Release Notes for Tectia ConnectSecure 6.4.3
---------------------------------------------

12 June 2013

(C) 2013 SSH Communications Security Corporation
This software is protected by international copyright laws.
All Rights Reserved.

Table of Contents

1. About This Release
2. New Features
3. Bug Fixes and Minor Features
4. Known Issues
5. Further Information

1. About This Release
-----------------------

The 6.4 release for ConnectSecure is declared a Feature Release and is
supported for 2 years from the release date of 6.4.0. The goal of a
Feature Release is to become the next Long Term Supported (LTS) release
by adding all required features over multiple maintenance releases. Once
this version is considered feature complete, the second digit of its
version number will change and it will be declared LTS. Once the version
is tagged as LTS, its maintenance releases will only contain fixes to
critical bugs, and in the case of ConnectSecure it will be supported for
2 more years.

This release is based on Tectia ConnectSecure 6.4.0. Items addressed in
this release are listed under the "6.4.3" sections.

Special items for this release are:

. Fixed critical bugs.

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x
products before installing Tectia 6.4 products. For the installation
instructions, refer to the Tectia Server Administrator Manual.

2. New Features
-----------------

The following new features have been implemented in Tectia ConnectSecure:

New Features in 6.4.2
---------------------

- All Platforms: Added the possibility to show the SFTP server banner to
  the FTP client when connecting using FTP-to-SFTP Conversion.

- All Platforms: Added an "endpoint identity check" option to the server
  authentication CA certificate settings, with options to ask, deny or
  accept a certificate when the host name does not match the
  certificate's host name. Note that accepting a mismatched certificate
  defeats the purpose of the check; outside of testing, use deny (or ask
  for interactive sessions).

- Solaris 11 SPARC: New installation packages available for Oracle
  Solaris 11 (SPARC).
- Solaris 11 x86-64: New installation packages available for Oracle
  Solaris 11 (x86-64).

New Features in 6.4.0
---------------------

- All platforms: Added support for agent protocol versions 1 and 2 on the
  client side (the server side already supported them).

- All Platforms: Added TCP and FTP Transparent Tunneling support for IPv6.
  Note that FTP-SFTP Conversion still does not work with IPv6 addresses.

- All Platforms: scpg3, sftpg3 and FTP Conversion now report the JOBID
  when dealing with SITE Filetype=JES. Refer to the documentation for how
  to obtain the JOBID with older Tectia clients or with third-party
  clients.

3. Bug Fixes
--------------

The following fixes have been implemented in Tectia ConnectSecure:

Bug Fixes in 6.4.3
------------------

- Windows: Enabled compatibility with third-party, non-standard
  implementations of GSSAPI authentication.

- All Platforms: An IPv4 listener is no longer created when opening IPv6
  Transparent FTP tunnels.

- Unix: Fixed Transparent FTP tunneling and FTP-SFTP conversion. They no
  longer fail on certain FTP clients when using IPv4 and IPv6 addresses.

Bug Fixes in 6.4.2
------------------

- All Platforms: In the file transfer clients, the ASCII and character
  set conversion related SITE commands to Tectia SSH Server for IBM z/OS
  now work against all versions of Tectia SSH Server for IBM z/OS.

- Windows: In Tectia Connections Configuration, transparent tunnel filter
  rules are now saved when the start address for public-to-private
  network connections is not defined.

- All Platforms: Fixed a memory leak in ssh-broker-g3 and ssh-servant-g3.
  The leak occurred in certain cases when GSSAPI authentication was used.

- Windows: In Tectia Connections Configuration, when managing CA
  certificates, a new field in the CA certificates table displays the
  certificate name.

- All Platforms: It is now possible to set the remote newline convention
  in FTP-SFTP conversion when performing ASCII file transfers.
- All Platforms: The SSH_SFTP_CMD_GETPUT_MODE environment variable works
  again.

- All Platforms: The End-User License Agreement (EULA) has been updated
  to reflect the new company name.

- All Platforms: Tectia Client, Server and ConnectSecure executables no
  longer fail to start when invoked using the relative path ./.

- All Platforms: The scpg3 option "-a" no longer fails to do ASCII
  conversion.

- All Platforms: The Broker acting as a SOCKS proxy no longer leaves
  connections in CLOSE_WAIT state.

Bug Fixes in 6.4.1
------------------

- All Platforms: In the file transfer clients, the ASCII and character
  set conversion related SITE commands to Tectia SSH Server for IBM z/OS
  now work against all versions of Tectia SSH Server for IBM z/OS.

- Windows: In Tectia Connections Configuration, transparent tunnel filter
  rules are now saved when the start address for public-to-private
  network connections is not defined.

Bug Fixes in 6.4.0
------------------

- Windows: When executing remote commands and external programs, the
  standard error of the command is no longer redirected to standard
  output.

- All platforms: The Broker no longer crashes when running in SOCKS proxy
  mode and falling back to plain.

- Windows: Tectia Client on the Windows Command Prompt no longer ignores
  errors when sending terminal data to the server, so characters are no
  longer lost for this reason.

- Windows: Improved the efficiency of typing commands to Tectia Client on
  the Windows Command Prompt.

- Windows: The option "Connection made from public to private network"
  for Transparent Tunnels no longer fails.

- All Platforms: The SSH_SFTP_CMD_GETPUT_MODE environment variable works
  again.

- All Platforms: The End-User License Agreement (EULA) has been updated
  to reflect the new company name.

- All Platforms: Tectia Client, Server and ConnectSecure executables no
  longer fail to start when invoked using the relative path ./.

4. Known Issues
-----------------

The following issues are currently known to exist in Tectia ConnectSecure:

- Unix/Linux: When logged in to the SSH Tectia Server, an executable will
  fail to start if any parent of the current working directory is not
  readable and a relative path is used to refer to the executable.

- All Platforms: FTP-SFTP Conversion does not support IPv6.

- All Platforms: The use of IPv6 addresses in certificates is not yet
  supported.

- Unix: If OpenSSL 0.9.8 is installed on the host where Tectia Server is
  installed, Tectia Server may fail when using PAM with software that
  uses that OpenSSL library. Workaround if FIPS mode is not used: rename
  the libcrypto.so.0.9.8 found under /opt/tectia/sshlib to another name
  (note that this makes FIPS mode unusable).

- Solaris: On some Solaris configurations the ssh-capture tool does not
  function without configuring the operating system. The runtime linking
  environment must be adjusted to honor the LD_PRELOAD environment
  variable. See the crle(1) manual page for details.

- Windows: If the installation fails with the error message "An error
  occurred during the installation of assembly component
  {B708EB72-AA82-3EB7-8BB0-D845BAB35C93D}. HRESULT: 0x80070BC9", use
  Windows Update to install the required operating system updates.

- AIX: Executables are now compiled as 64-bit. For PAM to work, the
  operating system must point to the 64-bit versions of the PAM libraries
  instead of the 32-bit versions.

- AIX: Entrust certificates are no longer supported on AIX platforms.

- Solaris: To compile the Java API, the following environment variable
  must be set: "LD_LIBRARY_PATH=/opt/tectia/lib/shlib"

- All platforms: Extra checks are done when starting Tectia Server and
  the Connection Broker in FIPS mode, due to the OpenSSL FIPS crypto
  library health check. This leads to a noticeable delay in process
  start-up on slow machines.

- Windows: The --summary-format newline option '\n' does not work on
  Windows.
- All platforms: ssh-keygen always uses the default location of the
  UserConfigDirectory if no path is specified.

- Linux SE: If the common package is installed with SELinux disabled, the
  following warning messages are given during the installation:

    /usr/bin/chcon: can't apply partial context to unlabeled file
    /opt/tectia/lib/shlib/libicudata.so.40
    /usr/bin/chcon: can't apply partial context to unlabeled file
    /opt/tectia/lib/shlib/libicuuc.so.40

  These can be safely ignored. However, if SELinux enforcing mode is
  enabled after the installation, the following command needs to be
  executed:

    /usr/bin/chcon -t textrel_shlib_t /opt/tectia/lib/shlib/*.so

- Windows: A password cannot be specified in a file with the --password
  command-line option.

- Windows: Uploading files from the "Upload Dialog" of the GUI file
  transfer tool does not work when "Hide extensions for known file types"
  is enabled in Windows Explorer. Workaround: Enable file extensions.
  This issue will be fixed in an upcoming maintenance release.

- Linux on IBM System z: The FIPS 140-2 compliant cryptographic library
  is not included in the installation package. For FIPS compliant AES,
  3DES and SHA algorithms, use the cryptographic hardware provided by the
  System z architecture. Cryptographic acceleration is enabled in Tectia
  by default.

- Windows Vista: When using an evaluation version of Tectia Client and
  trying to import a commercial license on Windows Vista, the operation
  fails. Workaround: Manually copy the license file to the licenses
  directory under
  "%ProgramFiles%\SSH Communications Security\SSH Tectia\SSH Tectia AUX\licenses"

- All platforms: In scpg3 and sftpg3, the command-line options +C and -C
  for enabling/disabling compression do not work. Compression must be
  enabled/disabled globally or per profile. The command-line options do
  work with sshg3.
- Linux on IBM System z: Due to a system problem in older s390 Linux
  kernels, probing for the cryptographic hardware produces an "Illegal
  instruction" signal if no crypto hardware is present. In that case the
  servant or Connection Broker is not able to start. Workaround: Remove
  the cryptographic hardware plugins (*cpacf.so) from the plugin
  directory.

- Windows: When upgrading from a 4.x client, the migrated connection
  profiles do not show up in the profile drop-down menu of the terminal
  client. After restarting the Connection Broker, the migrated profiles
  are shown in the client.

- Unix: All installed Tectia products must be upgraded to 6.0.2 at the
  same time. If some packages are left at 6.0.1 or an older version, they
  will stop working when the 6.0.2 common package is installed.

- All platforms: When creating a filter for transparent tunneling or FTP
  Conversion based on a host name, applications that connect with an IP
  address will not be tunneled (and so connect unprotected), and vice
  versa.

- Linux: mget* cannot be used with the default FTP client included in
  Red Hat Linux releases when there are hidden directories in the
  specified tree.

- Windows: If the "Transparent tunneling" component of Tectia Client or
  Tectia ConnectSecure is installed on a Windows XP computer in a domain
  where firewall exceptions are managed by a group policy, the exceptions
  get changed so that the computer becomes inaccessible from the network.
  Workaround: Edit the exceptions manually so that, for example, the
  server port becomes accessible.

- Windows: The SFTP GUI might cause the existing local copy of a file to
  be partially overwritten in ASCII mode when downloading the file from
  the remote server fails due to missing file permissions.

- All platforms: The scpg3 command shows the wrong transfer time if
  "--statistics=simple" is set.

- Windows: FTP-SFTP conversion against localhost is currently not
  supported on Windows.
- All platforms: When trying to connect to an SSH server that is not
  available (i.e. the server is not running), the error message returned
  by sshg3 is "Unable to connect to Broker". It should be "Unable to
  connect to Server".

- Windows, FTP tunneling or FTP-SFTP conversion: Wrong host information
  is printed to the FTP client if the FTP tunneling or FTP-SFTP
  conversion filter rule uses a profile that specifies a host name. When
  FTP tunneling or FTP-SFTP conversion uses a predefined profile but a
  different host is given to ftp.exe on the command line, the connection
  is correctly made to the host specified in the profile, but the host
  given to ftp.exe is printed instead of the real host obtained from the
  profile.

- Windows: Reconnecting to the previously used connection profile by
  pressing Enter in the Tectia Terminal or File Transfer GUI may fail in
  some cases. Workaround: Select the profile from the menu.

- Windows: The FTP client on Windows may display a "failed to unlink
  workfile" message when using FTP-SFTP conversion. This message can be
  safely ignored. Please refer to:
  http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2000Msgs/3606.mspx?mfr=true

- Windows: Removing a token while it is being read could in some cases
  cause the Tectia Connection Broker to fail.

- Windows: Opening multiple remote tunnels in a profile against OpenSSH
  servers can cause the Tectia Connection Broker to fail.

- Solaris: The installation packages do not detect the underlying Solaris
  architecture, so installation of the x86-64 packages on x86 hardware is
  not prevented. The packages can be installed but they will not work.

- Windows: The SFTP chmod command is not supported against Tectia Server
  running on Windows.

- Unix: Scripts that execute sftpg3 in batch mode get stopped when put
  into the background ("Stopped (tty output)").

- Some HP-UX platforms: Transparent FTP tunneling or FTP-SFTP conversion
  may fail to get the proper FTP client name.
  Workaround: Change the filter rule to match all applications or leave
  the application field empty.

- Unix: If scpg3 is used to copy a file onto itself, the file is
  truncated and the scpg3 command hangs.

- Windows 2003: When using FTP-SFTP conversion on Windows 2003 Server,
  fallback to plain FTP does not work.

- Unix: The 'finger' command does not show the idle time correctly when
  logged in using SFTP.

- All platforms: When FTP-SFTP conversion falls back to plain mode, it
  gives a confusing message:

    Login successful.
    *** FALLBACK TO PLAIN FTP: Unable to connect to server ***

- Windows: In FTP-SFTP conversion, when using a filter based on the host
  name, the FTP client will fail to connect to the FTP server if an IP
  address is used. Workaround: Use the same host name or IP address in
  the filter rules as is used on the command line with the FTP client.

- Windows: When using FTP-SFTP conversion with the "fallback to plain"
  option enabled, active mode FTP does not work.

- Windows: When creating FTP-SFTP conversion filter rules, always specify
  the port unambiguously if fallback mode is set. Filter only the port
  that your application actually connects to; otherwise a session meant
  to be converted can silently fall back to unencrypted FTP.

- Solaris 10: Tectia Server and the FTP-SFTP conversion component of
  Tectia ConnectSecure need to be uninstalled separately from each local
  zone if they were installed to all zones by installing into the global
  zone.

- HP-UX: Starting sshg3, scpg3 and sftpg3 fails if getting the current
  working directory fails.

- Windows: When running sftpg3 in batch mode, the Connection Broker may
  log Broker_channel_process_exit_failed messages with status "Operation
  failed". These are system internal events and do not indicate any
  failure in the file transfer operation.

- Windows: The exit values of scpg3 do not match the values given in the
  documentation in these error situations: connection lost, interrupting
  a file transfer using Ctrl+C, and trying to copy to a directory when
  the destination is not a directory.
  Nevertheless, in all these cases the return value is non-zero.

- All platforms: FTP-SFTP conversion does not show the Tectia Server
  banner message.

- All platforms: scpg3 does not warn about the existence of directories
  when the glob pattern is quoted so that scpg3 expands it itself, for
  example:

    scpg3 "/tmp/testdir/*" user@server:/tmp

  However, the correct warning is displayed if the pattern is left
  unquoted so that the shell expands it before scpg3 runs:

    scpg3 /tmp/testdir/* user@server:/tmp

- All platforms: Certificate validation path construction from LDAP
  fails if the LDAP server requires the ';binary' suffix for the PKI
  binary blob attribute names.

- Windows: If the Connection Broker is started for another user ID using
  the 'runas' command, the user dialogs are shown to the user who started
  the process.

- All platforms: The server creates empty files if a user tries to
  transfer files without the correct server-side permissions. The correct
  error message is displayed.

- Windows: Local TCP tunneling using listener port 0 does not work.

- Windows: The Tectia API for Windows currently contains dynamic
  libraries without any debugging information.

- Windows: When trying to remotely access Unix files whose names contain
  characters that are illegal on Windows (for example *, ? and ~), those
  files cannot be transferred or accessed using relative paths.
  Workaround: Use absolute paths for accessing the files on the remote
  server after escaping the illegal characters.

- Windows: If trying to connect from a Windows GUI client to an OpenSSH
  server with a public key and the option command="ls", the client hangs.
  With the Windows command-line client (sshg3) it works properly.

- Windows: When using regular expressions in filter rules, the dot
  character '.' does not work as expected. For example, when using a
  filter rule for tunneling of telnet.exe with the regular expression:

    '.*.ssh.com'

  the connection will not be tunneled even if the regular expression
  matched the host address. Workaround: Add a '\' in front of each '.'.
  For example, the previous regular expression should be:

    '.*\.ssh\.com'

- All platforms: If a wrong passphrase is provided several times for a
  key, the Connection Broker skips it and proceeds to the next key. If it
  is an OpenSSH key, once it has been skipped because of a decoding
  failure the Connection Broker makes no further attempts to use the key
  on subsequent login attempts. The Connection Broker must be reloaded or
  restarted in order to use that OpenSSH key for authentication again.

- Windows: Secure file transfer speed may be slower against Tectia Server
  on Windows than against Tectia Server on Linux.

- Windows: If multiple concurrent Terminal Services sessions are opened
  for the same user, the sessions share the same Connection Broker
  session. This can cause the user banner and dialog boxes to be
  displayed in the wrong session. Opening several concurrent Terminal
  Services sessions for the same user does not provide secure separation
  of sessions.

- All platforms: After changing the password on a Secure Shell server,
  but before logging in with the new password, the Connection Broker must
  be restarted to close the previous connection, or the user must wait
  for the connection to time out (by default 5 seconds). If this is not
  done, login with the new password will not succeed.

5. Further Information
------------------------

More information can be found in the man pages and in the Tectia
manuals, which are also available at
http://www.ssh.com/index.php/support-overview/product-documentation.html

Additional licenses can be purchased from our online store at:
http://www.ssh.com/
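The known issue above about the '.' character in regular-expression
filter rules has a second consequence worth checking before a rule is
deployed: an unescaped '.' is a single-character wildcard, so a rule such
as '.*.ssh.com' also matches host names that merely look like the
intended domain, and a tunneling or conversion rule then applies to hosts
it was never meant to cover. The following script is an added example
written for this page, not code from Tectia or SSH Communications
Security. It assumes that the filter-rule engine interprets '.' and '\.'
as standard regular-expression syntax (the page itself documents only the
escaping workaround) and uses a constructed list of host names to show
which names each form of the rule accepts.

```python
import re

# Constructed sample host names for the check (not taken from the
# release notes). The first two are the hosts the rule is meant to
# cover; the rest are lookalikes that must not be tunneled.
HOSTS = [
    "gateway.ssh.com",       # intended match
    "ftp.ssh.com",           # intended match
    "gateway-ssh.com",       # lookalike: unescaped '.' matches the '-'
    "gatewayXsshXcom",       # lookalike: no dots in the name at all
    "ssh.com.evil.example",  # different domain; must never match
]

# The rule as written in the known issue, and the escaped form from the
# workaround (assumed here to follow standard regex semantics).
UNESCAPED_RULE = r".*.ssh.com"
ESCAPED_RULE = r".*\.ssh\.com"


def matching_hosts(rule, hosts=HOSTS):
    """Return the host names that `rule` accepts as a whole name.

    fullmatch() is used deliberately: a search()-style match would let
    even 'ssh.com.evil.example' through the unescaped rule, because
    'ssh.com' occurs inside it.
    """
    rx = re.compile(rule, re.IGNORECASE)
    return [h for h in hosts if rx.fullmatch(h)]


def overmatched(rule, intended_suffix=".ssh.com", hosts=HOSTS):
    """Hosts the rule accepts that do not actually end in the intended
    domain suffix, i.e. the names a sloppy rule would tunnel by mistake."""
    return [h for h in matching_hosts(rule, hosts)
            if not h.lower().endswith(intended_suffix.lower())]


def rule_for_suffix(suffix):
    """Build a filter rule for a literal domain suffix with every regex
    metacharacter escaped, so '.' can only match a real dot."""
    return ".*" + re.escape(suffix)


if __name__ == "__main__":
    for label, rule in (("unescaped", UNESCAPED_RULE),
                        ("escaped", ESCAPED_RULE),
                        ("generated", rule_for_suffix(".ssh.com"))):
        print(f"{label:10} {rule!r:18} matches {matching_hosts(rule)}"
              f"  overmatched {overmatched(rule)}")
```

Run it before committing a host-name filter rule: anything listed under
"overmatched" for your rule is a host that would be silently routed
through the tunnel (or, in the reverse case, left out of it), so the
escaped form produced by rule_for_suffix() is the one to use.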