Release Notes 6.0.10
		
			
      
	    
	    
    	Dec 7, 2016 
	    
		
		
		
Improvements
IPv6 support
  - PFService supports NAT in:
    
      - NAT policies
 
      - directed routers
 
      - forge addresses
 
    
   
Proxies
  - You can now set a fallback service in Advanced Protocol Recognition,
to use when the protocol used in the connection is not recognized.
 
TLS handling
  - You can disable client-initiated renegotiation. This prevents
client-initiated renegotiation attacks and is necessary to achieve
grade A+ in Qualys and HTBridge tests.
 
  - During the TLS handshake, in addition to the certificate, Zorp sends
the intermediate CAs as well. This is necessary to achieve grade A+ in
Qualys and HTBridge tests.
 
  - Zorp now supports perfect forward secrecy. This is necessary to
achieve grade A+ in Qualys and HTBridge tests.
    
      - Zorp now supports the elliptic curve Diffie-Hellman protocol used
by modern clients and servers.
 
      - Zorp now supports ephemeral Diffie-Hellman, used by older clients
and servers.
 
    
   
kZorp
  - kZorp now supports kernel version 4.4, the new LTS kernel in Ubuntu
14.04.
 
Monitoring
  - Munin plugins are available for:
    
      - memory usage of kZorp, which shows possible memory leaks

      - statistics of the internal hash in kZorp, to show possible hash imbalance
 
      - statistics of internal cache events
 
    
   
Fixes
Critical
  - Fixed reference counting problems in kZorp which might cause a kernel
crash.

  - Fixed a race condition in kZorp which might make the host inaccessible.
 
Moderate
  - Fixed the certificate cache of the dynamic certificate generator, which
might have sent the wrong certificate when the private key was changed in
the certificate generator.
 
  - Fixed side-stack chaining mechanism, which caused Python tracebacks.
 
  - Decreased the memory usage of the configuration dump from the kernel by
the kZorp client (kzorp-client -dzs), which might exhaust memory in case of
an extremely large number of configuration items (Service, Rule, Zone).
 
  - Fixed a zone lookup failure in case of IPv6 (/128 subnets only), which
caused Zorp to ignore traffic from/to the affected Zone.

  - Fixed an encrypted data channel creation failure in case of the FTP protocol.
 
Low
  - The log level of the kZorp daemon can be set (default is 3). This greatly
reduces the number of log messages generated by hostname-based Zones