SafeSquid for Linux SWG safesquid-2019.1115.1826.3-swg-standard released
From Secure Web Gateway
Revision as of 16:05, 25 November 2019 by Santosh.thorat
- New startup parameter "FORCE_SNI" added in startup.ini file.
The default value is 0. Any other integer forces use of the SNI routine to determine the SSL certificate that should be used for the SSL handshake with the client.
- Large number of incoming connections at startup could cause lockup of the SSL section.
This was due to lack of synchronization between the activation key validation process and initialization of the caches for SSL sessions.
"Pull" mechanism in SSL section now replaces the earlier "push" mechanism by the activation key validation process.
- SafeSquid was generating a "fake" SSL certificate for each intercepted HTTPS web-site.
Now wild card certificates are generated to cover entire sub-domains.
This reduces the number of certificates created, with cascading benefits in latency, and reduced inode memory.
- "Fake" SSL certificates generated by SafeSquid were directly signed by the Trusted Root CA certificate generated or uploaded on SafeSquid's self-service portal.
SafeSquid now creates a unique intermediate CA certificate on each instance that uses the same Activation Key.
The fake SSL certificates are signed by this intermediate CA certificate.
This mechanism enables distinguishing the interceptor in a load-balanced cluster, and ensures seamless web-experience in fail-over events, or when connections are simultaneously handled by different instances in an active-active cluster.
- SafeSquid previously generated a separate private key for each "Fake" SSL certificate.
Now it generates a common key for all these certificates, reducing disk storage space and memory cache by 50%.
- SafeSquid now serves the complete trust chain to clients.
This includes the Trusted Root CA certificate and the intermediate CA certificate.
This ensures seamless acceptance by clients, who need to install just the Trusted Root CA in their client applications, such as browsers.
- The SSL cache clean interval has now been reduced to 1 hour.
The cache now intelligently evicts artefacts that were not reused in the past hour.
- A logical flaw caused mis-interpretation of the configuration option that enables disabling of the real-time SQLite db inserts.
This caused data to be created and held in memory unnecessarily.
SafeSquid now efficiently prevents generation of such data when not required.
Also, this data was earlier held in stack memory, and has now been moved to heap.
- SafeSquid uses high priority threads for internal house-keeping.
The affinity of these threads is set to prevent use of the CPU cores that are dedicated for listening and accepting new clients.
A logical flaw could cause SafeSquid to crash if the startup parameter for assigning the core dedication was incorrect.
This has now been fixed.
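The chain layout described in the SSL items above (Trusted Root CA, a per-instance intermediate CA, and a wildcard certificate signed by that intermediate) can be reproduced in a lab to see why the proxy has to serve the intermediate along with the leaf. This is an added example, not SafeSquid code; it assumes the `openssl` CLI is installed, and every name in it (Lab Root CA, proxy-node-1, example.com) is a constructed placeholder.

```bash
#!/bin/sh
# Constructed lab PKI: all subjects and file names are placeholders, not SafeSquid's.
set -eu

# sign_csr <dir> <name> <subject> <issuer> <extfile>
# Creates a new key and CSR for <name>, then signs it with <issuer>'s key.
sign_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -days 30 -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -extfile "$1/$5" -out "$1/$2.pem" 2>/dev/null
}

# build_chain <dir>: root CA -> per-instance intermediate CA -> wildcard leaf
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' \
    > "$1/leaf.ext"
  # Self-signed root: the only certificate a client installs as trusted.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
    -keyout "$1/root.key" -out "$1/root.csr" 2>/dev/null
  openssl x509 -req -in "$1/root.csr" -days 30 -signkey "$1/root.key" \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
  # The intermediate's subject names the instance, so the issuer field of any
  # leaf shows which cluster node intercepted the connection.
  sign_csr "$1" int  "/CN=Lab Intermediate CA proxy-node-1" root ca.ext
  sign_csr "$1" leaf "/CN=*.example.com"                    int  leaf.ext
}

# verify_leaf <dir> [served-intermediates.pem]
# Trusts only the root; the optional file plays the chain sent in the handshake.
verify_leaf() {
  if [ $# -gt 1 ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem"
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
  fi >/dev/null 2>&1 && echo trusted || echo rejected
}

d=$(mktemp -d)
build_chain "$d"
echo "leaf served alone:             $(verify_leaf "$d")"
echo "leaf served with intermediate: $(verify_leaf "$d" "$d/int.pem")"
openssl x509 -in "$d/leaf.pem" -noout -issuer
```

Against a running proxy, `openssl s_client -connect <host>:443 -proxy <proxy>:<port> -showcerts` lists the certificates actually served, which can be compared with this layout.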
New users? See Getting Started.
Download the SafeSquid ISO to create your appliance.
Download the safesquid-2019.1115.1826.3-swg-standard.tar.gz tarball to upgrade, or if you already have a Linux 14.04 machine.