Release Notes 6.0.10
Dec 7, 2016
Improvements
IPv6 support
- PFService now supports IPv6 NAT in:
  - NAT policies
  - directed routers
  - forge addresses
Proxies
- You can now set a fallback service in Advanced Protocol Recognition,
to use when the protocol used in the connection is not recognized.
TLS handling
- You can disable client-initiated renegotiation, which prevents
  client-initiated renegotiation attacks and is necessary to achieve
  grade A+ in Qualys and HTBridge tests.
- During the TLS handshake, in addition to the certificate, Zorp sends
the intermediate CAs as well. This is necessary to achieve grade A+ in
Qualys and HTBridge tests.
- Zorp now supports perfect forward secrecy. This is necessary to
achieve grade A+ in Qualys and HTBridge tests.
- Zorp now supports ephemeral elliptic curve Diffie-Hellman (ECDHE) key
  exchange, used by modern clients and servers.
- Zorp now supports ephemeral Diffie-Hellman (DHE) key exchange, used by
  older clients and servers.
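After upgrading, an operator will want to confirm that the proxy really sends its intermediate CAs and negotiates a forward-secret key exchange. The checker below is an added example, not Zorp's own code: it parses a CONSTRUCTED transcript in the layout `openssl s_client -showcerts` prints (" N s:" / "   i:" chain lines and the "Cipher is ..." summary) and reports chain linkage and PFS. Whether client-initiated renegotiation is refused is not visible in such a transcript and must be checked separately.

```python
"""Assess an `openssl s_client -showcerts` transcript for the 6.0.10 TLS
properties: intermediates sent (linked chain) and forward-secret cipher."""
import re

# Constructed sample transcript; the names are placeholders, not real output.
SAMPLE = """\
Certificate chain
 0 s:/CN=proxy.example.test
   i:/CN=Example Issuing CA
 1 s:/CN=Example Issuing CA
   i:/CN=Example Root CA
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
"""


def parse_chain(transcript):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    subjects = re.findall(r"^\s*\d+ s:(.*)$", transcript, re.M)
    issuers = re.findall(r"^\s*i:(.*)$", transcript, re.M)
    return list(zip(subjects, issuers))


def forward_secret(cipher):
    """ECDHE/DHE suites and every TLS 1.3 suite use ephemeral key exchange."""
    return cipher.startswith(("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_"))


def assess(transcript):
    """Summarise chain completeness and key-exchange type for one transcript."""
    chain = parse_chain(transcript)
    match = re.search(r"Cipher is (\S+)", transcript)
    cipher = match.group(1) if match else ""
    # Each certificate after the leaf must be the issuer of the one before it;
    # a chain of length 1 means the server sent no intermediate at all.
    linked = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    return {
        "chain_length": len(chain),
        "intermediates_sent": len(chain) > 1 and linked,
        "cipher": cipher,
        "forward_secrecy": forward_secret(cipher),
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```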
kZorp
- kZorp now supports kernel version 4.4, the new LTS kernel in Ubuntu
  14.04.
Monitoring
- Munin plugins are available for:
  - memory usage of kZorp, which reveals possible memory leaks
  - statistics of the internal hash in kZorp, which reveal possible hash imbalance
  - statistics of internal cache events
Fixes
Critical
- Fixed reference counting problems in kZorp which might cause a kernel
  crash.
- Fixed a race condition in kZorp which might make the host inaccessible.
Moderate
- Fixed the certificate cache of the dynamic certificate generator, which
  might have sent a wrong certificate when the private key was changed in
  the certificate generator.
- Fixed the side-stack chaining mechanism, which caused Python tracebacks.
- Decreased the memory usage of the configuration dump from the kernel by
  the kZorp client (kzorp-client -dzs), which might exhaust memory in case
  of an extremely large number of configuration items (Service, Rule, Zone).
- Fixed a zone lookup failure in case of IPv6 (/128 subnets only), which
  caused Zorp to ignore traffic from/to the Zone.
- Fixed a failure to create the encrypted data channel for the FTP protocol.
Low
- The log level of the kZorp daemon can be set (default is 3). This greatly
  reduces the number of log messages generated by hostname-based Zones.