Zorp GPL

The security middleware.

Release Notes 6.0.10

Improvements

IPv6 support

  • PFService supports NAT in:
    • NAT policies
    • directed routers
    • forge addresses

Proxies

  • You can now set a fallback service in Advanced Protocol Recognition, to use when the protocol used in the connection is not recognized.

TLS handling

  • You can now disable client-initiated renegotiation, which prevents client-initiated renegotiation attacks and is necessary to achieve grade A+ in Qualys and HTBridge tests.
  • During the TLS handshake, Zorp now sends the intermediate CA certificates along with its own certificate. This is necessary to achieve grade A+ in Qualys and HTBridge tests.
  • Zorp now supports perfect forward secrecy. This is necessary to achieve grade A+ in Qualys and HTBridge tests.
    • Zorp now supports ephemeral elliptic curve Diffie-Hellman (ECDHE) key exchange, used by modern clients and servers.
    • Zorp now supports ephemeral Diffie-Hellman (DHE) key exchange, used by older clients and servers.
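As an added illustration of the three TLS properties listed above (not Zorp code or Zorp configuration), the following uses Python's standard ssl module, assuming an OpenSSL 1.1 or newer build, to build a server context that refuses client-initiated renegotiation, keeps only ECDHE/DHE suites for TLS 1.2, and loads a chain file so the intermediate CA certificates are sent in the handshake. The file names are hypothetical.

```python
import ssl

# Key-exchange algorithms that give forward secrecy in TLS 1.2 and below.
# TLS 1.3 suites report "kx-any" because every TLS 1.3 handshake is ephemeral.
PFS_KX = {"kx-ecdhe", "kx-dhe"}
TLS13_KX = "kx-any"


def pfs_cipher_names(ctx):
    """Names of the TLS<=1.2 suites in ctx whose key exchange is ECDHE or DHE."""
    return [c["name"] for c in ctx.get_ciphers() if c.get("kea") in PFS_KX]


def non_pfs_ciphers(ctx):
    """Suites still enabled in ctx that lack forward secrecy (e.g. static RSA)."""
    return [c["name"] for c in ctx.get_ciphers()
            if c.get("kea") not in PFS_KX and c.get("kea") != TLS13_KX]


def renegotiation_disabled(ctx):
    """True if the OpenSSL option forbidding client-initiated renegotiation is set."""
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", 0)  # needs OpenSSL >= 1.1.0h
    return bool(flag) and bool(ctx.options & flag)


def hardened_server_context(chain_file=None, key_file=None):
    """Server context with the three properties from the release notes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # 1. Refuse client-initiated renegotiation (no-op on builds lacking the flag).
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    # 2. Keep only ECDHE/DHE suites for TLS 1.2; TLS 1.3 suites stay enabled
    #    because they always use ephemeral key exchange.
    names = pfs_cipher_names(ctx)
    if names:
        ctx.set_ciphers(":".join(names))
    # 3. A chain file holding the leaf certificate followed by its intermediate
    #    CA certificates makes OpenSSL send the intermediates during the handshake.
    if chain_file:  # hypothetical paths, e.g. "server-chain.pem" / "server-key.pem"
        ctx.load_cert_chain(chain_file, key_file)
    return ctx


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("renegotiation disabled:", renegotiation_disabled(ctx))
    print("non-PFS suites left:", non_pfs_ciphers(ctx))
```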

kZorp

  • kZorp now supports kernel version 4.4, the new LTS kernel in Ubuntu 14.04.

Monitoring

  • Munin plugins are available for:
    • the memory usage of kZorp, which reveals possible memory leaks
    • statistics of the internal hash table in kZorp, which reveal possible hash imbalance
    • statistics of internal cache events

Fixes

Critical

  • Fixed reference counting problems in kZorp which might cause a kernel crash.
  • Fixed a race condition in kZorp which might make the host inaccessible.

Moderate

  • Fixed the certificate cache of the dynamic certificate generator, which might have sent the wrong certificate when the private key was changed in the certificate generator.
  • Fixed the side-stack chaining mechanism, which caused Python tracebacks.
  • Decreased the memory usage of the configuration dump from the kernel by the kZorp client (kzorp-client -dzs), which might exhaust memory in case of an extremely large number of configuration items (Service, Rule, Zone).
  • Fixed a zone lookup failure for IPv6 /128 subnets, which caused Zorp to ignore traffic from/to the affected Zone.
  • Fixed encrypted data channel creation failure for the FTP protocol.

Low

  • The log level of the kZorp daemon can now be set (default is 3). This greatly reduces the number of log messages generated by hostname-based Zones.