Release Notes 7.0.4
Oct 24, 2019
Improvements
- Made Zorp compatible with TLS 1.3. This does not mean that Zorp supports TLS
  1.3. Earlier, the Advanced Protocol Recognition (APR) SNI and server
  certificate detector components might have failed if the client initiated a
  TLS 1.3 connection. Now these detectors work with any TLS version, including
  TLS 1.3. In the case of TLS offloading/interception, TLS 1.3 is explicitly
  disabled, so it cannot be used even if the underlying library version
  (OpenSSL >= 1.1.1) would make TLS 1.3 possible with Zorp. This remains the
  behavior until Zorp has explicit TLS 1.3 support, to avoid operational and
  interoperability problems.
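The detector change above concerns how a TLS 1.3 ClientHello looks on the wire: a TLS 1.3 client still sends legacy_version 0x0303 and announces 0x0304 only in the supported_versions extension, while the SNI extension stays where it was. The following added example (not Zorp code; the ClientHello is constructed inline) builds a TLS 1.2 and a TLS 1.3 style ClientHello and shows an SNI detector that reads the host name and the offered versions from either.

```python
import struct

SNI_EXT, SUPPORTED_VERSIONS_EXT = 0, 43
def build_client_hello(server_name, versions=()):
    """Constructed sample ClientHello record (legacy_version is always 0x0303)."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_list = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    if versions:                                                   # absent on a TLS 1.2 hello
        vers = b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(vers) + 1) + bytes([len(vers)]) + vers
    body = (b"\x03\x03" + bytes(32) + b"\x00"                      # legacy_version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type 22 = handshake

def parse_client_hello(rec):
    """Return legacy_version, SNI host name and supported_versions from a ClientHello record."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                                          # skip record + handshake headers
    info = {"legacy_version": struct.unpack("!H", rec[p:p + 2])[0], "sni": None, "supported_versions": []}
    p += 2 + 32                                                    # legacy_version, random
    p += 1 + rec[p]                                                # session_id
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]                  # cipher_suites
    p += 1 + rec[p]                                                # compression_methods
    if p >= len(rec):
        return info                                                # no extensions at all
    ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        data = rec[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == SNI_EXT:
            q = 2                                                  # skip server_name_list length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:
                    info["sni"] = data[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        elif etype == SUPPORTED_VERSIONS_EXT:
            info["supported_versions"] = [struct.unpack("!H", data[1 + 2 * i:3 + 2 * i])[0]
                                          for i in range(data[0] // 2)]
    return info

def highest_offered_version(info):
    """TLS 1.3 clients put 0x0304 in supported_versions, never in legacy_version."""
    return max(info["supported_versions"], default=info["legacy_version"])
```

A detector that only inspects the legacy_version field sees 0x0303 for both hellos; the SNI name is available in both cases as long as the extension walk does not stop at an unknown extension.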
Usability
- Reloading a non-running Zorp instance now causes an error. Earlier this error
  was silently suppressed.
Fixes
Moderate
- Fixed the kZorp service starting mechanism. Earlier, when the service was
  started, it could return before Zone-related configurations were downloaded
  to kZorp. This might cause Zorp services to fail to start, as their
  configurations referred to Zones that were not downloaded yet. Now Zorp
  services wait for the Zone download to finish.
Low
- Duplicate CA/CRL directory related attributes were removed. Earlier there
  were (ca|crl)(_verify)?_directory attributes in the CertificateVerifier class
  used in EncryptionPolicy. The usage of the (ca|crl)_directory attributes was
  heavily memory intensive, and the CA/CRL files were loaded at the setup time
  of the EncryptionPolicy, while the (ca|crl)_verify_directory attributes are
  moderately CPU intensive and load the CA/CRL files on demand. Considering
  that the latter version has many more advantages than disadvantages, the
  former version was removed and is now automatically converted to the latter.
- Use DH parameters defined in RFC 3526 instead of generating a custom one.
  Earlier, during the installation of Zorp, a DH parameter was generated, which
  might take a long time when entropy is lacking. Now the 4096-bit DH parameter
  is based on RFC 3526.