What's new in Tectia Client/Server/ConnectSecure and Server for IBM z/OS 6.4.7?

The 6.4.7 releases contain the following new features:

Tectia Client, Server and ConnectSecure: the OpenSSL cryptographic library used in FIPS mode was upgraded to version 1.0.1e for Windows, Linux, Solaris and HP-UX (IA-64). Tectia Client, Server and ConnectSecure use only the fipscannister object of the OpenSSL library, and therefore do not contain the Heartbleed vulnerability.

Tectia Server on Windows: It is now possible to export/import the password cache to/from an external encrypted file.

Tectia Server for IBM z/OS: "Load control" (a connection flood DoS attack mitigation feature); and new operations in the JES interface (deleting jobs and displaying the status of all the user's jobs).

All released products also include bug fixes and minor features.

The following includes a summary of the release notes for each product.

Tectia Client/ConnectSecure

New Features:

• Windows, Linux, Solaris, HP-UX(IA-64): Upgraded the OpenSSL cryptographic library used in FIPS mode to version 1.0.1e. The OpenSSL library version 1.0.1e was compiled with -DOPENSSL_NO_HEARTBEATS. Tectia Client, Server and ConnectSecure use only the fipscannister object of the OpenSSL library, and therefore do not contain the Heartbleed vulnerability. HP-UX (PA-RISC) and IBM AIX will continue to use the OpenSSL cryptographic library version 0.9.8. This does not affect Tectia Server for Linux on IBM System z, as the OpenSSL library is not provided.
  

Bug Fixes:

• All Platforms: Active mode for static FTP tunneling no longer fails to work when using IPv4 addresses.
  

• All Platforms: Removed sshg3 options +w/--try-empty-password and -w from the manuals and help, as the feature is no longer supported.

• All Platforms: IPv6-wrapped IPv4 addresses are now rendered correctly in the logs.
  

• Windows: In Tectia Connections Configuration GUI, added an input check to all fields that accept numbers. The accepted range is 1-65535 for port numbers, and 0-2147483647 (0x7fffffff) for other fields.
  

• All Platforms: With ssh-keygen-g3 in FIPS mode, it is now possible to generate DSA keys larger than 1024 bits.
  

• All Platforms: sftpg3 and scpg3 no longer fail to get the current user name when using the option (user=%username%) in a connection profile.
  

• Windows: In Tectia Connections Configuration GUI it is now possible to clear previously added values of "Endpoint domain", "HTTP proxy URL" and "SOCKS server URL".

• Windows: In Tectia Connections Configuration GUI, fixed inconsistent behavior that occurred when adding new LDAP servers.

• Windows: The "Enable endpoint identity check" option in Tectia Connections Configuration GUI had a wrong default value (Ask). It now has the correct default value (Yes).
  

• All Platforms: In scpg3, when transferring a file, if the character code set conversion of the file name fails for some characters, the conversion of the file name is no longer aborted.

• Documentation: References to MFT Events have been removed from the documentation, as this version of the product does not support it.

• Documentation: Minor modifications to the documents.

Bug fixes in Tectia ConnectSecure only:

• All Platforms: IPv6-wrapped IPv4 addresses no longer fail to be tunneled when made via a dual layer socket.

• Windows: In Tectia Connections Configuration GUI, "Connections from public network to private network" for transparent tunneling, the default "IPv4 start address" has been changed from 188.1.1.1 to 198.18.0.1.
  

Tectia Server

New Features:

• Windows: Added the possibility of exporting and importing the Tectia Server's password cache.

• Windows, Linux, Solaris, HP-UX(IA-64): Upgraded the OpenSSL cryptographic library used in FIPS mode to version 1.0.1e. The OpenSSL library version 1.0.1e was compiled with -DOPENSSL_NO_HEARTBEATS. Tectia Client, Server and ConnectSecure use only the fipscannister object of the OpenSSL library, and therefore do not contain the Heartbleed vulnerability. HP-UX (PA-RISC) and IBM AIX will continue to use the OpenSSL cryptographic library version 0.9.8. This does not affect Tectia Server for Linux on IBM System z, as the OpenSSL library is not provided.
  

Bug Fixes:

• All Platforms: Fixed a crash in the Tectia Server when using keyboard interactive with radius authentication when under stress.

• All Platforms: Fixed a race condition that was causing public key authentication to occasionally fail under stress.
  

• All Platforms: Fixed a crash that occurred when Tectia Server was under stress.
  

• All Platforms: Tectia Server under heavy stress will no longer hang when performing public key authentication.

• Windows: In Tectia Server Configuration GUI, added an input check to all fields that accept numbers. The accepted range is 1-65535 for port numbers, and 0-2147483647 (0x7fffffff) for other fields that do not have specific restrictions.

• All Platforms: With ssh-keygen-g3 in FIPS mode, it is now possible to generate DSA keys larger than 1024 bits.

• All Platforms: fixed a memory leak that occurred in Tectia Server when performing public key authentication under certain circumstances.
  

• All Platforms: When Sft_server_fxp_request log messages are enabled, the server will no longer audit unrequested log events.
  

• Documentation: Minor modifications to the documents.

Tectia Server for IBM z/OS

New Features:

• z/OS: Implemented "load control", a connection flood DoS attack mitigation feature that uses a white list of IP addresses. The feature attempts to keep Tectia Server up and running in the face of a Denial of Service attack that tries to use so much of the server's resources that normal service would be disrupted.

• z/OS: Added the following operations to the JES interface of Tectia Server for IBM z/OS: 1) Deleting jobs, 2) Displaying the status of all the user's jobs

Bug Fixes:

• z/OS: Fixed a situation in which under certain conditions, some sshd2 processes were not being shut down after a third-party SSH client was disconnecting.

• All Platforms: Active mode for static FTP tunneling no longer fails to work when using IPv4 addresses.
  

• z/OS: File transfers with an ftadv profile no longer fail with an "invalid code reached" message.

• z/OS: The environment variable _CEE_RUNOPTS is no longer needed when running Tectia client tools for z/OS programs.

• z/OS: When handling JES spool files from a Windows client with sftpg3 or scpg3, the commands "ascii" and "get jobid" no longer fail to convert to ASCII.

• All Platforms: Removed sshg3 options +w/--try-empty-password and -w from the manuals and help, as the feature is no longer supported.

• All Platforms: IPv6-wrapped IPv4 addresses are now rendered correctly in the logs.
  

• All Platforms: sftpg3 and scpg3 no longer fail to get the current user name when using the option (user=%username%) in a connection profile.
  

• All Platforms: IPv6-wrapped IPv4 addresses no longer fail to be tunneled when made via a dual layer socket.
  

• z/OS: Removed an obsolete file (ssh-broker-config-example-ftp-sftp.xml) from the packages.
  

• All Platforms: In scpg3, when transferring a file, if the character code set conversion of the file name fails for some characters, the conversion of the file name is no longer aborted.

• z/OS: When configuring the IPv6 listener of Tectia Server with zones and within brackets, Tectia Server will no longer refuse to start.
  

• Documentation: Minor modifications to the documents.

For further information about the products and changes between the different versions, and instructions on how to update the product, see the customer documentation and release notes at the SSH product documentation site.