These are the highlights of new features or additions to existing features in v5.0.x. For the complete list of all changes, see the JIRA Release Notes.
SPDY
SPDY is now implemented in core Traffic Server. SPDY is supported for both TLS (encrypted) and non-TLS access. Protocol sniffing is used to detect SPDY for non-encrypted connections and for TLS connections that do not do NPN negotiations. SPDY versions 3.0 and 3.1 are supported.
As part of this work the custom logging format tags pitag and piid were added to make it possible to log SPDY related information.
Cache Backwards Compatibility
Traffic Server can now run on caches created by previous versions of Traffic Server back to version 3.2.0. This is done by run time conversions when an object is read from the cache. All data written to the cache is written in the current cache format. Over time a cache will gradually be converted to more recent formats. Internally, objects are now written out with version information per object to make future compatibility easier. This means that although the cache format changed for 5.1.x, this should not invalidate any 5.0.x cache.
Backwards compatibility for the cache will not be indefinitely extended. Traffic Server may remove support for cache formats that belong to versions of Traffic Server that are past end of support.
Server Session Sharing
Traffic Server supports sharing server sessions between clients. Previously this was done only for requests that matched both the fully qualified domain name and IP address. This remains the default but can be adjusted to match on either the IP address or the FQDN only.
Sessions with auth headers can be placed into the server session pool.
Jira: TS-2902
Transparency Hardening
The use of the client target address for the server address has been changed. The client supplied address is now checked against DNS results and, if it does not match, the request is not cached. The old (potentially unsafe) behavior can be restored by setting proxy.config.http.use_client_target_addr to the value ``2``.
Jira: TS-2954
TLS
Several improvements for secure transport were made:
Handling of ECDSA certificates was improved
Jira: TS-2893
The cipher suite and protocol used by ATS as a client are now configurable
Jira: TS-2924
SNI can be set for outbound connections from ATS
Jira: TS-2802
sslheaders plugin added to inject information about connections into the HTTP headers
Jira: TS-2957
OCSP is now supported
Jira: TS-2367
New Plugins
PageSpeed
SSL Headers
Minor Changes
traffic_line can now do VIA string decoding.
Usage:
traffic_line --decode_via <via-string-here>
Jira: TS-2904
Many potential bugs were fixed by using Coverity and clang static checks.
A lot of work was done at a mini-summit during the summer.
Jira: TS-1475
Support for TOS setting on TCP sockets.
Jira: TS-2995
Log filters on IP fields work
Log fields that are IP addresses can be used for log filters. This can be done per IP address or by range.
Jira: TS-698
Base string for stripe assignment allocation is now configurable
This is a maintenance feature to help preserve the cache when the operating system paths to the storage devices change.
Jira: TS-3000
Developer Changes
xptr was removed and replaced with ats_scoped_str, ats_scoped_obj and ats_scoped_ptr for temporarily or contingently allocated resources.
The Doc header was changed to store per object version information.
traffic_manager was moved to the cmd directory.
libutils was merged in to libmgmt.
WebMgmtUtils moved to libmgmt.
5.1.1 Security Update
Due to security issues in 5.1.0, a possibly incompatible change was made to 5.1.1.
CVE-2014-3566 details a security vulnerability in SSL v3. Traffic Server was updated to disable SSL v3 in the default configuration. Explicit administrator action is required to enable user agents to use SSL v3 to connect to Traffic Server. SSL v3 is a very old protocol and should not be used; Traffic Server recommends leaving SSL v3 disabled.
CVE-2014-3624 details a potential Traffic Server vulnerability due to a change in how remap works. This error has been fixed (TS-2677) in version 5.1.1 and requires no action on the part of the administrator beyond installing 5.1.1.
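A check an administrator could run after upgrading, as an added example (not Traffic Server code): it scans records.config text for the two settings these notes flag, the restored client target address behavior and SSL v3 being switched back on. Assumptions: the setting name proxy.config.ssl.SSLv3 and the CONFIG line layout are taken from Traffic Server's records.config rather than from this page, and the sample input is constructed.

```python
import re

# Values these release notes identify as weakening the defaults.
# proxy.config.ssl.SSLv3 is an assumption: the page does not name the setting.
RISKY = {
    "proxy.config.http.use_client_target_addr":
        ("2", "client target address trusted without the DNS check"),
    "proxy.config.ssl.SSLv3":
        ("1", "SSL v3 enabled for user agents (CVE-2014-3566)"),
}

# records.config entries have the form: CONFIG <name> <TYPE> <value>
ENTRY = re.compile(r"^\s*CONFIG\s+(\S+)\s+(\S+)\s+(\S+)")

def audit_records(text):
    """Return (line_number, name, reason) for each risky entry in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out entries are not active
        match = ENTRY.match(line)
        if not match:
            continue
        name, _type, value = match.groups()
        risky = RISKY.get(name)
        if risky and value == risky[0]:
            findings.append((number, name, risky[1]))
    return findings

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
# records.config excerpt (constructed)
CONFIG proxy.config.http.use_client_target_addr INT 2
CONFIG proxy.config.ssl.TLSv1 INT 1
#CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
"""

if __name__ == "__main__":
    for number, name, reason in audit_records(SAMPLE):
        print(f"line {number}: {name}: {reason}")
```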
5.1.2 Security Update
Due to security issues in 5.1.1, a 5.1.2 release has been issued. It should require no changes to replace 5.1.1.