Update the cryptographic strength of key exchange to 128 bits on communication between Security Servers, and between the operational monitoring daemon and client. Introduce a whitelist setting to configure the accepted cipher suites on Security Server. The change is backwards compatible - when Security Server version >= 6.19.0 communicates with a version <= 6.18.0, the old cryptographic strength of key exchange (< 128 bits) is used.
After the improvement, Security Server meets the Finnish Communications Regulatory Authority's (FICORA) technical requirements for transferring ST IV classified information (in the Finnish data classification system).
N.B.! On Red Hat Enterprise Linux 7 (RHEL7), support for the new configuration requires RHEL 7.3 or newer.
Log a warning in Security Server's proxy.log when the number of timestamped records reaches 70% of timestamp-records-limit. The warning indicates to the Security Server administrator that the value of timestamp-records-limit should be increased.
Store X-Road version information in a platform independent way. Version information is available for X-Road components even if installation packages have not been installed, e.g. running Security Server in a Docker container.
Fix an error that caused global configuration to return outdated data in a federation setup. The error is rare and can occur in a situation where two federated instances are started up after they have both been shut down long enough for global configuration to expire.
Fix error in operational monitoring regarding measuring the processing time of requests - time that is consumed between sending out a request and receiving a response. The previous logic might have caused operational monitoring to return incorrect and even negative values.
Improve messagelog time-stamping so that messagelog records are always verifiable regardless of the number of processed messages and Security Server’s load. When the number of messages to time-stamp reaches the maximum value, batch time-stamping cycle is repeated until the number of time-stamped records is lower than timestamp-records-limit.
Add support for extracting a message from ASiC container when verification of the container fails. The improvement enables extraction of messages from ASiC containers when SOAP payload is not logged in messagelog database.
Set a timeout value for the SSL handshake when establishing a connection between Security Servers. Previously, the Security Server could wait forever for the SSL handshake to complete after the TCP connection was set up.
Asicverifier's version number follows the Security Server's version number. Until now asicverifier's version number has been 1.0 and it has not changed even if the component has been updated. Starting from v6.20.0 asicverifier officially supports the matching Security Server version number. In addition, the version number is dropped from the jar filename, and a new command line option (--version) is introduced.
Remove NTP dependency from X-Road packaging. NTP is no longer automatically installed together with Central Server, Security Server and Configuration Proxy packages. Administrators are free to choose the time syncing mechanism they want to use.
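The SSL handshake timeout entry above, illustrated as an added example (not X-Road's own code): a client that bounds the handshake separately from the TCP connect, run against a constructed local peer that accepts the connection and then stays silent. The function names, the loopback listener and the timeout values are assumptions made for the illustration.

```python
import socket
import ssl
import threading


def start_silent_listener():
    """Constructed peer: completes the TCP connect, then never sends a TLS byte."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(5)
    held = []                           # keep accepted sockets open (no EOF)

    def accept_loop():
        try:
            while True:
                held.append(srv.accept()[0])
        except OSError:
            pass                        # listener was closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def tls_connect(host, port, handshake_timeout):
    """Return 'ok', or 'handshake-timeout' if the peer stalls after TCP setup."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=5)   # TCP connect timeout
    # Bound the handshake separately; settimeout(None) here would block forever.
    raw.settimeout(handshake_timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host, do_handshake_on_connect=False)
    try:
        tls.do_handshake()              # ClientHello goes out, then wait for ServerHello
        return "ok"
    except socket.timeout:              # alias of TimeoutError on Python 3.10+
        return "handshake-timeout"
    finally:
        tls.close()                     # release the descriptor either way


if __name__ == "__main__":
    listener, port = start_silent_listener()
    print(tls_connect("127.0.0.1", port, handshake_timeout=1.0))
    listener.close()
```

Without the `settimeout` call on the connected socket, each stalled peer would hold a thread and a file descriptor indefinitely, which is the condition the fix removes.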
Issue types: fix (bug fix or technical debt), improvement (improvement to an existing feature), new (a new feature).
deb https://artifactory.niis.org/xroad-release-deb bionic-<version> main
deb https://artifactory.niis.org/xroad-release-deb trusty-<version> main