================================================================================
Fixes in Sterling Secure Proxy (SSP) 3.4.3.0 iFix1 - July 2016
================================================================================

This cumulative maintenance archive includes the GA release of SSP Engine 3.4.3.0
and SSP Configuration Manager 3.4.3.0 plus the fixes for the issues mentioned below.

Contents:

I.   HIPER fixes / Fixes requiring Action by iFix
II.  Summary of Fixes by iFix/APAR (Latest iFix / FixPack first)
III. Detailed Description of Fixes

===============================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
===============================================================================

In iFix1 (July 2016):

Action - SFTP HMACs hmac-sha256 and hmac-sha512 renamed to hmac-sha2-256 and
hmac-sha2-512, respectively. See RTC492052 for details.

===============================================================================
II. Summary of Fixes by iFix/APAR (Latest iFix / FixPack first)

Fixes are marked as Engine and CM (Configuration Manager)
===============================================================================

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Build 29 (July 2016)
===============================================================================

RTC492052/IT13855 (CM,Engine) - (SFTP) Sha2 connections fail due to mismatched MAC names
RTC494013/IT15074 (Engine) - (HTTP) Client is not receiving the 500 Error message from SSO login failure
RTC495433/IT14514 (CM) - manageKeyCerts import fails with java.lang.NullPointerException
RTC496040/IT15910 (Engine) - SFTP client script causes FIN_WAIT2 on SSP server
RTC496133/IT15041 (Engine) - Session starts rejected in PS due to "too many open files", or "max concurrent circuits reached"
RTC496371/IT14589 (Engine) - (SFTP) Key-only authentication failing when mapped password not present
RTC496962/IT16065 (Engine) - CD Adapter failures causing high CPU on Engine, Max concurrent circuits reached:4096 on PS
RTC492949/IT15184 (Engine) - (SFTP) Getting DH_GEX group out of range
RTC497030/IT14809 (Engine) - (CD) SSP handshake failure with CDSA after upgrading to SI 5.2.6.1.
RTC497033/IT14757 (Engine) - Dummy object unmarshalling error for PerimeterServerConfig
RTC497092/IT14615 (Engine) - Engine Shutdown issue
RTC500069/IT15063 (Engine) - SFTP transfers stalling at 627MB or the sftp_rekeycount limit in the adapter.
RTC501172/ (CM) - CM ManagedAccepterService fails to startup causing logins to fail
RTC501513/IT15516 (CM) - Vulnerability issues found with SSPcm HTTP Headers
RTC501735/IT15517 (Engine) - (SFTP) Key Exchange Exception encountered when FIPS enabled
RTC502844/IT15531 (CM) - Unable to import PKCS12 SHA2 certs using configureCmSsl utility
Logging Improvement (Engine) - C:D certificate failure logging improvements
RTC503126/IT15568 (CM) - (REST API) Unable to create CM user who uses External Authentication
RTC503895/IT15606 (CM) - (REST API) Delete Netmap Node entry request returns success but the node still exists
RTC504462/IT15808 (PS) - Installation of SSP Perimeter Server package creates a single Windows Service, and starting/shutting down the PS service starts/stops all of them
RTC505702/IT16080 (CM) - Enhancements to password policy rules

===============================================================================
III. Detailed Description of Fixes (in Defect ascending order)

Fixes are marked as Engine, CM (Configuration Manager), and PS (Perimeter)
===============================================================================

RTC492052/IT13855 (CM,Engine) - (SFTP) Sha2 connections fail due to mismatched MAC names

Customer was attempting to configure their SFTP to use HMACs of 256 or higher. SFTP handshakes were getting a mismatch of the HMAC algorithm names. SSP was presenting "hmac-sha256" and "hmac-sha512", but should have been using "hmac-sha2-256" and "hmac-sha2-512".

Resolution: Now properly present the "hmac-sha2-256" and "hmac-sha2-512" HMAC names.

Action: If you have previously selected the "hmac-sha256" or "hmac-sha512" HMACs in the adapter Security tab or the netmap node Security tab, they will be de-selected during this upgrade, and you must reselect the "hmac-sha2-256" and/or "hmac-sha2-512" HMACs.
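As an added example (not SSP code), the following Python parses an SSH_MSG_KEXINIT payload and flags offered MAC names that are not in the IANA registry, mapping the two pre-fix spellings above to their hmac-sha2-* names; it is the kind of check that surfaces the mismatch this fix corrects. The sample payload is constructed inline, and the registry name set is assumed to be the RFC 4253 / RFC 6668 list.

```python
import struct

SSH_MSG_KEXINIT = 20
# MAC names registered for SSH (RFC 4253 and RFC 6668); assumed complete for this check.
IANA_MAC_NAMES = {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96",
                  "hmac-sha2-256", "hmac-sha2-512"}
# The pre-fix SSP spellings mapped to the names the fix now presents.
RENAMED = {"hmac-sha256": "hmac-sha2-256", "hmac-sha512": "hmac-sha2-512"}
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Split an SSH_MSG_KEXINIT payload (RFC 4253 s7.1) into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 17  # 1-byte message id followed by the 16-byte cookie
    lists = {}
    for name in FIELDS:
        (length,) = struct.unpack("!I", payload[pos:pos + 4])
        pos += 4
        text = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[name] = [n for n in text.split(",") if n]  # empty name-list -> []
    return lists

def nonstandard_macs(payload: bytes) -> dict:
    """Map each offered MAC name not in the IANA registry to its standard name (or None)."""
    lists = parse_kexinit(payload)
    found = {}
    for direction in ("mac_c2s", "mac_s2c"):
        for mac in lists[direction]:
            # Vendor extensions carry an @domain suffix and are out of scope here.
            if mac not in IANA_MAC_NAMES and "@" not in mac:
                found[mac] = RENAMED.get(mac)
    return found

def build_kexinit(name_lists: list) -> bytes:
    """Construct a KEXINIT payload from ten name-list strings (sample input only)."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie; fine for a sample
    for s in name_lists:
        body += struct.pack("!I", len(s)) + s.encode("ascii")
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

# Constructed sample resembling what a pre-iFix1 SSP SFTP adapter would offer.
SAMPLE = build_kexinit(["diffie-hellman-group-exchange-sha256", "ssh-rsa",
                        "aes128-cbc", "aes128-cbc", "hmac-sha256,hmac-sha1",
                        "hmac-sha512,hmac-sha1", "none", "none", "", ""])
```

Running nonstandard_macs(SAMPLE) reports both legacy names with their replacements; an empty result means every offered MAC uses a registered name.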
RTC492949/IT15184 (Engine) - (SFTP) Getting DH_GEX group out of range

Customer running with a newer OpenSSH command line client was getting "DH_GEX group out of range" during session initialization.

Resolution: Updated the SFTP Maverick toolkits to SSHD 1.6.17 (front end server side) and J2SSH 1.6.15 (back end client side) for more advanced Diffie-Hellman key negotiation.

RTC494013/IT15074 (Engine) - (HTTP) Client is not receiving the 500 Error message from SSO login failure

An HTTP client logging onto the SSO portal and then onto Sterling File Gateway gets a blank screen instead of a 500 error message when the login fails.

Resolution: Added the text "Internal Server Error" to the message body of the 500 error response and pass it back to the user on login failure.

RTC495433/IT14514 (CM) - manageKeyCerts import fails with java.lang.NullPointerException

The manageKeyCerts.sh utility fails with "Unexpected exception: java.lang.NullPointerException" when attempting to import a PKCS12 keycert into an HSM.

Resolution: Changed manageKeyTool to persist imported keys by saving off the private key.

RTC496040/IT15910 (Engine) - SFTP client script causes FIN_WAIT2 on SSP server

When the SFTP proxy adapter times out on the client, the socket connection stays in the FIN_WAIT2 state.

Resolution: Modified the code related to close functionality.

RTC496133/IT15041 (Engine) - Session starts rejected in PS due to "too many open files", or "max concurrent circuits reached"

After several hours or days of running, the Perimeter Server can get the message "Too many open files" or "Max concurrent circuits reached: size is:4096", and all incoming connections are rejected. The C:D adapter was not closing the connections from the load balancer heartbeat pings correctly, causing an accumulation of circuits in the PS and leftover file descriptors showing up in an lsof listing. Customers with a ulimit of 1024 for max open files per user will get the former message, while others will get the latter.
Resolution: Updated the C:D adapter code to better handle a load balancer ping operation which does not do a clean close of the socket after connecting. These connections should get cleaned up by the Java garbage collector over time. The Customer should also set the kernel ulimit max open files value to 4096 or higher to allow time for the normal recycling of the load balancer ping sockets.

RTC496371/IT14589 (Engine) - (SFTP) Key-only authentication failing when mapped password not present

If an SFTP policy is configured to use a mapped routing key name from SEAS to connect to the backend server, a NullPointerException can occur if the user does not have a mapped password defined. When attempting to connect to the SSP SFTP adapter, the user will not be able to log in, and the following exception will occur in the adapter log:

    java.lang.NullPointerException
        at java.lang.String.
        at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.registerBackend
        at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.logonUserHelper
        at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.logonUser
        at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.verifyPassword
        at com.sterlingcommerce.cspssh.daemon.SftpAccessInstance.verifyPassword

Resolution: Now correctly handle the situation where SEAS returns a mapped routing key name but not a mapped password.

RTC496962/IT16065 (Engine) - CD Adapter failures causing high CPU on Engine, Max concurrent circuits reached:4096 on PS

When the C:D adapter recovers from a connection failure to the More Secure Perimeter Server, it restarts its listener on the inbound PS but no longer services connections coming in. As the load balancer continues to hit the CD port, this can lead to a "Max concurrent circuits reached: 4096" error on the PS and all inbound traffic being turned away.
Resolution: Corrected the recovery logic in the CD adapter to ensure that the inbound listener is brought up and the adapter continues to service connections.

RTC497030/IT14809 (Engine) - (CD) SSP handshake failure with CDSA after upgrading to SI 5.2.6.1.

SI/B2Bi 5.2.6.1 uses the fix provided in the IBM JRE (JSSE) to break up packets when using CBC cipher suites and TLS 1.0. The short packet during the initial FMH 68/72 exchange was causing SSP to issue the message "CSP900E Logged Exception : Invalid Connect:Direct FMH".

Resolution: Now handle SSL fragmentation caused by the remediation for the CBC BEAST TLS 1.0 PSIRT advisory.

Workaround: There are 2 known workarounds to this problem:
1) Switch to using TLS 1.2 between SSP and SI, as the BEAST "fix" only gets used with TLS 1.0.
2) Update the SI 5.2.6.1 startup script(s) to add "-Djsse.enableCBCProtection=false" in the Java startup line(s).

RTC497033/IT14757 (Engine) - Dummy object unmarshalling error for PerimeterServerConfig

During a configuration push from the CM to the engine, multiple "java.lang.RuntimeException: Problem with reflection based marshalling" errors occur. Invalid data was being passed to the SSP Engine Converter method.

Resolution: Added logic to detect when invalid data is passed into the converter method and handle it properly.

RTC497092/IT14615 (Engine) - Engine Shutdown issue

Customer could not shut down the SSP engine from the command line using either "stopEngine.sh mode=auto" or the regular "./stopEngine.sh".

Resolution: Added logic to the SSP code base so that the TLS protocol is no longer hard-coded for the SSP engine shutdown module.

RTC500038/IT15916 (Engine) - Intermittent failures with concurrent SSL handshakes

Customers experiencing intermittent failures during SSL handshaking in CD, FTP, or HTTP sessions.
A PEMHelper utility class which feeds certificates to the SSL/TLS handshake process had objects defined in such a way that they were not thread-safe, causing unpredictable outcomes when multiple sessions were attempting to do simultaneous handshakes.

Resolution: Corrected the objects in the PEMHelper class to be thread-safe.

RTC500069/IT15063 (Engine) - SFTP transfers stalling at 627MB or the sftp_rekeycount limit in the adapter.

Under certain circumstances, the rekey limit is causing SFTP transfers to stall. The sftp_rekeycount property defaults to 20000, which allows 20k packets to flow before requesting a new key exchange. However, the SSP FTP daemon and the SSH Maverick toolkit are both keeping track of the packet count, which can cause a hang when both request a rekey at the same time.

Resolution: Turned off requesting rekey operations on the back end session to SI within the SFTP adapter. Added a new property, sftp_backend_rekeycount, with a default of zero, to specify the number of packets between rekeys on the backend session to SI, in case a Customer needs to turn it back on.

RTC501172/ (CM) - CM ManagedAccepterService fails to startup causing logins to fail

There was an internal error during startup of the CM and the internal ManagedAccepterService never came up, which caused logins to fail.

Resolution: Added the ManagedAccepterService to the list of global services so it would start sooner in the process.

RTC501513/IT15516 (CM) - Vulnerability issues found with SSPcm HTTP Headers

The SSP CM is missing the following HTTP security headers:

    Cache-Control: no-cache,no-store
    Pragma: no-cache
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1

Resolution: Added the missing HTTP security headers to the SSP CM.

RTC502844/IT15531 (CM) - Unable to import PKCS12 SHA2 certs using configureCmSsl utility

CmSslConfigTool was unable to successfully import PKCS12 certificates.
Resolution: Added logic that allows the public certificate to be extracted from the PKCS12 into the SSP CM truststore.

Logging Improvement (Engine) - C:D certificate failure logging improvements

Trusted certificates that contain comments or too many characters on a line may not be parsed by SSP 3.4.2, even though they worked in SSP 3.4.1.

Resolution: Added code so that if SSP fails to parse a trusted certificate, the name of the offending certificate is logged.

RTC503126/IT15568 (CM) - (REST API) Unable to create CM user who uses External Authentication

When using the SSP REST API to create a new CM user that uses external authentication, an error will occur if a password is not specified. Since authentication is done externally, a password should not be required in SSP.

Resolution: The SSP REST API code has been changed so that passwords are not required for new CM users that use external authentication.

RTC503895/IT15606 (CM) - (REST API) Delete Netmap Node entry request returns success but the node still exists

When using the SSP REST API to delete a C:D netmap node, and the node being deleted is referenced by another node's ACL, the REST API will return a successful response, but the node will not be deleted.

Resolution: The SSP REST API code has been updated to return a meaningful error message if a node cannot be deleted because it is referenced by another node's ACL.

RTC504462/IT15808 (PS) - Installation of SSP Perimeter Server package creates a single Windows Service, and starting/shutting down the PS service starts/stops all of them

After installing a more secure perimeter server, it is possible that the Windows service used to start and stop the perimeter server will be named using the wrong port number. If this new Windows service name overwrites an existing service, the perimeter server corresponding to the old Windows service cannot be started.
Resolution: The code has been changed so that the name of the perimeter server always contains the port number that the SSP Engine will listen on. This guarantees that the Windows Service name corresponds to the correct server.

RTC501735/IT15517 (Engine) - (SFTP) Key Exchange Exception encountered when FIPS enabled

With FIPS mode enabled in SSP, a null pointer exception can occur if the group-exchange-sha256 key exchange algorithm is enabled in the outbound netmap node.

Resolution: Code has been added so that SSP can use the group-exchange-sha256 key exchange algorithm, in FIPS mode, for connections to the backend server.

RTC505702/IT16080 (CM) - Enhancements to password policy rules

Resolution: Now allow the SSP CM admin to specify the allowed special characters and also to specify the number of consecutive repeating characters within a new password string.
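An added illustration, not SSP's own implementation, of the two rules RTC505702 makes configurable: an allowed special-character set and a cap on consecutive repeating characters. The rule names, defaults and the extra minimum-length rule are assumptions.

```python
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    # Assumed defaults; SSP CM exposes the last two as admin-configurable settings.
    min_length: int = 8
    allowed_specials: str = "!@#$%^&*()_-+="
    max_consecutive_repeat: int = 2   # "aa" passes, "aaa" fails when set to 2

def longest_run(s: str) -> int:
    """Length of the longest run of a single character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best

def check_password(pw: str, policy: PasswordPolicy) -> list:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("too short")
    # Anything that is neither alphanumeric nor in the configured special-character set
    bad = sorted({c for c in pw if not c.isalnum() and c not in policy.allowed_specials})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    if longest_run(pw) > policy.max_consecutive_repeat:
        problems.append("too many consecutive repeating characters")
    return problems

# Constructed sample passwords exercising each rule
SAMPLES = ["Pr0xy!Secure", "Pr0xy<Secure", "Paaassw0rd!"]
```

Calling check_password on each entry of SAMPLES with the default PasswordPolicy yields no violations for the first, a disallowed-character violation for the second and a repeating-character violation for the third.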