Release Notes for Tectia ConnectSecure 6.3.10
---------------------------------------------

28 February 2014

(C) 2014 SSH Communications Security Corporation
This software is protected by international copyright laws. All Rights Reserved.

Table of Contents

1. About This Release
2. New Features
3. Bug Fixes and Minor Features
4. Known Issues
5. Further Information

1. About This Release
-----------------------

The 6.3 release for ConnectSecure is declared feature complete but is not declared Long Term Supported (LTS). Therefore, it is supported for 2 years from the release date of 6.3.0 (25 June 2012). There will be 6.3 maintenance releases which will fix critical bugs, but no new features will be added to any 6.3 release.

Items addressed in this release are listed under the sections "New Features in 6.3.10" and "Bug Fixes in 6.3.10".

Special items for this release are:

- Added support for Windows 2012 R2 for Tectia Client and Server.
- Fixed critical bugs.

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products before installing Tectia 6.3. For the installation instructions, refer to the Tectia Server Administrator Manual.

2. New Features
-----------------

The following new features have been implemented in Tectia ConnectSecure:

New Features in 6.3.9
---------------------

- Windows: Updated the certificate used for signing the Windows packages. Note that the new certificate uses SHA-2 to verify its signature. Microsoft XP with Service Pack 2 does not support SHA-2 and therefore cannot guarantee the integrity of the certificate (KB968730). For Microsoft Windows Server 2003 with Service Pack 2, to validate the certificate, apply the hotfix described in KB968730.

New Features in 6.3.5
---------------------

- Solaris 11 SPARC: New installation packages available for Oracle Solaris 11 (SPARC).
- Solaris 11 x86-64: New installation packages available for Oracle Solaris 11 (x86-64).
New Features in 6.3.4
---------------------

- All platforms: ssh-keygen-g3 is now able to export private keys in OpenSSH format.

New Features in 6.3.2
---------------------

- Solaris: SSH Tectia Client, Server and ConnectSecure now support Oracle Solaris 11 (x86-64).

New Features in 6.3.0
---------------------

- All Platforms: Added remote FTP Tunnel IPv6 support.
- All Platforms: SSH Tectia Client and Server now support IPv6 ZoneIDs.

3. Bug Fixes
--------------

The following fixes have been implemented in Tectia ConnectSecure:

Bug Fixes in 6.3.10
-------------------

- Windows: GSSAPI authentication no longer fails in certain conditions when the security authentication package is too large.
- Windows: Users are now able to authenticate via GSSAPI when using the host name, the fully qualified domain name or an IP address to define the destination server.
- Documentation: Documented audit messages 3000-3018 that are generated by the Tectia secure file transfer clients.
- All Platforms: Authentication no longer fails when using CAC cards from a manufacturer whose name contains an "&".
- Windows: The C runtime libraries and MFC libraries in the Tectia Client, Server, ConnectSecure and MFT Events MSI packages have been updated to version 9.00.30729.6161.
- Windows: Tectia ConnectSecure no longer fails to transparently tunnel applications that try to connect using IPv4-mapped IPv6 addresses.
- Windows: Fixed a bug in sshg3 which caused occasional hangs when run on Windows 8.

Bug Fixes in 6.3.9
------------------

- Documentation: Documented the sshg3 option "--hostkey-policy".
- Documentation: Documented the sshg3 option "--kip".
- Documentation: Fixed some inconsistencies in the site commands and in the file advice strings.
- All Platforms: Newline conversions in Tectia file transfer clients no longer fail when transferring files to a VShell Server (VanDyke).
- All Platforms: Defining "summary-format" to print the file transfer progress percentage no longer fails when connected to an OpenSSH server.
- All Platforms: File transfers from Tectia Clients no longer crash when transferring files in ASCII mode to a VShell Server (VanDyke).

Bug Fixes in 6.3.8
------------------

- All Platforms: Fixed the ssh-keygen-g3 option -m/--generate-moduli-file.
- All Platforms: Fixed a problem that blocked FTP-SFTP conversion connections. If an FTP-SFTP conversion connection got stuck at a certain stage while establishing the session, all subsequent FTP-SFTP conversion connections were blocked.
- All platforms: Fixed a problem that caused Tectia Client applications (e.g. sshg3/sftpg3/scpg3) to fail intermittently when ssh-broker-g3 was used in the run-on-demand mode.
- All Platforms: Fixed a problem in agent forwarding with certificates. When multiple sessions were open to a remote server and connections to other remote server(s) were initiated from within those sessions, agent forwarding would forward certificates for only one of the connections.
- Windows: Fixed Tectia command-line clients to assume a default window size if they cannot obtain a proper value from the system.
- Windows: Fixed Tectia command-line clients to properly show authentication prompts in nested connections. Previously, when a user had a terminal session to Tectia Server on Windows running in terminal mode "Stream" and within that session the user started a new Tectia Client connection (from the host running Tectia Server), the authentication prompts were not shown properly.

Bug Fixes in 6.3.7
------------------

- Windows: Enabled compatibility with third-party, non-standard implementations of GSSAPI authentication.

Bug Fixes in 6.3.6
------------------

- All Platforms: It is now possible to set the remote newline convention in FTP-SFTP conversion when performing ASCII file transfers.
- Solaris 11: The Java SFT API is no longer missing from the Solaris 11 SDK package.
Bug Fixes in 6.3.5
------------------

- All Platforms: The SSH_SFTP_CMD_GETPUT_MODE environment variable works again.
- All Platforms: The End-user license agreement (EULA) has been updated to reflect the new company name.
- All Platforms: Tectia Client, Server and ConnectSecure executables no longer fail to start when using the relative path ./.
- All Platforms: The scpg3 option "-a" no longer fails to do ASCII conversion.
- All Platforms: The Broker acting as a SOCKS proxy no longer leaves connections in the CLOSE_WAIT state.

Bug Fixes in 6.3.4
------------------

- All Platforms: Files no longer fail to be transferred to local destinations specified by UNC paths.
- All Platforms: SSH Tectia Broker no longer crashes when the connection to the SOCKS listener is disconnected right after establishing the connection.
- All Platforms: SSH Tectia Broker is now able to read the new OpenSSH keys using the new AES encryption format.
- Documentation: The Tectia Client/Server Product Description has corrections in the sections Tectia Solution Components and Secure File Transfer Protocol (SFTP), and in the chapter Authentication.
- Documentation: The company name changed from Tectia Corporation to SSH Communications Security Corporation. The documentation has been updated accordingly.
- Documentation: Specified that when ssh-keygen-g3 generates keys in FIPS mode, the RSA key length should be between 1024 and 16384 bits.
- Documentation: Added the requirement that, to compile and use the SFT Java API on the supported 64-bit operating systems, the Java installation should be 32-bit.
- All platforms: sftpg3 no longer stops executing if reading ssh_sftp_batch_file fails in some situations.
- All platforms: Rewrote the way the real path is found for a given relative path. Previously, if the user did not have permissions to access the current directory, it was not possible to start the Tectia applications.
- All Platforms: Tectia Server no longer busyloops when trying to access a certificate via the PKCS#11 version 2.30 interface.
- All platforms: Fixed the -i option of ssh-keygen-g3. Now, when the key specified by the -i option does not exist, the command reports the error properly.

Bug Fixes in 6.3.2
------------------

- Documentation: Added the requirement that, to compile and use the SFT Java API on the supported 64-bit operating systems, the Java installation should be 32-bit.
- All Platforms: Fixed a deadlock when tunneling multiple requests in transparent FTP tunnels, static tunnels, and when running the Broker as a SOCKS proxy.
- All Platforms: The "hostname from application" option of Transparent TCP Tunneling has been fixed.
- All Platforms: The usage of the %DESTINATION_HOSTNAME% environment variable when doing Transparent TCP Tunneling has been fixed.
- All Platforms: SSH Tectia Broker no longer crashes when it operates in 'socks-proxy' mode and the FTP client disconnects while falling back to plain FTP.
- All Platforms: SSH Tectia Broker no longer crashes when an application uses FTP Transparent Tunneling and an error that needs to be reported occurs while establishing a connection.
- All Platforms: Broker stability improved in cases where the client disconnects due to connecting to a host whose name does not resolve.

Bug Fixes in 6.3.1
------------------

- Documentation: Instructions to rename folders in the SSH Tectia Connections Configuration GUI have been updated.
- Documentation: Tectia Client and ConnectSecure troubleshooting instructions have been improved in the User's Manual.
- Documentation: In FIPS mode, the RSA key length is at least 1024 bits.
- All platforms: X11 forwarding no longer fails to work on SSH Tectia Client and ConnectSecure.
- Windows: The Broker no longer busyloops under certain conditions when the TCP connect timeout is reached.
- All platforms: During file transfer, when streaming is supported but fails, the client will now retry the file transfer using the traditional SFTP protocol.
- All platforms: Tectia file transfer clients will no longer send type and streaming probes if the file transfer server is not from Tectia. The probes were causing the connection to be dropped on some third-party file transfer servers.
- All platforms: The existing sshg3 option --user=USERNAME has been added to scpg3 and sftpg3.

Bug Fixes in 6.3.0
------------------

- Windows: Local and transparent TCP tunneling no longer fail to work on hosts with only IPv4 addresses enabled.
- Windows: The Broker will no longer deadlock when trying to connect to an unresponsive server.
- Windows: Upgrading SSH Tectia ConnectSecure to 6.3.0 will no longer ask you to uninstall SSH Tectia Client, but it will ask you to uninstall SSH Tectia ConnectSecure.
- All Platforms: Transparent TCP Tunnels no longer leak TCP listeners for the lifetime of the tunneled application.
- All Platforms: Both IPv4 and IPv6 listeners are no longer created when transparently tunneling applications.
- Windows: The SSH GUI Client will no longer crash when closing the window.
- Windows: The option "Use Alt as meta key (send Escape)" no longer fails to work.
- Windows: Persistent network resource connections are no longer leaked in some cases when logging in to SSH Tectia Server.

4. Known Issues
-----------------

The following issues are currently known to exist in Tectia ConnectSecure:

- Solaris 11 x86-64: Dropped support for installing the product on Solaris 11 (x86-64) using Solaris 10 (x86-64) installation packages. Installation packages for Solaris 11 (x86-64) must be used instead.
- Unix/Linux: When logged in to the SSH Tectia Server, an executable will fail to start if any parent of the current working directory is not readable and relative paths are used to refer to the executable.
- All Platforms: The usage of IPv6 addresses in certificates is not yet supported.
- All Platforms: The usage of IPv6 addresses in RADIUS authentication is not yet supported.
- All Platforms: The usage of IPv6 addresses in Transparent Tunnels is not yet supported in ConnectSecure.
- Unix: If OpenSSL 0.9.8 is installed on the host where Tectia Server is installed, Tectia Server may fail when using PAM with software that uses that OpenSSL library. Workaround if FIPS is not used: rename the libcrypto.so.0.9.8 found under /opt/tectia/sshlib to another name (note that this will make FIPS mode unusable).
- Solaris: On some Solaris configurations the ssh-capture tool does not function without configuring the operating system. The runtime linking environment must be adjusted to honor the LD_PRELOAD environment variable. See the manual page of crle(1) for details.
- Windows: If the installation fails with the error message "An error occurred during the installation of assembly component {B708EB72-AA82-3EB7-8BB0-D845BAB35C93D}. HRESULT: 0x80070BC9", use Windows Update to install the required operating system updates.
- All platforms: The interactive key/certificate chooser will incorrectly prompt the user for the PIN/passphrase for each instance of tokens, smartcards, PKCS#12 blobs and encrypted private keys without the matching public key before displaying the key selection dialog.
- Windows: Upgrade of ConnectSecure or Client with Transparent TCP Tunneling will fail to install the capture component. Workaround: Uninstall the previous version, reboot, install the new version and reboot.
- All platforms: In FIPS mode, connection handling is slower than in standard mode, especially on slow hosts.
- AIX: Executables are now compiled in 64-bit. For PAM to work, the operating system should point to the 64-bit versions of the PAM libraries instead of the 32-bit versions.
- AIX: Entrust certificates are no longer supported on AIX platforms.
- Solaris: To compile the Java API, the following environment variable must be set: "LD_LIBRARY_PATH=/opt/tectia/lib/shlib"
- All platforms: Extra checks are done when starting Tectia Server and the Connection Broker in FIPS mode due to the OpenSSL FIPS crypto library health check. This will lead to a noticeable delay in the start of the process on slow machines.
- Windows: The --summary-format newline option '\n' does not work on Windows.
- All platforms: The Tectia Configuration Editor and the Terminal GUI on Windows always use the default location of the UserConfigDirectory for loading the .ssh2 files (containing the color and other Windows GUI specific parameters).
- All platforms: ssh-keygen will always use the default location of the UserConfigDirectory if no path is specified.
- Linux SE: If the common package is installed with SELinux disabled, the following warning message will be given during the installation:

    /usr/bin/chcon: can't apply partial context to unlabeled file /opt/tectia/lib/shlib/libicudata.so.40
    /usr/bin/chcon: can't apply partial context to unlabeled file /opt/tectia/lib/shlib/libicuuc.so.40

  This can be safely ignored. However, if SELinux enforcing is enabled after the installation, the following command needs to be executed:

    /usr/bin/chcon -t textrel_shlib_t /opt/tectia/lib/shlib/*.so

- Windows: The password cannot be specified in a file with the --password command-line option.
- Windows: Uploading files from the "Upload Dialog" of the GUI file transfer tool does not work when "Hide extensions for known file types" of Windows Explorer is set to 'yes'. Workaround: Enable file extensions. This issue will be fixed in an upcoming maintenance release.
- Linux on IBM System z: The FIPS 140-2 compliant cryptographic library is not included in the installation package. For FIPS compliant AES, 3DES and SHA encryption algorithms, use the cryptographic hardware provided by the System z architecture. Cryptographic acceleration is enabled in Tectia by default.
- Windows Vista: When using an evaluation version of Tectia Client and trying to import a commercial license on Windows Vista, the operation will fail. Workaround: Manually copy the license file to the licenses directory under "%ProgramFiles%\SSH Communications Security\SSH Tectia\SSH Tectia AUX\licenses".
- All platforms: In scpg3 and sftpg3, the command line options +C and -C for enabling/disabling compression do not work. Compression must be enabled/disabled globally or on a profile basis. The command line options work with sshg3.
- Linux on IBM System z: Due to a system problem in older s390 Linux kernels, probing for the cryptographic hardware produces the "Illegal instruction" signal if no crypto hardware is present. In that case, the servant or Connection Broker is not able to start. Workaround: Remove the cryptographic hardware plugins (*cpacf.so) from the plugin directory.
- Windows: When upgrading from a 4.x client, the connection profiles that were migrated did not show up in the profile dropdown menu on the terminal client. However, after restarting the Connection Broker the migrated profiles will be shown on the client.
- Unix: All installed Tectia products must be upgraded to 6.0.2 at the same time. If some packages are left at 6.0.1 or an older version, they will stop working when the 6.0.2 common package is installed.
- All platforms: When creating a filter for transparent tunneling or FTP Conversion based on a hostname, applications that connect with an IP address will not be tunneled, and vice versa.
- Linux: mget* cannot be used with the default FTP client included in RedHat Linux releases when there are hidden directories in the specified tree.
- Windows: If the "Transparent tunneling" component of Tectia Client or Tectia ConnectSecure is installed on a Windows XP computer in a domain where firewall exceptions are managed by a group policy, the exceptions get changed so that the computer becomes inaccessible from the network. Workaround: Edit the exceptions manually so that, for example, the server port becomes accessible.
- Windows: The SFTP GUI might cause the existing local copy of a file to be partially overwritten in ASCII mode when downloading of the file from the remote server fails due to missing file permissions.
- All platforms: The scpg3 command shows the transfer time wrong if "--statistics=simple" is set.
- Windows: FTP-SFTP conversion against localhost is currently not supported on Windows.
- All platforms: When trying to connect to an SSH server that is not available (i.e. the server is not running), the error message returned by sshg3 is "Unable to connect to Broker". It should return "Unable to connect to Server".
- Windows, FTP tunneling or FTP-SFTP conversion: Wrong host information is printed to the FTP client if the FTP tunneling or FTP-SFTP conversion filter rule uses a profile which specifies a host name. When FTP tunneling or FTP-SFTP conversion uses a predefined profile, but a different host is specified for ftp.exe on the command line, the connection is made correctly to the host specified in the profile, but the host given to ftp.exe is printed instead of the real host obtained from the profile.
- Windows: Reconnecting to the previously used Connection Profile by pressing Enter in the Tectia Terminal or File Transfer GUI may fail in some cases. Workaround: Select the profile from the menu.
- Windows: The FTP client on Windows may display a "failed to unlink workfile" message when using FTP-SFTP conversion. This message can be safely ignored. Please refer to: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2000Msgs/3606.mspx?mfr=true
- Windows: Removing a token while it is being read could in some cases result in Tectia Connection Broker failure.
- Windows: Opening multiple remote tunnels in a profile against OpenSSH servers can cause Tectia Connection Broker to fail.
- Solaris: Installation packages do not detect the underlying Solaris architecture to prevent installation of the x86-64 packages on x86 architecture. The packages can be installed but they will not work.
- Windows: The SFTP chmod command is not supported against Tectia Server running on Windows.
- Unix: Scripts that execute sftpg3 in batch mode get stopped when put into the background (Stopped (tty output)).
- Some HP-UX platforms: Transparent FTP tunneling or FTP-SFTP conversion may fail to get the proper FTP client name. Workaround: Change the filter rule to match all applications or have an empty value.
- Unix: If scpg3 is used to copy a file to itself, the file will be truncated and the scpg3 command hangs.
- Windows 2003: When using FTP-SFTP conversion on Windows 2003 server, fallback to plain FTP is not working.
- Unix: The 'finger' command does not show the idle time correctly when logged in using SFTP.
- All platforms: When FTP-SFTP conversion falls back to plain mode, it gives a confusing message:

    Login successful.
    *** FALLBACK TO PLAIN FTP: Unable to connect to server ***

- Windows: In FTP-SFTP conversion, when using a filter based on the host name, the FTP client will fail to connect to the FTP server if using an IP address. Workaround: Use the same host name or IP address in the filter rules that is used on the command line with the FTP client.
- Windows: When using FTP-SFTP conversion with the "fallback to plain" option enabled, active mode FTP will not work.
- Windows: When creating FTP-SFTP conversion filter rules, always specify the port unambiguously if fallback mode is set. Filter only the port that your application is listening to.
- Solaris 10: Tectia Server and the FTP-SFTP conversion component of Tectia ConnectSecure need to be uninstalled separately from each local zone if they got installed to all zones by installing into the global zone.
- HP-UX: Starting sshg3, scpg3, and sftpg3 fails if getting the current working directory fails.
- Windows: When running sftpg3 in batch mode, the Connection Broker may log Broker_channel_process_exit_failed messages with status "Operation failed". These are system internal events and do not indicate any failure in the file transfer operation.
- Windows: The exit values for scpg3 do not match the values mentioned in the documentation in these error situations: connection lost, interrupting a file transfer using Ctrl+C, trying to copy to a directory when the destination is not a directory. Nevertheless, in all these cases the return value is non-zero.
- All platforms: The FTP-SFTP conversion does not show the Tectia Server banner message.
- All platforms: scpg3 does not warn about the existence of directories when shell globbing is used, for example:

    scpg3 "/tmp/testdir/*" user@server:/tmp

  However, the correct warning is displayed if the scpg3 command is used without globbing:

    scpg3 /tmp/testdir/* user@server:/tmp

- All platforms: The certificate validation path construction from LDAP fails if the LDAP server requires the suffix ';binary' for the PKI binary blob attribute names.
- Windows: If the Connection Broker is started for another user ID using the 'runas' command, the user dialogs are shown for the user who started the process.
- All platforms: The server creates empty files if a user tries to transfer files without correct server-side permissions. The correct error message is displayed.
- Windows: Local TCP tunneling using listener port 0 does not work.
- Windows: Tectia API for Windows currently contains dynamic libraries without any debugging information.
- Windows: When trying to remotely access Unix files that contain illegal Windows characters (for example: *, ? and ~), those files cannot be transferred or accessed if using relative paths. Workaround: Use absolute paths for accessing the files on the remote server after escaping the illegal characters.
- Windows: If trying to connect from a Windows GUI client to an OpenSSH server with a public key and the option command="ls", the client hangs. When performed with the Windows command-line client (sshg3) it works properly.
- Windows: When using regular expressions in filter rules, the dot character '.' does not work as expected. For example, when using a filter rule for tunneling of telnet.exe with the regular expression '.*.ssh.com', the connection will not be tunneled even if the regular expression matched the host address. Workaround: Add a '\' in front of each '.'. For example, the previous regular expression should be: '.*\.ssh\.com'
- All platforms: If a wrong passphrase is provided several times for a key, the Connection Broker skips it and proceeds to the next key. If it is an OpenSSH key, once it has been skipped because of a decoding failure, the Connection Broker makes no further attempts to use the key on subsequent login attempts. The Connection Broker must be reloaded or restarted in order to use that OpenSSH key for authentication.
- Windows: Secure file transfer speed may be slower against Tectia Server on Windows than against Tectia Server on Linux.
- Windows: If multiple concurrent terminal services sessions are opened for the same user, the sessions share the same Connection Broker session. This can cause the user banner and dialog boxes to be displayed to the wrong session. Opening several concurrent terminal services sessions for the same user does not provide secure separation of sessions.
- All platforms: After changing the password on a Secure Shell server, but before logging in with the new password, the Connection Broker must be restarted to close the previous connection, or the user must wait for the connection to time out (by default 5 seconds). If this is not done, login with the new password will not succeed.

5. Further Information
------------------------

More information can be found on the man pages and in the Tectia manuals that are also available at http://www.ssh.com/index.php/support-overview/product-documentation.html

Additional licenses can be purchased from our online store at http://www.ssh.com/.