF attacks
Optimized DNS purge events
SSL updates now fetched from https://sslupdates.safesquid.com/
Handle EMFILE like ENFILE event to trigger closure of idle connections
Compensate for slow networks when getting HTTP response headers from remote web servers
Set clockskew = 86400 in dynamically produced krb5.conf to accommodate clients with bad time sync.
Handle race condition when native logging statements are called before the loggers are setup
Rationalized template selection for some of the connection failure events
In templates for HTTP status codes 503 and 429, SafeSquid includes a Retry-After set to 360 seconds

SafeSquid Secure Web Gateway 2020.1001.1833.3
---------------------------------------------
Minor Change: removed redundant log statements
Minor Change: removed redundant error checks
BugFix: Detect corrupted download of security updates
BugFix: Erratic replication of unfiltered headers sent to remote web servers
Enhancement: Automatic detection of IPv6 connectivity

SafeSquid Secure Web Gateway 2020.0928.1506.3
---------------------------------------------
BugFix: Parsing Date in Cookies
BugFix: Reduce CPU overheads when network congestion may choke throughput
BugFix: Avoid compression when response data is less than 1400 bytes
Enhancement: Improved caching of URL categorization
Enhancement: Advertises TCP_KEEPIDLE_TIME as keepalive timeout to clients in HTTP headers, and keeps the connections alive appropriately.
Enhancement: Headers to and from remote web servers now filtered just before sending, instead of immediately upon getting them.
Enhancement: Self-monitor thread detects conditions when the process is heavily loaded


SafeSquid Secure Web Gateway 2020.0904.1519.3
---------------------------------------------
BugFix: logical error in handling disconnected client when watching logs on the UI.
BugFix: insufficient wait before disconnecting a client after sending data when the connection is not set to keepalive.


SafeSquid Secure Web Gateway 2020.0902.1515.3
---------------------------------------------
LISTEN_IP * prevented SafeSquid from binding on all IPs if IPv6 is disabled on the system
Changed default LISTEN_IP in setup.ini to "0.0.0.0"
This is a temporary fix until SafeSquid can automatically detect IPv6 and adjust.

SafeSquid Secure Web Gateway 2020.0901.1723.3
---------------------------------------------
Bugfix: piping ulimit command to logging in init script caused the command to be ineffective
Change: ASSERT logs are now tagged as error_check
Bugfix: redundant calls to alter TCP_KEEPALIVE for idle connections were causing increased network traffic for ACK packets
Enhancements: 
linger_off is now set when poll() detects errors like POLLRDHUP, POLLHUP, etc.
client is notified of keepalive timeout value in response headers
the self-monitoring thread now updates pidfile timestamp only when internal processes report some activity, or no request handling thread is alive
linger_off is now set on listening socket fds to safeguard against any connections stuck in LAST_ACK state, of older process.
wait for SOCKET_TIMEOUT seconds before moving an active connection to idle pool


SafeSquid Secure Web Gateway 2020.0820.2025.3
---------------------------------------------
Optimized init script to reduce verbosity
Optimized setup script to check dependency libraries
Optimized monit configuration
Removed unwanted logging statements when safesquid is running in debug mode


SafeSquid Secure Web Gateway 2020.0711.2255.3
---------------------------------------------
This is a conceptual release to fix incorrect calculation of header length


SafeSquid Secure Web Gateway 2020.0708.2340.3
---------------------------------------------
This is a conceptual release to identify abnormal behavior with some ICAP servers when handling zero-sized body


SafeSquid Secure Web Gateway 2020.0624.1916.3
---------------------------------------------
This is a conceptual release for troubleshooting timeout related problems reported by a user
Enhancement: Optimize various logging functions
Enhancement: Optimized ICAP service scanning for failure recovery

SafeSquid Secure Web Gateway 2020.0618.1813.3
---------------------------------------------
This is a conceptual release for troubleshooting timeout related problems reported by a user

SafeSquid Secure Web Gateway 2020.0616.1735.3
---------------------------------------------
This release contains minor BugFixes.

BugFix: ICAP server socket timeout to honor the user configuration
BugFix: timeout to get response headers from remote web servers was set to startup parameter TCP_KEEPINTVL_TIME instead of user-configured header timeout
BugFix: connection timeout for remote web servers was set to startup parameter TCP_KEEPINTVL_TIME instead of user-configured connection timeout
BugFix: Flag for S_CHECK_SSL_PENDING was set prior to the completion of the SSL handshake process
BugFix: Do not retry when user has requested a file upload and the remote server does not respond.

SafeSquid Secure Web Gateway 2020.0305.1433.3
---------------------------------------------
Updating the URL Categorization (SScore) and Anti-Malware (SvScan) modules required manual intervention.
Setup now supplants outdated modules automatically.

The names of some web categories have changed.
Users shall be required to erase references to older category names and use the new names.
This does not impact the names of the private categories created by the users.

Defence against emerging Firewall attacking threats.
SafeSquid now avoids cloud lookup for categorization of ill-formed FQDN requests.


SafeSquid Secure Web Gateway 2020.0213.1725.3
---------------------------------------------
SafeSquid supports integration with multiple Active Directories.
Users can specify all the domains and their respective Active Directories in the UI for LDAP configuration.
SafeSquid automatically generates the keytabs required to accomplish the integration, enabling Kerberos/SSO authentication for all the users across the domains.
Users that have multiple Active Directory services but use the same instance of SafeSquid discovered that the keytab was produced only for the first Directory Service listed in the configuration.
The flaw was rooted in a shell script that SafeSquid invokes to produce the keytabs.
This script is executed only to produce the keytabs.
The bug is now fixed, and users can seamlessly integrate with multiple Active Directory services.
The fix also makes the domain name assigned to the host during the initial setup non-critical.
However users need to ensure the domain controllers are time-sync'd.
In a future release the mechanism should be able to raise better alerts and diagnostic information for such discrepancies.

The mechanism of generating SSL certificates for HTTPS inspection was updated with the release of SafeSquid SWG-2019.1115.1826.3
Ensuring fidelity of SSL certificates in a load balanced cluster, was an important feature of this release.
The mechanism uses intermediate CA, and serves the entire certificate chain to clients ensuring protocol adherence.
It was discovered that SafeSquid could inadvertently load the entire chain multiple times, which could overwhelm the clients.
As a result users could be presented with protocol violation alerts by the web browsers, and required to refresh web pages.
SafeSquid now re-orders the chain, eliminating such violation.

SafeSquid UI facilitates upload of configuration.
Users are expected to upload a valid xml file structured as per config.xml.
Uploading unacceptably structured files, resulted in invocation of SafeSquid's ASSERT method, leading to process termination.
The mechanism has now been altered to validate usability of the uploaded configuration file.
Non-xml files will now be detected and seamlessly ignored.

Users discovered the URL command xx--password could be abused to cause abnormal termination of the SafeSquid process.
A logical flaw was discovered to be the root cause of the vulnerability, and has been fixed.

SafeSquid Secure Web Gateway 2020.0131.1457.3
---------------------------------------------
SafeSquid now handles content-encoding gzip and deflate in POST requests.
More Web2.0 applications now use this method to reduce network bandwidth.
SafeSquid now decompresses such uploads to enforce upload policies implemented in the DLP section, and Image Filter section.

SafeSquid now analyzes and stores the mime-type of POST data, when it splits the multipart mime, preventing repeated call for mime-type checking.
This should make DLP usage more efficient.

A vulnerability was detected in the sub-routine that analyzed base64 encoded POST data.
This could cause ill-formed base64 POST data to crash SafeSquid process.
This has now been fixed.

SafeSquid Secure Web Gateway 2020.0117.1422.3
---------------------------------------------
BugFix: Users reported too many connections hanging in CLOSE_WAIT state.
The problem was traced to SafeSquid waiting for the peer's "close notify" response when SSL_shutdown is called.
This is a standard TLS protocol requirement.
However the response can take an extremely long time in heavily loaded networks that witness packet drops.
SafeSquid now adopts the "quiet shutdown" mode for connections that are detected to have been closed or broken.


SafeSquid Secure Web Gateway 2020.0108.1756.3
---------------------------------------------
BugFix: Detection of client POST requests that timeout before sending POSTDATA.
Users reported high CPU utilization in such events due to SafeSquid continuing to attempt getting response from the web-server.
SafeSquid now immediately terminates client connections that do not send POSTDATA within the timeout settings.


SafeSquid Secure Web Gateway 2020.0102.1331.3
---------------------------------------------
Introduced new tunables:
* Startup parameter: SOCK_MEM - Upper limit Percentage of Memory for TCP Stack. Decrease this if system is memory starved. Default: 50.
* Startup parameter: HEAP_MEM - Percentage of Memory to reserve for Heap. SafeSquid will automatically reduce the MAXTHREADS to ensure sufficient memory is available for I/O and various data caches. Decrease this if system is memory starved. Default: 66.
This gives users control over the safety feature introduced in 2019.0925.2004.3 to limit the concurrent threads created below MAXTHREADS.
* Send Debugging Headers To: Vital debugging information like application of profiling and filtering policies can be included in the HTTP protocol headers. Specify if this information should be sent to client, server, both or none.

Changes:
Startup Parameter: SEND_SOCKET_BUFFERS was used for setting a fixed wmem size for sockets. It shall now set the upper limit for socket wmem.
Startup Parameter: RECEIVE_SOCKET_BUFFERS was unused. It shall now be used to set the upper limit for the socket rmem.
The tcp_tune.sh script invoked by the safesquid init script, now uses startup parameters - SOCK_MEM, SEND_SOCKET_BUFFERS, RECEIVE_SOCKET_BUFFERS and MAX_CONCURRENT to calculate various sysctl parameters for TCP tuning.

Optimizations:
Reduced use of stack memory.
Improved adherence of SOCKET_TIMEOUT for defending against DoS.

BugFix: 
* Detection of cookie expiry date
* Stripping invalid characters from category names and access profiles entry comment.

SafeSquid Secure Web Gateway 2019.1202.1333.3
---------------------------------------------
BugFix: logical flaw in assigning threadid was causing abnormal behaviour on Ubuntu 18.04
BugFix: Browsing FTP sites was impacted as SafeSquid proceeded to perform FTP handshake before receiving the initial 220 Response Header
Enhancement: Optimization of CTX pool for handling SSL clients, to reduce memory utilization and OpenSSL's mutex contentions.

SafeSquid Secure Web Gateway 2019.1125.1346.3
---------------------------------------------
* Detection of youtube-nocookies.com for categorization
* Acceptance of "-" in Youtube developer keys

This release contains minor hot-fixes for Youtube Categorization.

The previous releases categorized videos only from youtube.com.
They did not categorize videos when users access youtube-nocookies website.
This was because the applicability was restricted to URLs matching youtube.com/watch?
The logic controlling applicability of the Youtube Categorizer has now been altered.
The new logic covers youtube-nocookies.com.

The previous releases rejected youtube keys that contained "-" character.
SafeSquid now accepts youtube keys that may have "-" character.

SafeSquid Secure Web Gateway 2019.1115.1826.3
---------------------------------------------
This release focuses on scalability issues, and other challenges pertaining to HTTPS inspection in large user networks.

HTTPS inspection requires proxy servers to generate fake SSL certificates for intercepted websites.
Malware can detect the presence of such proxy servers, and generate requests for random sites, to perpetrate DDoS attacks.
This would cause proxy servers to spend much CPU and storage resources for generating and storing useless fake SSL certificates.
The result can be quite overwhelming for the proxy service.
SafeSquid validates genuineness of the requested website, before generating the required fake SSL certificates.
A new generation of malware that could request for hundreds of such sites, is expected.
A new startup parameter FORCE_SNI has been introduced to further galvanize defence against such attacks.
Enabling this parameter causes SafeSquid to generate SSL certificates only after the client proceeds with the TLS handshakes.
By default the parameter is set to "0" (disabled), to allow proxy service for web clients that may not be SNI aware.
In environments where only SNI aware web clients are to be considered valid, enabling this feature improves defence against such malware.
It is intended to set this parameter to "1" (enabled) by default in future releases.
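
One way to picture the FORCE_SNI gate, as an added example that is not SafeSquid's code: read the client's first TLS record and treat the connection as a candidate for certificate generation only if a ClientHello carrying a server_name extension actually arrives. That the gate keys on the server_name extension is an assumption drawn from the parameter name; `client_hello_sni` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked cursor: a read fails instead of running past the end. */
struct cur { const uint8_t *p; size_t left; };

static int take(struct cur *c, size_t n, const uint8_t **out)
{
    if (c->left < n)
        return -1;
    *out = c->p;
    c->p += n;
    c->left -= n;
    return 0;
}

/* Read a big-endian length of `width` bytes, then carve out that many bytes. */
static int sub(struct cur *c, size_t width, struct cur *child)
{
    const uint8_t *b;
    size_t n = 0;
    if (take(c, width, &b))
        return -1;
    for (size_t i = 0; i < width; i++)
        n = (n << 8) | b[i];
    if (take(c, n, &b))
        return -1;
    child->p = b;
    child->left = n;
    return 0;
}

/* Returns 1 and fills `name` if the ClientHello carries a host_name,
 * 0 if it is well formed but has none, -1 if malformed or truncated.
 * Assumes the whole ClientHello sits in one TLS record. */
int client_hello_sni(const uint8_t *buf, size_t len, char *name, size_t cap)
{
    struct cur rec = { buf, len }, hs, body, skip, exts, ext, list, host;
    const uint8_t *b;
    /* Record layer: content type 22 (handshake), version, 16-bit length. */
    if (take(&rec, 3, &b) || b[0] != 22 || sub(&rec, 2, &hs))
        return -1;
    /* Handshake header: type 1 (ClientHello), 24-bit length. */
    if (take(&hs, 1, &b) || b[0] != 1 || sub(&hs, 3, &body))
        return -1;
    /* client_version (2) + random (32), then session_id, cipher_suites
     * and compression_methods, each a length-prefixed vector. */
    if (take(&body, 34, &b) || sub(&body, 1, &skip) ||
        sub(&body, 2, &skip) || sub(&body, 1, &skip))
        return -1;
    if (body.left == 0)
        return 0;                       /* no extensions at all */
    if (sub(&body, 2, &exts))
        return -1;
    while (exts.left > 0) {
        if (take(&exts, 2, &b) || sub(&exts, 2, &ext))
            return -1;
        if (b[0] != 0 || b[1] != 0)
            continue;                   /* not server_name (type 0) */
        if (sub(&ext, 2, &list))
            return -1;
        while (list.left > 0) {
            if (take(&list, 1, &b) || sub(&list, 2, &host))
                return -1;
            if (b[0] != 0)
                continue;               /* not a host_name entry */
            if (host.left == 0 || host.left >= cap ||
                memchr(host.p, '\0', host.left))
                return -1;              /* empty, oversized or embedded NUL */
            memcpy(name, host.p, host.left);
            name[host.left] = '\0';
            return 1;
        }
        return 0;
    }
    return 0;
}

/* Constructed ClientHello (not a capture) offering SNI "example.com". */
static const uint8_t SAMPLE_HELLO[] = {
    0x16, 0x03, 0x01, 0x00, 0x43, 0x01, 0x00, 0x00, 0x3f, /* record 67; hello 63 */
    0x03, 0x03,                        /* client_version, then 32-byte random */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00, /* session_id, suite, compression */
    0x00, 0x14, 0x00, 0x00, 0x00, 0x10, /* extensions 20; server_name ext 16 */
    0x00, 0x0e, 0x00, 0x00, 0x0b,      /* list 14 bytes; host_name, 11 bytes */
    'e','x','a','m','p','l','e','.','c','o','m'
};

int main(void)
{
    char name[256];
    int rc = client_hello_sni(SAMPLE_HELLO, sizeof SAMPLE_HELLO, name, sizeof name);
    printf("rc=%d sni=%s\n", rc, rc == 1 ? name : "(none)");
    return 0;
}
```

A return of 0 (well-formed hello, no SNI) is the case the default FORCE_SNI "0" setting exists to keep serving.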

Previous releases of SafeSquid SWG generated an SSL certificate for each unique FQDN that was intercepted for HTTPS inspection.
This required a substantial use of disk storage space and also in-memory cache.
The mechanism has been altered with this release.
SafeSquid now generates wild-card SSL certificate for a sub-domain, reducing the storage requirements, inode memory usage, and also RAM.

SafeSquid now avoids serial number overlaps in fake SSL certificates by creating an intermediate CA for each SafeSquid instance.
The intermediate CA certificate is signed with the Trusted Root CA keypair setup on SafeSquid's self-service portal.
A common key is then generated to pair with all the fake SSL certificates generated by the SafeSquid instance.
The common key and intermediate CA are unique to each SafeSquid instance.
SafeSquid serves the full trusted chain including the Trusted Root CA certificate, thus giving a seamless experience to the clients.

The SSL cache cleaning frequency has now been reduced to 3600 seconds (1 hour).
All SSL artefacts that were not used in the past hour are automatically evicted to prune memory usage.

In a future release the SSL artefacts cache will be further optimized for speed and memory utilization.

This release also incorporates a few other minor bugfixes and enhancements.


SafeSquid Secure Web Gateway 2019.1105.1428.3
---------------------------------------------
Enhancement: Improved connection pool performance
Enhancement: Optimized connection closing management to boost performance of request handling threads


SafeSquid Secure Web Gateway 2019.1026.1608.3
---------------------------------------------
Users observed extremely large pile-up of connections queued up for closing.
This was traced to long durations involved in the SSL shutdown protocol.
SafeSquid now just sets the SSL shutdown state, instead of invoking the complete shutdown protocol.
This behavior shall be changed in future when a better mechanism can be implemented to avoid the latency.

The ServerPool that maintains idle connections to remote web-servers, for reuse is now moved to the heap memory
The legacy use of stack memory caused huge delays in release of unused memory.
This should improve memory optimization.

Users can now alter the update frequency as per their individual needs.
This frequency is now a configurable start-up parameter.
The users can also trigger updates by sending signal USR1 to the SafeSquid process.

The setup script has been minimally altered to support installation on Red-Hat Linux distributions.

SafeSquid Secure Web Gateway 2019.1022.1338.3
---------------------------------------------
* Users reported abnormal termination of socket.
	This was traced to faulty logic in handling unexpected socket disconnection while receiving headers from the peer connection.
	The fix now handles the connection disruption gracefully, and also quickly.
* Users discovered the feature of specifying IP address for outbound connections was broken.
	This was traced to an inadvertent bypass of the routine that performed the lookup of the Interface subsection of the Network Section.
	This has been fixed and the relevant logging operation has been optimized for performance.
* Users observed CPU saturation in event of large concurrent disconnections
	The threads handling connection closures are now high priority threads but will "intelligently" yield their time slice allowing CPU resources to other threads.
	

SafeSquid Secure Web Gateway 2019.0925.2004.3
---------------------------------------------
We noticed a rise in web-applications that use half-closed connections.
This can be dangerous for Web-Proxy servers that support persistent connections.
An advanced low-level socket manager has now been implemented to handle half-closed connections.
This also improves reliability in delivering response to half-closed client connections. 
The new low level socket manager intelligently optimizes I/O operations for better CPU performance.

Users reported incompatibility of SafeSquid with web-sites that used Authorization: Bearer XXXX in the HTTP response headers to validate users.
This incompatibility resulted from SafeSquid's intervention of these headers and handling it as required for HTTP status code 401 Authenticate.
This intervention has been modified to permit exchange of Authorization Headers irrespective of HTTP Status Code.

In HTTPS connections, the use of half-closed connections is harder to detect, and makes Web-Proxy servers easier to exploit.
This caused SafeSquid to create threads leading to application saturation.
A new logic has now been introduced to limit use of System Memory to 33% for thread stacks.
Thus on a host with 8GB RAM, SafeSquid will limit itself to use of only (8 / 3) = 2.7GB RAM for allocating Thread Stacks.
Thus if SafeSquid is set to a stack size of 21 (i.e. 2^21 = 2MB), it will not create more than 1365 concurrent threads.
While this limits the number of concurrent active connections, it does not directly limit the idle connections.
This enables SafeSquid to drop connections instead of causing application saturation.
It is proposed to offer SafeSquid users a better control over this feature, in future releases.


Eliminated overlapped logging of various events for easier understanding.
Logs now depict ephemeral socket IP:PORT activity


SafeSquid Secure Web Gateway 2019.0806.1738.3
---------------------------------------------
* Enhancement: Added factors for reliable creation of Application Signatures.
* Enhancement: Users can override Application Signatures with Custom Request Types.
* Increased session cache clean cycle to 8 days.
* Detect client closure when retrying a failed connection to remote web server.
* Prioritize threads - listen_and_accept threads get high priority, request handling thread gets mid-priority, and threads handling clientpool and serverpool get low priority.
* Prevent repeated logging when client stops writing but is still waiting to get data from web server.
* Introduced a delay of 100ms when retrying in event of DNS resolution failure.
* Improved detection of closed or hung connections.
* BugFix: Memory leak when SSL clients close connection, in events of blocking, before the template is served.
* BugFix: Incorrect detection of private categories.
* BugFix: Restored support for automatic retry if remote web server drops connection before receiving request headers.


SafeSquid Secure Web Gateway 2019.0623.2332.3
* Support for YouTube Category Control
* BugFix: Incorrect CPU pinning
* Increased flush period of Result Caches from 6 minutes to 30 minutes

SafeSquid Secure Web Gateway 2019.0604.1842.3
* Reduced latency in accepting new connections
* BugFix: Determination of hostname TLD
* Reduced aggression of CPU utilization when networks may be saturated
* Support for proxy-aware user-agents without SNI support

SafeSquid Secure Web Gateway 2019.0401.1624.3
* Prevent blocking of POST requests in DLP if accompanied with text content.

SafeSquid Secure Web Gateway 2019.0329.1502.3
* BugFix: Detection of closed peer connection when buffering response from remote web server

SafeSquid Secure Web Gateway 2019.0326.1652.3
* flush SSL_CTX cache used for SNI
* disable session caching in SSL_CTX used for SNI
* fix vulnerability in file lookup on disk
* fix bug in detection of old files when downloading updates
* fix bug in cookie reconstruction
* fix bug in handling Range in HTTP response headers
* optimize memory utilization of SSL cache stores
* improved DoS detection when client sends a request but closes connection before reaching logical milestones


SafeSquid Secure Web Gateway 2019.0206.1745.3
* Introduced extra debugging information in client response headers
* Optimization of web server response header profiling
* BugFix: SafeSquid failed to block downloads of files when policies were created on basis of content type.

SafeSquid Secure Web Gateway SWG 2019.0131.1958.3
* Debugging information in response headers to client
Validating profiling and application of relevant policies can now be done by just looking at the response headers sent to clients.

SafeSquid Secure Web Gateway SWG 2019.0129.1437.3
* SSL error handling to compensate network delays in handshake in heavily loaded networks

SafeSquid Secure Web Gateway SWG 2019.0128.0042.3
* Memory Optimization
* SNI is now default behavior

SafeSquid Secure Web Gateway SWG 2019.0121.0018.3
* performance optimization 

SafeSquid Secure Web Gateway SWG 2019.0109.2045.3
* read residue data in TCP stack before closing socket descriptor
* display tabulated connection information in logs like output of netstat command for inbound and outbound connections
* countermeasures for DDoS attacks designed to overwhelm SSL servers
* minor enhancements to accelerate connection acceptance


SafeSquid Secure Web Gateway SWG 2018.1231.2157.3
* Minor BugFixes
* Optimized log statements


SafeSquid Secure Web Gateway SWG 2018.1227.1658.3
* Introduced support for SSL session tickets
	SafeSquid now supports use of SSL session tickets in accepted connections
	Startup Parameter "USE_SESSION_TICKETS" is set to "0" by default, set it to "1" to enable this feature
* SSL Session Timeouts increased from 6 minutes to 1 Day
	The SSL sessions now have longer timeouts, to reduce protocol renegotiation


SafeSquid SWG 2018.1219.1504.3 released
* minor optimization in thread startup for SSL
* BugFix: download of incorrect default configuration
* Vulnerability Fix: username encoding for invalid usernames

SafeSquid SWG 2018.1218.1818.3 Released
* Fixed vulnerability in handling IP based SSL Web-sites.
	It was observed that SafeSquid was creating inaccurate certificate for IP based SSL Web-sites.
	Identified vulnerability and fixed.
	
SafeSquid Secure Web Gateway SWG 2018.1209.2147.3
* Performance Optimization
* BugFix: Dashboard reports display when web categories contain special characters like "&"

SafeSquid SWG 2018.1205.1507.3 released
* Minor bugfix to correctly identify port in Request Headers

SafeSquid SWG 2018.1204.1921.3 released
* Optimized SSL Memory Utilization
Some users had reported abnormal memory utilization patterns.
This was caused by the incremental accumulation of OpenSSL's error message queues.
SafeSquid now has a better ability to flush such queues.
Users in heavily loaded environments can take further advantage of this by increasing THREAD_TIMEOUT values in the start-up parameters.

* The SSL context and session eviction algorithms implemented in the previous release, have been further optimized.
The optimization enables SafeSquid to intelligently extend the age of more heavily used SSL contexts and sessions.
This enhancement enables further reduction of SafeSquid's memory foot-print.

* Vulnerabilities that could lead to abnormal termination of SafeSquid were detected.
** It was found that a hacker could successfully cause SafeSquid to crash by engineering a request to web-sites with FQDN longer than 2730 characters.
The flaw could be exploited by making such malafide requests using tools such as Curl.
** It was found that a hacker could engineer a buffer overflow, if SafeSquid was configured to use LDAP services for user validation, when Kerberos Authentication was not enabled.
The attack required hackers to respond to authentication challenges with usernames longer than 512 characters.
Both of the above vulnerabilities have been fixed.

A minor bug that could disrupt SafeSquid's automatic log rotation mechanism was also detected and fixed.
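
Both crashes in this release came from request fields longer than the code expected: an FQDN over 2730 characters and a username over 512. The following added example (not SafeSquid's code) shows the defensive shape of such a fix, checking length and form before anything is copied or looked up, which is also the kind of pre-check behind skipping cloud lookups for ill-formed FQDNs in 2020.0305.1433.3. The DNS limits of 253 and 63 characters, the 512-character username bound, and the function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FQDN_MAX  253   /* DNS limit for a host name in text form */
#define LABEL_MAX  63   /* DNS limit for a single label */
#define USER_MAX  512   /* assumed bound, taken from the figure in the note */

/* Returns 1 if `host` (len bytes, need not be NUL-terminated) is a
 * well-formed host name: letters, digits, '-' and '.', no empty labels,
 * no label starting or ending with '-', within the DNS length limits. */
int fqdn_is_well_formed(const char *host, size_t len)
{
    size_t label = 0;   /* characters seen in the current label */

    if (len > 0 && host[len - 1] == '.')    /* tolerate one trailing root dot */
        len--;
    if (len == 0 || len > FQDN_MAX)          /* length checked before any scan */
        return 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label == 0 || host[i - 1] == '-')
                return 0;                    /* empty label or one ending in '-' */
            label = 0;
            continue;
        }
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (!alnum && c != '-')
            return 0;                        /* control, space, '/', 8-bit, ... */
        if (c == '-' && label == 0)
            return 0;                        /* label starting with '-' */
        if (++label > LABEL_MAX)
            return 0;
    }
    return label > 0 && host[len - 1] != '-';
}

/* Copies a username of `len` bytes into a fixed buffer. Oversized input is
 * refused, never truncated, so a different identity cannot be produced by
 * cutting the name short. Returns 0 on success, -1 if refused. */
int copy_username(char dst[USER_MAX + 1], const char *src, size_t len)
{
    if (len == 0 || len > USER_MAX)
        return -1;
    if (memchr(src, '\0', len) != NULL)      /* embedded NUL hides a suffix */
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: one ordinary host, one oversized host of 2731 bytes. */
    static char big[2731];
    char user[USER_MAX + 1];
    memset(big, 'a', sizeof big);
    printf("www.example.com -> %d\n", fqdn_is_well_formed("www.example.com", 15));
    printf("2731 x 'a'      -> %d\n", fqdn_is_well_formed(big, sizeof big));
    printf("copy alice      -> %d\n", copy_username(user, "alice", 5));
    return 0;
}
```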


SafeSquid SWG 2018.1019.1803.3 released
* Optimized memory utilization
* SafeSquid now automatically evicts SSL contexts and sessions when not used for 6 minutes


SafeSquid SWG 2018.0924.1451.3 released
* Detection of half-closed web-server connections in tunnels.

SafeSquid SWG 2018.0921.1903.3 released
* Policy based blocking of HTTPS web-sites was discovered to be over-ridden if HTTPS Inspection was disabled.
This was caused due to SSL inspection bypass, also bypassing the sending of blocking template instead of the actual content.
Now in event of blocking an HTTPS web-site:
** if HTTPS section is enabled, but matching entry is set to bypass SSL inspection, then SSL encryption is initiated on the client connection, and template is sent.
** if HTTPS section is disabled, unencrypted template is sent to the users.
* Some web-servers prefer brotli compression, this mechanism is not handled by SafeSquid.
This caused bypassing of the real-time security scanners. 
SafeSquid now hides the acceptability of brotli compression in the request headers sent to the web-server.
This forces the web-servers to serve only gzip / deflate based compression, which can be elegantly handled by SafeSquid and the content can be screened by real-time scanners.
* The HTML code of the template rendered in event of blocking due to policies was discovered to be flawed.
This caused incorrect rendering of the template, in event of request being blocked due to a policy that had multi-line comments containing CR/LF.
The flawed rendering suggested to the users that they have the privilege to bypass and continue accessing the blocked website.
The user is however prevented from proceeding by a subsequent template.
This has now been fixed.
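
The brotli item above (hiding `br` from the request headers so that servers fall back to gzip / deflate) amounts to rewriting the Accept-Encoding value before it leaves the proxy. The following is an added example, not SafeSquid's code; the function names and sample header values are constructed, and appending `br;q=0` when the client sent a `*` wildcard is an extra safeguard assumed here, since a wildcard would otherwise still permit brotli.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append `len` bytes of `src` to `out`, preceded by ", " when `out` is not
 * empty. Returns 0 on success, -1 if the result would not fit. */
static int append_item(char *out, size_t outlen, size_t *used,
                       const char *src, size_t len)
{
    size_t sep = (*used > 0) ? 2 : 0;

    if (*used + sep + len + 1 > outlen)
        return -1;
    if (sep) {
        out[(*used)++] = ',';
        out[(*used)++] = ' ';
    }
    memcpy(out + *used, src, len);
    *used += len;
    out[*used] = '\0';
    return 0;
}

/* Copy an Accept-Encoding value into `out` without any "br" coding, so the
 * origin can only choose a coding the scanner can decode. Returns the number
 * of the client's codings that were kept, or -1 if `out` is too small. */
int strip_brotli(const char *value, char *out, size_t outlen)
{
    size_t used = 0;
    int kept = 0, saw_star = 0;
    const char *p = value;

    if (outlen == 0)
        return -1;
    out[0] = '\0';

    while (*p) {
        /* One list element runs up to the next comma. */
        const char *end = strchr(p, ',');
        if (!end)
            end = p + strlen(p);
        const char *s = p, *e = end;
        while (s < e && isspace((unsigned char)*s)) s++;
        while (e > s && isspace((unsigned char)e[-1])) e--;

        /* The coding name ends at ';' (parameters such as q=0.8) or space. */
        const char *n = s;
        while (n < e && *n != ';' && !isspace((unsigned char)*n)) n++;
        size_t namelen = (size_t)(n - s);

        int is_br = namelen == 2 &&
                    tolower((unsigned char)s[0]) == 'b' &&
                    tolower((unsigned char)s[1]) == 'r';
        if (namelen == 1 && s[0] == '*')
            saw_star = 1;

        if (e > s && !is_br) {
            if (append_item(out, outlen, &used, s, (size_t)(e - s)) != 0)
                return -1;
            kept++;
        }
        p = (*end == ',') ? end + 1 : end;
    }
    /* "*" matches every coding not listed, brotli included: refuse it explicitly. */
    if (saw_star && append_item(out, outlen, &used, "br;q=0", 6) != 0)
        return -1;
    return kept;
}

int main(void)
{
    /* Constructed sample value, as a browser might send it. */
    char out[128];
    int kept = strip_brotli("gzip, deflate, br", out, sizeof out);
    printf("Accept-Encoding: %s (%d codings kept)\n", out, kept);
    return 0;
}
```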

SafeSquid SWG 2018.0917.1410.3 released
* Abnormal termination (Segmentation Fault) was detected when SafeSquid handled connections for which SSL inspection was bypassed.
Users of Google Drive client (desktop) application reported this anomaly.
The root cause was identified to be a typographical error in the software routine that handled direct socket to socket transfers.
The error manifests in all releases since 12th September 2018.
This flaw remained undetected in simulated tests prior to release, as it occurs in the rare event of the remote server half-closing the connection while the client is still sending data.
* A logical error was detected in the Access profiles section.
This error led to mis-interpretation if the users set a single negated entry in the request types rule in an Access Profiles entry.
For example, if you wanted to create a policy that impacted all requests, except those from Internet Browsers, you would have set the request types rule in the entry to !Internet Browsers.
This would get mis-interpreted and cause the entry to be applicable to all requests including Internet Browsers.


SafeSquid SWG safesquid-2018.0915.2159.3 released
* Enhancement for compatibility with Chrome Browser's unusual request headers
* Auto suggestion list increased to display up to 150 suggestions

SafeSquid SWG safesquid-2018.0914.2006.3 released
* BugFix for clients sending empty username / password in proxy-authorization headers
Compatibility for recent releases of Chrome Browser, that send just a ":" as Basic proxy-authorization in initial requests.
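
The empty-credential case described above, as an added Python sketch (not SafeSquid's code): a Basic Proxy-Authorization value that decodes to a bare ":" is treated as "no identity offered yet" and answered with a fresh 407 challenge instead of being passed to the authentication back end. The function names and the returned action strings are assumptions.

```python
# Added example: function names and action strings are hypothetical.
import base64


def parse_proxy_basic(header):
    """Return (username, password) from a Basic Proxy-Authorization value, or None.

    None means the value is not usable Basic credentials: wrong scheme,
    invalid base64, bytes that are not UTF-8, or no ':' separator.
    """
    scheme, _, token = (header or "").strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if ":" not in text:
        return None
    username, _, password = text.partition(":")  # the password may contain ':'
    return username, password


def decide(header):
    """Map a Proxy-Authorization value to the action a proxy front end takes."""
    if header is None or not header.strip():
        return "challenge"  # no header: answer 407 with Proxy-Authenticate
    scheme = header.strip().partition(" ")[0].lower()
    if scheme != "basic":
        return "other-scheme"  # e.g. Negotiate: handled by a different code path
    creds = parse_proxy_basic(header)
    if creds is None:
        return "reject"  # malformed Basic value
    username, password = creds
    if not username or not password:
        # The bare ":" probe, or a missing half. Assumption: empty passwords are
        # never valid. An empty password must not reach an LDAP simple bind, which
        # a directory may accept as an unauthenticated bind (RFC 4513).
        return "challenge"
    return "verify"  # hand (username, password) to the real authenticator


if __name__ == "__main__":
    # Constructed sample header values; "Og==" is base64 for ":".
    for value in (None, "Basic Og==", "Basic dXNlcjpwYTpzcw==", "Basic !!!", "Negotiate abc"):
        print(repr(value), "->", decide(value))
```

Counting the ":" probe as a failed login would inflate lockout counters for every Chrome user, which is why it maps to "challenge" rather than "reject".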

SafeSquid SWG 2018.0806.2020.3 Released
---------------------------------------
* Optimization in speed.
	You will get better user experience and surfing speed.

* Optimization in intelligent error correction.
	Users reported inconvenience when a connection timeout occurs because a server takes too long to reply to the initial connection request.
	SafeSquid now makes 3 automatic retries in such events.

* Optimized SNI implementation for automatic error correction while making SSL connection to remote websites.
	A logical error, leading to faulty evaluation of SSL certificates presented by servers, was identified.
	The error pertained to a flaw in SNI implementation, and has been fixed.

* Optimized SSL session management.
	Optimization done to reduce the memory utilization on SSL sessions.
	SafeSquid now replaces SSL sessions to remote servers, more aggressively.

* DLP configuration has been simplified and redundant options have been removed.
	Redundant fields were removed from SafeSquid to simplify the DLP configuration.
	DLP policies are now easier to configure.

* Modified Access profiles section to directly use LDAP Profiles in User groups.
	Mapping LDAP profiles to Usergroups in Access Restrictions section is now not necessary.
	Access profiles section now displays and allows use of LDAP Profiles as User groups.
	LDAP user groups are displayed in richer details in autosuggest mechanism.

* Chunked content will not trigger buffering. Chunked responses by default will be automatically and intelligently bypassed for buffering.
	Earlier, when a webserver was sending chunked content to SafeSquid, automatic buffering was being done.
	To suppress this, the administrator had to create complicated policies in SafeSquid.
	SafeSquid will no longer trigger buffering for chunked responses.

* Introduced new debugging mode in Image Analyzer.
	A new field "Debug", added in the Image Analyzer, to facilitate easy debugging of the feature.
	Enabling debug field to TRUE annotates the image with the scoring analysis.
	If the scoring analysis predicts the image to be pornographic, the image will be automatically blurred.
	Setting debug field to FALSE will replace blocked image with default template like checkeredgif.

* Modified System configuration section to display mime type in autosuggest form that are to be compressed.
	In earlier releases, users had to create proper regular expressions to match MIME-types which should be buffered and compressed.
	A semantic mistake in such regular expression could lead to ineffectiveness of the entry.
	Autosuggest mechanism implemented on Always compress mimetype field to overcome this issue.

* Implemented facility of User consent before any entry is deleted.
	Ensured implementation of User consent before any entry is deleted from SafeSquid configuration.

* Modified the broken bypass functionality.
	When a user with bypass privileges now chooses to open a website that has not been explicitly allowed, third-party urls seamlessly inherit the bypass. This bypass ensures clean rendering of the website requested by the user.
	The third-party urls will however remain blocked if they have been explicitly blocked, or if any filter considers the content to be unacceptable.
	The bypass feature intelligently supports clustered environment.

* Fixed the problem of not blocking session based cookie which was without expiry time.
	SafeSquid was not blocking the session based cookie that was having either wrong or no expiry time.
	This is now fixed.

* Introduced "privacy" and "bypass" logging mechanism.
	Two new logs introduced in SafeSquid.
	Privacy log captures incidences of third party web-sites when a user accesses a web-site, and action taken by elevated privacy. 
	When users with bypass privilege exercise their privilege to access a web-site that is not explicitly allowed, it is recorded in the bypass logs. It also records the user's opinions about the site, and the URLs that were additionally bypassed, to present a seamless experience.

* Modification for transparent redirect.
	For transparent redirection (when 302 redirect is disabled) users were required to set the port to -1. However the default value in the configuration was 0. This anomaly caused dysfunction, because SafeSquid attempted to connect to remote web service on port 0. Now, when 302 redirect is disabled and the port is simply left at 0, the redirection intelligently keeps the port unchanged.

* Introduced display of End User License Agreement (EULA) to user before product activation.
	After a new installation of SafeSquid, the End User License Agreement (EULA) will be shown. Please read the EULA properly.
	Product activation process will continue only after your consent.

* Improved the cloud restore mechanism.
	Cloud restore mechanism is improved with proper display of files downloaded from cloud on SafeSquid WebGui.



SafeSquid SWG 2018.0206.2141.3 Released
---------------------------------------
* SafeSquid loads in-memory configuration from user generated config.xml or default config.xml to reduce the disk I/O.
	Abnormal behaviour was discovered in the SafeSquid process when the in-memory configuration was not loaded due to the absence of these config.xml files.
	SafeSquid now creates an empty in-memory configuration, to safeguard against such abnormal behaviour.

* The performance of SafeSquid can be impacted by TCP parameters like sysctl, Keepalive, etc. 
	SafeSquid uses TCP tuning script to derive some of these TCP parameters.
	A semantic error was found in this script, due to which the derived sysctl values were not being loaded.
	Correction was done in the tcp tuning script, to ensure loading of the derived sysctl values.

* SafeSquid closes all sockets which are not required and have no data present to transmit.
	A flaw was detected in the closure of some of these sockets, where the peer closes before receiving pending data.
	These sockets were running in endless loops, resulting in high CPU usage.
	Correction was done to ensure closure and release of such sockets.

* SafeSquid uses SSL_Pending to determine presence of residual data after reading from an SSL socket, to eliminate wait before a subsequent read call.
	The logic of this checking of SSL_Pending has been further optimized for reducing CPU utilization.

* SafeSquid displays streaming of Native Logs on dashboard.
	The streaming automatically pauses, when user hovers mouse over the display. 
	Users reported inconvenience in the event of an accidental mouse hover, which required the user to click on the Resume button to restart streaming.
	The WebUI now offers an option to the user to prevent this automatic pause.

* SafeSquid can listen on multiple sockets and accept new connections.
	SafeSquid's legacy design used a single thread to listen and accept connections on multiple sockets.
	This design under-utilised the TCP option SO_REUSEPORT.
	A new design has now been implemented that creates a dedicated thread for listening and accepting connection on each socket.
	Each of these dedicated threads is confined to a single CPU core.
	Currently you may have to create multiple entries in the Network Section to get maximum benefits from this new design.
	SafeSquid will use a round-robin distribution of these dedicated threads to load-balance across all the available CPU cores.
	You can expect 50% improvement in handling connections with increase in throughput.

* SafeSquid was sending only the Host details while sending request headers to remote web-servers.
	Some web-sites that serve on non-standard ports may require HOST to be specified as Host:Port format in the request headers.
	Failure was discovered when accessing https web-sites served on ports other than the standard 443.
	SafeSquid now ensures port is included in the Host directive, when sending request headers to a server listening on non-standard port.



SafeSquid SWG 2017.1115.1800.3 Released
---------------------------------------
Improvements
------------
* Optimized TCP congestion control algorithm.
	Ensured implementation of TCP RENO for outgoing connections and TCP CUBIC for incoming connections.
* Improvement in the data transfer speed. 
	SafeSquid can now handle 10-15% more transactions per second. CPU and RAM utilization also decreased by almost 50%.
* Logging improved to report the actual speed of data transfer.
	Ex> debug: network: net_filebuf_read: speed: swgupdates2.safesquid.net 7082 bytes in 6.1520 ms [ 1.1512 MBps ]
		debug: network: net_transfer: speed: 192.168.0.12 downloaded from 1.client-channel.google.com 487 bytes in 116.0000 us [ 4.1983 MBps ]
* Rationalization in logs.
* Optimization done in HTTPS. Initial SSL connect will be faster now.
* Optimization in memory utilization.
* Optimization in safesquid init script and tcp tuning script.

BugFixes
--------
* Fix for Captive Portal feature.
	A conflict and a broken web-security client implementation via Captive Portal were observed.
	Identified the flaw and fixed it.
* Fix for tcp tuning script.
	It was observed that tcp_tune.sh script was passing wrong variables to init script which then resulted in safesquid crashing immediately at start.
	Identified the flaw and fixed it.


SafeSquid SWG 2017.0817.1602.3 Released
---------------------------------------
* Improved overall performance by 20%. You will get better user experience and surfing speeds.
	Evaluated the performance of the product by enabling and disabling each feature, and identified that the DLP feature was contributing a major performance drag. Reworked the DLP module for performance improvements and evaluated performance once again; as a result we have observed a 20% overall improvement.


SafeSquid SWG 2017.0804.1805.3 Released
---------------------------------------
* Improved private categorization security.
	It was observed that the private categorization implementation was not strict.
	When a user classified google.com as search category, SafeSquid classified www.abcdgoogle.com as search.
	This is fixed in this release. Now when you classify google.com as search, SafeSquid will treat www.google.com and mail.google.com as search, but not www.abcdgoogle.com.
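
The strict matching described above, as an added Python sketch (not SafeSquid's code): an entry matches itself and its subdomains only when the match ends on a DNS label boundary. The loose variant is one assumed way the earlier behaviour could arise. The function names and the sample table are hypothetical, and the sketch goes slightly beyond the entry by picking the most specific matching entry.

```python
# Added example: function names and the sample category table are hypothetical.


def normalize(host):
    """Lower-case a hostname and drop the trailing root dot ('GOOGLE.COM.' -> 'google.com')."""
    return host.strip().lower().rstrip(".")


def loose_match(host, entry):
    """Plain string-suffix test: an assumed way to get the non-strict behaviour."""
    return normalize(host).endswith(normalize(entry))


def strict_match(host, entry):
    """Match the entry itself or a subdomain of it, never a name that merely ends with it."""
    host, entry = normalize(host), normalize(entry)
    return bool(entry) and (host == entry or host.endswith("." + entry))


def categorize(host, table):
    """Return the category of the most specific (longest) matching entry, or None."""
    best = None
    for entry in table:
        if not strict_match(host, entry):
            continue
        if best is None or len(normalize(entry)) > len(normalize(best)):
            best = entry
    return table[best] if best is not None else None


# Constructed sample table for the demonstration.
PRIVATE_CATEGORIES = {"google.com": "search", "mail.google.com": "webmail"}

if __name__ == "__main__":
    samples = (
        "www.google.com",
        "mail.google.com",
        "www.abcdgoogle.com",
        "google.com.evil.example",
    )
    for name in samples:
        print(name, loose_match(name, "google.com"), categorize(name, PRIVATE_CATEGORIES))
```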


SafeSquid SWG 2017.0705.1832.3 Released
---------------------------------------
* Implemented Captive Portal for securing WIFI-Hotspots.
* The reporting database architecture modified to reduce CPU utilization & Implemented database rotation.
	It was observed that real time database writing was hitting hard on the CPU, so we have modified the writing method to reduce CPU utilization.
	Additionally added a switch to disable real time database write on resource constrained environments.


SafeSquid SWG 2017.0506.1827.3 Released
---------------------------------------
The changes in SafeSquid Secure Web Gateway 2017.0506.1827.3 are big enough to qualify it as a MAJOR release.

* Improved UI based on user experience and added plenty of features.
* Architectural changes in policy creation, entirely profiles driven.
* Updated application and content signatures.
* SSL session resumption implemented.
* Upload controls improved and now you can control uploads into Google Drive.
* VPN support implemented.
* Cloud based management of website categorization and SSL certificates using self service portal.


SafeSquid SWG 2016.1231.1230.3 Released
---------------------------------------
* Improvements in SQLite performance.
	Enhancement in SQLite functionality. Fixed a few vulnerabilities which were observed in writing the information to the database.
* Fix for memory leaks in trusted ca load functionality.
	It was observed that there was a memory leak in the trusted ca update functionality, which would happen every hour.
	Identified the issue and fixed it.
* Integrated latest webfiltering engine.
	Brought in the latest available webfiltering engine which is used for categorization.


SafeSquid SWG 2016.1222.1807.3 Released
---------------------------------------
* Minor bug-fix in ICAP feature.


SafeSquid SWG 2016.1017.1234.3 Released
---------------------------------------
* Bug fix in cookies transmission.
	It was reported that SafeSquid was unable to handle some Java applications which depend on set-cookies values. In previous versions, SafeSquid was not handling all the different types of set-cookies well. Identified the bug and fixed it.
	Known issue: Performance plot is not getting generated. Will be fixed in next releases.


SafeSquid SWG 2016.0921.1950.3 Released
---------------------------------------
* Enhancement in reporting performance. Two times faster than the previous release.
	The reporting engine has been enhanced with changes in querying mechanism. This ensures that the users are served with the reports at least two times faster than the previous releases' reports.

* Improved analysis of drilled reports.
	It was observed that there were few drilled reports that have not been generated successfully. Identified the faults and fixed them to ensure all the drilling goes fine.


SafeSquid SWG 2016.0914.1836.3 Released
---------------------------------------
* Completely restructured database architecture to reduce database size and enhance reporting performance (3 times improvement).
	The database architecture used by SafeSquid was rapidly increasing the size and causing delays in generating the reports once the database size starts increasing (above 20GB - 30GB). Major optimizations have been done to reduce the database size as much as possible and to reduce the time taken in generation of reports with improved querying mechanism.

* Complete change in the display of reporting dashboard.
	The dashboard displaying reports is completely changed from the previous versions. The bars and graphs used to display the reports have been replaced completely with simple tabular display resulting in more visual clarity for the users.
	
* Migration script available for the users who are using the older SafeSquid releases to import old database to the new database.
	A migration script has been made available on downloads.safesquid.net readily for the existing customers to change the database architecture. The migration script easily migrates the existing database to the latest architecture and SafeSquid starts writing to the new architecture. This has been done to ensure users won't lose any previous reports.

* Critical bug fix for crash due to enabling caching section.
	It was observed that SafeSquid was crashing when users enable the caching section, but it was a rare scenario. Replicated the scenario, identified the cause and fixed the crash.

* Critical bug fix for crash due to enabling forwarding section for usage with an upstream proxy.
	It was reported that SafeSquid was crashing when it was configured to use an upstream proxy using the forwarding section. Identified the bug and fixed it.


SafeSquid SWG 2016.0824.1234.3 Released
---------------------------------------
* Improved performance of reporting engine with larger databases (30GB).
	The way SafeSquid was querying the database for report generation was causing delay in rendering the reports page on the browser. Improved the querying mechanism, resulting in faster rendering of reports with database sizes up to 30GB. Previously the querying was taking around 5 minutes on a 10GB database; now it has been optimized to take up to 10 seconds on a 20GB database.

* Real-time reports are now generated 3x faster.
	Now the reports are generated 3 times faster than in previous releases. You can expect more user experience enhancements in the near future.
	
* Fix for intermittent SSO authentication prompts on the user's browsers.
	It was observed that the SSO authentication was not running smoothly because of slowness in the clients' machines, resulting in prompts on the user's browser. The authentication prompt was given to the user on the browser intermittently while surfing was going on. Identified the flaw in such scenarios and fixed it.

* Critical bug fix for crash due to abuse of database vacuum options.
	SafeSquid was using vacuum algorithm to reduce the memory utilization. But it was observed that using vacuum at inappropriate places was causing crashes. The vacuum algorithm is optimized now and efficiently used.

* Implemented facility to configure the policies when reports pages are rendering.
	Previously the user could not click on configure unless the reports were rendered. Now the user can click on configure and make policies irrespective of the rendering of reports.

Known Issues
------------
* Caching has a problem.


SafeSquid SWG 2016.0803.1027.3 Released
---------------------------------------
* Updates for trusted CA infrastructure.
	Updates trusted CA bundle regularly. SafeSquid uses trusted CA bundle to verify SSL server's identity.
	This ensures defence against security breaches due to stolen or compromised or expired CA usage.
	
* Implemented facility to use corporate CA as SafeSquid CA & SafeSquid Trusted Authority. 
	You can upload corporate CA files via SafeSquid WebUI.	
	You can setup your websites with self-signed CA and upload self-signed CA to SafeSquid trusted bundle.	
	Your clients can access all your SSL websites seamlessly without even deploying self-signed CA to client browsers.
	If you have a corporate CA provided by a trusted party, you need not deploy SSL certificates on client browsers. You can avoid downloading and importing the SafeSquid CA certificate.
	Browsers default trusted bundles are enough to verify SafeSquid generated & signed certificates using corporate CA.
	Deployment of SafeSquid becomes much easier for following use cases and you can provide seamless experience to users. 
		Proxy aware mode usage with SSL Inspection.
		Reverse proxy mode usage for SSL website protection.
		Transparent proxy mode usage with SSL Inspection.

* Fixed issue for bypassed websites and upload content types not shown on the reporting.
	It was observed that the upload content types and bypassed websites are not shown on the reporting page. Identified the issue and fixed it.


SafeSquid SWG 2016.0727.2034.3 Released
---------------------------------------
* Simplified SSO configuration via SafeSquid WebUI.
	Configure Single Sign On using SafeSquid WebUI by following simple steps.
	Open WebUI->Configure->Application Setup->Integrate LDAP->SSO configuration. 
	There you can configure SSO and all you need to have is required credentials.
	
* Implemented application crash alert system using support_tarballs.
	SafeSquid now creates support tarball on every crash and send it to SafeSquid servers for analysis.
	This system gathers attention of SafeSquid team whenever something goes wrong.
	In upcoming releases you will get options to setup mail alerts.

* Fixed "Nothing to show" reporting issue.
	It was observed that, in some cases, SafeSquid was not writing information to the database due to transaction failures,
	which resulted in "Nothing to show" in the reporting engine for drilled queries.
	Identified the root cause and fixed it.
	
* Fixed vulnerability in handling uploads on WebUI.
	It was observed that SafeSquid crashes when a faulty upload request fires on SafeSquid WebUI.
	Identified vulnerability and fixed.
	
* Fixed critical crash in downloading chunked response.
	We have observed a crash while downloading chunked response from some remote server.
	Identified faulty logic and fixed.


SafeSquid SWG 2016.0707.2047.3 Release Notes
--------------------------------------------
* Improved Reporting Engine & rendering of real-time reports. 
	Changed back-end architecture for reporting engine to deliver faster reports.
	You can expect 30% faster results with new reporting engine.
	In the next releases you will get options to customize report wizards.
		
* Improved handling of HTTPS connections when SSL inspection disabled.
	It was observed that clients are facing latency issues while opening few HTTPS websites.
	Identified that TCP_CORK was causing delay in data transmission, and fixed it.

* Improved SSL Caching.
	It was observed that SSL caching and session resumption techniques are consuming significantly high memory.
	Implemented a workaround and reduced memory consumption.


SafeSquid SWG 2016.0623.0012.3 Release Notes
--------------------------------------------
Major Release.
Optimized resource utilization.

* Optimized for Memory Consumption.
	It was observed that SafeSquid was consuming significantly more memory than estimated.
	Optimized various areas to reduce memory consumption, mainly Sqlite and SSL. 
	
* Optimized for Load Average.
	It was observed that the Load Average was shooting up to 50 on 4 core machine.
	Optimized various areas to reduce Load Average, mainly buffered data transfer. 

* Improved Reporting Engine & rendering of real-time reports. 
	Clients reported that they were experiencing latency while checking real time reporting.
	Improved real time reporting by optimizing queries and tuning Sqlite parameters.
	Implemented facility to enable or disable reporting using SQLITE_WRITE option in reporting_db.conf.
	Use this facility on memory constrained systems.
	
* Fixed critical bugs related to SSL applications.
	Clients reported that they were unable to use few SSL applications via SafeSquid.
	Identified faulty logic & Fixed.

* Fixed bug related to logging.
	It was observed that SafeSquid native logs were written into extended logs.
	Identified that SafeSquid was allocating stdout to one of the logs, and fixed it.

* Fixed vulnerability. 	
	It was observed that SafeSquid crashes when a client fires a malformed section request.
	Fixed vulnerability in this release.
	
	
Known Issues
------------
* Speed limits section is not working.

Upcoming and conceptualizing the implementations:
------------------------------------------------
* Captive Portal.
* Bandwidth Management.
* OCSP & CRL related to SSL.
* Multicast
* UDP proxy
* MySql Integration
* Redis Integration
* A-Z of SSL.
* Video controls 
	protect network resources, provide custom allow/deny filters, enable YouTube educational videos, and provide control over viral, entertainment and surveillance videos.
* Network port monitoring
* Remote User Protection
* Malware Sandbox Services and Forensic Analysis
* Web based UI management.
* Easy Addition of Email Security
* AMI
* Roles based access.


SafeSquid SWG 2016.0422.2014.3 Released
---------------------------------------
Major Release.
Improved for better user experience. 

* Brand New UI & UI API.
	Simplified, Customizable UI.
	Use UI API to create UI that suits your organization needs and reselling purposes.

* Reporting & Monitor performance.
	Real time performance plots allows you to monitor performance.
	Solid Reporting system with 67 predefined reports.
	You can customize pre defined reports and apply filtering to deeply look at various scenarios.

* Category Management, local & cloud based.
	Category Engine with more than 100 categories.
	Manage your own categories.
	Upload files with multiple websites into specific categories.
	Search for categories of URL/websites.
	Real time updates to the Category databases.

* IPv6
	Supports both IPv6 and IPv4 at the same time.
	Configure it based on your network infrastructure.

* WCCP
	SafeSquid SWG now supports WCCP v1 & WCCP v2.
	With WCCP support, SafeSquid SWG can offer following things.
		* Interact with WCCP servers(Cisco routers or similar devices which supports WCCP). Dictate to WCCP servers how traffic can be distributed to the WCCP clients(web-caches, Proxies and similar devices).
		  SafeSquid can interact with WCCP servers and using WCCP protocol and the interaction takes place 

		* Transparently redirect traffic flows in real-time.
			--Full control is with administrators.
			--Client browsers configuration is not at all required.
			
		* Optimize resource utilization.
		
		* Lower response times.
		
		* Configure service-assurance (fail-safe) mechanisms.
		
		* Load balancing.
			
		* Scaling. 
		
		* Fault tolerance.
		
		* Inspect traffic from the clients perform various kinds of filtering and virus scanning.
		
		* Monitoring
		
		* Provides WCCP client support for devices which do not support WCCP. Redirect traffic to web-cache engines or similar devices which do not support WCCP.

	Known Information:
		The following things are in development process for WCCP future enhancements.
	Post release:	
		* Negotiation of capabilities
		* Hash assignment method
		* Security Check
		* Service group related work.
		* Choose mask or hash using source port, dest port , source ip or dest IP.
		* Efficient use of section fields.
		* Dynamic service groups testing. Router is not responding when we opt for DYNAMIC service.
		* set default options.
		* Multicast support
		* IPV6 support
 

* Application Control
	Control access to the 
	application categories BROWSERS, REMOTE ACCESS, FTP etc.
	applications like SKYPE, FACEBOOK, TWITTER etc.

* Content Control
	Control access to the 
	content categories IMAGE, TEXT , APPLICATION
	content types like JPEG, PNG, HTML, JS,CSS, EXECUTABLE, RAR etc.

* Custom access to users.
	At times users need to access blocked websites but you may not be available to provide access.
	But you can configure policies to allow users to access blocked websites for a couple of hours.

* Policy evaluator, Regex evaluator, URL command executor.
	Evaluate configured policies and use handy tools to create robust policies.

* Sqlite Integration
	Provides strong backend database to store logs, Customized Categories database.

* User Groups.
	Create User groups using predefined users or Directory users or MySql users.
	You can import users from file.

* Improved complete feature set.
	All features revised to enhance user experience especially policy creation and SSL.

* DLP(Data Loss prevention).
	Secure your data from internal threats.
