Dear OpenXPKI Fellows,

it took some days longer but we finally published our next release 3.34 today.

While the release should again work "drop in" with default configurations you might encounter some issues when you have customized OpenXPKI as some internals have changed!

Most notable change is a major rework of the internal PKCS10/x509 parser and the method to build the configuration for the CA part - any SAN must now match the pattern determined by its type so e.g. putting non-domain names into SAN DNS items is no longer possible!

We do not really expect this to affect anybody but we finally removed the drivers for DB2 and the old "MariaDB" driver based on the legacy mysql libraries as well as the support for the old serialization format used in OpenXPKI versions before 3.x.

Full changelog can be found in the release commit and at the end of this mail, packages and docker images are already available from the known servers.

with best regards from the White Rabbits

Oliver


New Features
- `oxi` CLI major rework: new commands, support for complex payloads
  and much improved error handling
- Cryptographic chain validation added to EvaluateSignerTrust
- Authentication::Base::map_role now accepts an array of roles and uses the
  first one that matches the role_map
- New Moose types for SAN/Email/IP validation, RelativeDate and X509CertObject
- New database TLS option system.database.main.tls
- Complete rewrite of the ReadTheDocs documentation
- New module for metadata managment (EE only)
- New workflow persister mode "inline"
- New status page activities: alias and CRL status, certificate and
  workflow statistics (EE only)
- New activities for inline token generation and alias handling (EE only)

Upgrades, Improvements and Bugfixes
- Client/frontend session rewritten without CGI::Session (JSON
  serialization); fixed DB connection leak causing "Too many connections"
- Logging and audit rework (Log4perl categories, shared client/server
  logger role, reworked audit statements)
- systemd notify used to monitor service startup; socket directory is
  created when not running under systemd
- Datapool condition/validator gained a pki_realm parameter to validate
  items in the _global realm
- OpenSSL v3 / HSM-protected key fixes, RSA-PSS parsing fixes, self-signed
  certificate creation via create_pkcs10, injection prevention in the
  OpenSSL config builder
- numerous EST/SCEP/ACME pickup, cookie/nginx-header and error-handling fixes - NICE::Proxy error handling reworked and chain import improved in the ProxyCA
  backend (EE only)
- Overwrite RHEL9 crypto policy for SHA1 support in openssl calls

Removals, Deprecations, Breaking Changes
- BREAKING: new ASN1 parser for X509 and PKCS#10 replaces Crypt::PKCS10.
  Subject/SAN handling changed: RDN order in dirName/otherName, composed
  RDNs, no more forced RDN uppercasing (O:Crypt:DN)
- BREAKING: Mandatory syntax check on SAN items (e.g. SAN DNS must be a
  legal DNS name)
- BREAKING: validate_certificate API command reworked (changed
  behavior/return); the _void realm was replaced with <undef>
- BREAKING: support for legacy workflow serialization removed;
- BREAKING: removed database drivers DB2 and the legacy DBD::mysql-based MariaDB
- BREAKING: deprecated CTX('log')->log(), ->debug(), ->info() etc. logging
  methods removed
- BREAKING: OpenXPKI::Server::Database renamed to OpenXPKI::Database; legacy
  class OpenXPKI::MooseParams removed
- Removed old/insecure OpenSSL::Config and old OpenSSL Profile classes
- Removed support for the custom X-Forwarded-Host header
- Removed support for a fixed auth stack via config login.stack
- Removed the tokenapi config option

--
White Rabbit Security GmbH, Werner-Heisenberg-Str. 8, 85254 Sulzemoos
Contact: +49 8135 314 000-0, [email protected]
Director: Martin Bartosch, Scott T. Hardin, Dr. Oliver Welter

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

Reply via email to