Posted over 4 years ago
Fixes
Moderate
Earlier, the kZorp daemon refreshed the Zone configuration in the kernel even when it was not necessary. Now it works properly: the Zone configuration is refreshed if and only if the IP addresses related to a hostname have changed. Consequently, only Zone configurations containing hostname entries are affected.
The kernel module (kZorp) could not be loaded if the ipvlan module had been loaded earlier, and an error message was written to the kernel log. Now the problem area is handled properly: any kernel module that creates network namespaces can be loaded without endangering the functionality of the kZorp kernel module.
Earlier, certain types of internet browsers (e.g. Google Chrome) displayed timeout-related error pages, generated by Zorp, right after the user had tried to visit a website. The reason for this behaviour is that some clients initiate a Transmission Control Protocol (TCP) connection to a predicted server which the user is likely to visit in the near future. When that connection timed out, Zorp sent an error page back; the browser cached it and displayed it to the user when the site was actually visited. Now Zorp successfully handles this browser behaviour by closing the transport layer connection instead of sending an error page to the application layer.
The certificate verification mechanism was changed unintentionally. Prior to Zorp 7.0.3, when Zorp detected a missing CRL during the certificate verification process, it considered the permit_missing_crl option, and if it was set to TRUE the certificate was considered trusted. With Zorp 7.0.4, 7.0.5 and 7.0.6 the certificate was considered untrusted regardless of the value of the permit_missing_crl option. Now the permit_missing_crl option is considered again and the verification process functions as it did prior to Zorp 7.0.3 and according to the documentation.

Posted almost 5 years ago
Fixes
Low
Fixed a memory leak that appeared only on a Service and/or a Proxy handling TLS connections (i.e. where an encryption policy is used). The scale of the memory leak was a few megabytes per hundred thousand connections.

Posted almost 5 years ago
Features
Zorp now supports the latest version (1.3) of the Transport Layer Security (TLS) protocol on both the client and the server side of Zorp. TLS 1.3 support is disabled in EncryptionPolicy classes by default, so it should be explicitly enabled in existing configurations.
Fixes
Critical
Fixed an SNAT issue in the Zorp kernel module kZorp: traffic whose source address had been translated (SNAT) by a Service was translated again if a rule matched the traffic already translated by the Service and that rule's service was a PFService with the "use client address as source" parameter set.
Fixed a permission handling problem in the Zorp Munin plugins which caused the RSS/VSZ memory usage of Zorp instances not to be displayed.
Fixed a significant memory leak in certificate chain building (10-100 MB per day), both in TLS offloading and interception scenarios.
Moderate
Fixed kZorp daemon and systemd integration. Earlier kZorp might not respond to systemd if there were no hostname-based Zones in the configuration, which resulted in the kZorp daemon being terminated by systemd.

Posted over 5 years ago
Improvements
Made Zorp compatible with TLS 1.3. This does not mean that Zorp supports TLS 1.3. Earlier, the Advanced Protocol Recognition (APR) SNI and server certificate detector components might have failed if the client initiated a TLS 1.3 connection. Now these detectors also work well with TLS 1.3 connections. In the case of TLS offloading/interception, TLS 1.3 is explicitly disabled, so it cannot work even if the underlying library version (>= OpenSSL 1.1.1) would make it possible to use TLS 1.3 with Zorp. This will remain the behaviour until Zorp has explicit TLS 1.3 support, to avoid any operational and interoperability problems.
Usability
Reloading a non-running Zorp instance now causes an error. Earlier this error was silently suppressed.
Fixes
Moderate
Fixed the kZorp service starting mechanism. Earlier, when the service was started it could return before the Zone-related configuration had been downloaded to kZorp. This might have caused Zorp services to fail to start, as their configurations referred to Zones that were not downloaded yet. Now Zorp services wait for the Zone download to finish.
Low
Duplicate CA/CRL directory related attributes were removed. Earlier there were (ca|crl)(_verify)?_directory attributes in the CertificateVerifier class used in EncryptionPolicy. The usage of the (ca|crl)_directory attributes was heavily memory intensive and the CA/CRL files were loaded at setup time of the EncryptionPolicy, while the (ca|crl)_verify_directory attributes are moderately CPU intensive and load the CA/CRL files on demand. Since the latter version has far more advantages than disadvantages, the former version was removed and is now automatically converted to the latter.
Use DH parameters defined in RFC 3526 instead of generating custom ones. Earlier, during the installation of Zorp a DH parameter was generated, which might take a long time in the absence of entropy. Now the 4096-bit DH parameter is based on RFC 3526.

Posted about 6 years ago
Features
Zorp can now recognise the target (server) of any TLS-encrypted connection by analysing the server name indication (SNI) part of the TLS handshake message, and different services can be started according to whether the detected server name (SNIDetector) matches a given expression (e.g. RegexMatcher).
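The SNI detection described in this entry, and the TLS 1.3 ClientHello compatibility note in the "over 5 years ago" entry above, as one added worked example in Python. This is not Zorp's SNIDetector or RegexMatcher code: it constructs its own minimal ClientHello in the shape a TLS 1.3 client sends (legacy_version 0x0303 on the wire, the real versions in a supported_versions extension), parses the server_name extension back out with every length bounds-checked, and then picks a service by regex; the builder, reader, function names and the sample rules are all assumptions made for this example.

```python
"""SNI extraction from a TLS ClientHello (what an SNI detector does before any
decryption) plus regex-based service selection on top of it.
Added example, not Zorp's SNIDetector/RegexMatcher code. The ClientHello is
constructed here in the shape a TLS 1.3 client sends (legacy_version 0x0303 on
the wire, real versions in a supported_versions extension); all names are
assumptions made for this example."""
import re
import struct

def _u16(n): return struct.pack("!H", n)
def _u24(n): return struct.pack("!I", n)[1:]

def build_client_hello(server_name, versions=(0x0304, 0x0303)):
    """Constructed minimal, well-formed ClientHello record (RFC 8446 4.1.2)."""
    host = server_name.encode("idna")
    sni_list = b"\x00" + _u16(len(host)) + host  # name_type 0 = host_name
    sni_ext = _u16(0) + _u16(len(sni_list) + 2) + _u16(len(sni_list)) + sni_list
    vers = b"".join(_u16(v) for v in versions)
    sv_ext = _u16(43) + _u16(len(vers) + 1) + bytes([len(vers)]) + vers
    exts = sni_ext + sv_ext
    body = (b"\x03\x03"              # legacy_version: always TLS 1.2 on the wire
            + b"\x11" * 32           # random (fixed bytes, constructed)
            + b"\x00"                # legacy_session_id: empty
            + _u16(2) + b"\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"            # legacy_compression_methods: null only
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + _u24(len(body)) + body  # msg_type 1 = client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake

class _Reader:
    """Bounds-checked cursor: a truncated or lying length raises ValueError
    instead of an IndexError or a silently wrong host name."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n):
        return int.from_bytes(self.take(n), "big")
    def vector(self, len_bytes):   # length-prefixed opaque field
        return self.take(self.uint(len_bytes))
    def done(self):
        return self.pos >= len(self.data)

def extract_sni(record):
    """Return (host_name or None, highest TLS version the client offers)."""
    r = _Reader(record)
    if r.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    r.take(2)                                   # record-layer version, irrelevant
    hs = _Reader(r.vector(2))
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    ch = _Reader(hs.vector(3))
    version = ch.uint(2)                        # legacy_version (0x0303 even for 1.3)
    ch.take(32)                                 # random
    ch.vector(1)                                # legacy_session_id
    ch.vector(2)                                # cipher_suites
    ch.vector(1)                                # legacy_compression_methods
    host_name = None
    if not ch.done():                           # extensions are optional
        exts = _Reader(ch.vector(2))
        while not exts.done():
            ext_type = exts.uint(2)
            ext = _Reader(exts.vector(2))
            if ext_type == 0:                   # server_name, RFC 6066
                names = _Reader(ext.vector(2))
                while not names.done():
                    name_type, name = names.uint(1), names.vector(2)
                    if name_type == 0 and host_name is None:
                        host_name = name.decode("ascii")
            elif ext_type == 43:                # supported_versions, RFC 8446
                offered = _Reader(ext.vector(1))
                while not offered.done():
                    v = offered.uint(2)
                    if v >> 8 == 0x03:          # ignore GREASE values (RFC 8701)
                        version = max(version, v)
    return host_name, version

def is_malformed(record):
    """True when the record cannot be parsed as a ClientHello."""
    try:
        extract_sni(record)
        return False
    except ValueError:
        return True

def select_service(record, rules):
    """First (regex, service) pair whose pattern matches the whole SNI host name."""
    host_name, _ = extract_sni(record)
    if host_name is None:
        return None
    for pattern, service in rules:
        if re.fullmatch(pattern, host_name):
            return service
    return None
```

The detector only ever reads the unencrypted ClientHello, so it does not depend on the protocol version actually negotiated later; the point of tracking supported_versions is that a TLS 1.3 client still writes 0x0303 into legacy_version, and a detector that rejected or misparsed anything beyond that field is what the TLS 1.3 compatibility fix was about.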
Deprecations
Completely removed the .*(Listener|Receiver) classes. The change does not affect Zorp installations which are configured and managed by ZMS. Zorp installations which are managed manually can use the .*Dispatcher classes just like in 6.0.x versions.

Posted over 6 years ago
Fixes
Critical
Fixed handling of the case when no A/AAAA/CNAME record relates to a domain name. It caused the kZorp daemon to crash and not start again. It may happen if and only if there is at least one hostname-based zone where the domain meets the mentioned criteria.
Fixed a performance issue in the DNS cache update which caused high CPU usage by the kZorp daemon. Configurations with a large number (>100) of hostname-based zones may be affected.
Fixed handling of the case when a hostname is resolved to an IPv4-mapped IPv6 address. It caused the kZorp daemon to crash and not start again. It may happen if and only if there is at least one hostname-based zone where the domain meets the mentioned criteria.
Low
Made some generic performance improvements which affect the whole Zorp Gateway product. They cause a minor speed-up (1-2%) in, among other things, some proxies (e.g. HttpProxy, SmtpProxy, …).

Posted over 6 years ago
Improvements
Ubuntu 18.04 support
Systemd support
Automatic debug symbol packages (Debian/Ubuntu)
Rewritten zorpctl functionality (in Python)
Usability
Improved help message readability for the kzorp-client command line tool's evaluate functionality.
The source port parameter is now optional for the kzorp-client command line tool's evaluate functionality.
Fixes
Critical
Fixed session id handling. The problem caused the session id not to be increased when a new connection arrived. The only affected service type is DetectorService; all other service types work well.
Moderate
Fixed a memory leak which occurred when Zorp failed to read on the client-side socket during a TLS connection.
Fixed the reply code sent by SMTPProxy when a received mail is rejected. Earlier, when the proxy wanted to reject an incoming mail (e.g. because it contained a virus) it replied with an error code indicating only temporary rejection (421), and the server tried to send the mail to Zorp several times. Now the error code 550 is sent, indicating permanent rejection, so a valid server does not try to resend the mail to Zorp.
Fixed the Zorp thread count drawing Munin plugin. Due to the problem the plugin did not serve data to the Munin node and the graph was not created at all.
Fixed the verbosity level of logs generated when Zorp cannot read on a UDP connection. The verbosity level of the relevant messages is unchanged; only the verbosity level of messages about temporary failures (EAGAIN) is increased.
Fixed an information leak when form-based authentication is used in the HTTP proxy: Zorp no longer forwards the ZorpRealm cookie, which identifies the session of the logged-in user, to the remote peer (server).
Fixed authentication cache handling in the HTTP proxy when the client uses basic authentication. Now Zorp does not send ZorpRealm cookies, which identify the session (potentially sensitive information), to the proxy.
Low
A deprecation warning is given when Zorp starts if either the ca_directory or the crl_directory parameter is set in any ClientCertificateVerifier used in any EncryptionPolicy, as these parameters will be removed in the next LTS version.
Fixed parameter handling for the kzorp-client command line tool's evaluate functionality. The problem caused a crash when a non-existing interface was given as the source interface parameter.
Fixed handling of UTF-8 characters in the username and password entries of the form-based authentication page.
Deprecations
Proxy-based SSL/TLS settings: EncryptionPolicy should be used in the following
Listener and Receiver classes: Dispatcher classes should be used in the following
CRL related options:
  setup_[ca|crl]_list proxy ssl callback: there is no alternative for this callback
  [ca|crl]_directory: verify_[ca|crl]_directory should be used in the following
  [client_|server_]?[ca|crl]_directory: verify_[ca|crl]_directory should be used in the following (it could be used in ZMS 6.x)
  [client|server]_local_[ca|crl]_list: verify_[ca|crl]_directory should be used in the following
  [client|server]_cagroup_directories: verify_[ca|crl]_directory should be used in the following
OneToOneNat, OneToOneMultiNAT and StaticNAT classes: GeneralNAT classes should be used in the following

Posted over 7 years ago
Improvements
Ubuntu 18.04 support
Proxies
The Zorp HTTP proxy can now bridge Basic access authentication and Form-based authentication, allowing you to transform form-based authentication on the client side into basic access authentication on the server side.
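What this bridging, together with the ZorpRealm cookie fix in the "over 6 years ago" entry above, amounts to on the upstream request, as an added Python example. This is not Zorp code: the session store, the function names and the sample credentials are constructed assumptions made here; only the ZorpRealm cookie name comes from the page. The rewriter strips the proxy's own session cookie before anything is forwarded, keeps the cookies that belong to the server, and replaces any client-supplied Authorization header with the Basic credentials captured from the login form.

```python
"""Upstream-request rewriter for an HTTP proxy that bridges form-based
authentication to Basic access authentication.

Added example, not Zorp code. Assumptions: the proxy owns a session cookie
(named ZorpRealm, as on the page) and a session store mapping session id to
the (username, password) captured from the login form. Store contents and
function names are constructed for this example."""
import base64
from http.cookies import SimpleCookie

SESSION_COOKIE = "ZorpRealm"   # proxy-owned session cookie; must never reach the server

# Constructed session store: what the proxy learned from the login form.
SESSIONS = {
    "7f3a9c": ("alice", "s3cret"),
}

def strip_session_cookie(cookie_header, name=SESSION_COOKIE):
    """Return (session_id or None, Cookie header without the proxy's cookie).

    The remaining cookies are re-serialised so the server still receives
    everything that belongs to it; if nothing remains the header is dropped
    (None) rather than sent empty."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    session_id = jar[name].value if name in jar else None
    rest = "; ".join(f"{k}={m.value}" for k, m in jar.items() if k != name)
    return session_id, (rest or None)

def basic_auth_header(username, password):
    """RFC 7617 credential encoding: base64 of 'user:pass' (UTF-8)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def rewrite_for_upstream(headers, sessions=SESSIONS):
    """Rewrite client request headers before forwarding them to the server.

    - The proxy's session cookie is removed from Cookie: it identifies the
      user's login session to the proxy only, and forwarding it would leak
      that session to the server.
    - For a known session an Authorization: Basic header with the captured
      credentials is added; a client-supplied Authorization header is
      replaced, never merged.
    - Unknown or absent session: the request is forwarded unauthenticated."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("cookie", "authorization")}
    session_id, remaining = strip_session_cookie(headers.get("Cookie"))
    if remaining:
        out["Cookie"] = remaining
    creds = sessions.get(session_id) if session_id else None
    if creds:
        out["Authorization"] = basic_auth_header(*creds)
    return out
```

Dropping the client's own Authorization header is deliberate: once the proxy vouches for the user, the server should see exactly one identity, the one the proxy authenticated at the form, not whatever the client chose to send alongside it.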
Fixes
Critical
Fixed the handling of SMTP optional extensions when the tls_passthrough attribute is enabled in the SMTP proxy. Earlier Zorp removed the STARTTLS extension from the extension list if the tls_passthrough attribute was enabled, so the client could never initiate a TLS connection.
In some cases, expired self-side certificates were treated as valid. This has been corrected.
Important
Fixed the free mechanism of a Python object when DetectorService is used, which caused a crash while detecting the type of the network traffic.
Fixed access to Google services (search, calendar, …) with Google Chrome/Chromium when TLS is terminated on the firewall (TwoSidedEncryption). Now the mentioned services can be accessed without any problem.
Moderate
The zorpctl szig command always returned -1 as the thread ID. This has been corrected.
Low
Form-based authentication redirected the client to an invalid URL containing only "https" instead of the real URL to be redirected to. This has been corrected.

Posted over 7 years ago
Improvements
Proxies
The Zorp HTTP proxy can now bridge Basic access authentication and Form-based authentication, allowing you to transform form-based authentication on the client side into basic access authentication on the server side.
Fixes
Critical
Fixed the handling of SMTP optional extensions when the tls_passthrough attribute is enabled in the SMTP proxy. Earlier Zorp removed the STARTTLS extension from the extension list if the tls_passthrough attribute was enabled, so the client could never initiate a TLS connection.
In some cases, expired self-side certificates were treated as valid. This has been corrected.
Important
Fixed the free mechanism of a Python object when DetectorService is used, which caused a crash while detecting the type of the network traffic.
Fixed access to Google services (search, calendar, …) with Google Chrome/Chromium when TLS is terminated on the firewall (TwoSidedEncryption). Now the mentioned services can be accessed without any problem.
Moderate
The zorpctl szig command always returned -1 as the thread ID. This has been corrected.
Low
Form-based authentication redirected the client to an invalid URL containing only "https" instead of the real URL to be redirected to. This has been corrected.

Posted over 8 years ago
Improvements
IPv6 support
PFService supports NAT in:
  NAT policies
  directed routers
  forge addresses
Proxies
You can now set a fallback service in Advanced Protocol Recognition, to be used when the protocol used in the connection is not recognized.
TLS handling
You can disable client-initiated renegotiation, which prevents client-initiated renegotiation attacks and is necessary to achieve grade A+ in the Qualys and HTBridge tests.
During the TLS handshake, in addition to the certificate, Zorp sends the intermediate CAs as well. This is necessary to achieve grade A+ in the Qualys and HTBridge tests.
Zorp now supports perfect forward secrecy. This is necessary to achieve grade A+ in the Qualys and HTBridge tests.
Zorp now supports the elliptic curve Diffie-Hellman protocol used by modern clients and servers.
Zorp now supports ephemeral Diffie-Hellman used by older clients and servers.
kZorp
kZorp now supports kernel version 4.4, the new LTS kernel in Ubuntu 14.04.
Monitoring
Munin plugins are available for:
  memory usage of kZorp, which shows possible memory leaks
  statistics of the internal hash in kZorp, to show possible hash imbalance
  statistics of internal cache events
Fixes
Critical
Fixed reference counting problems in kZorp which might cause a kernel crash.
Fixed a race condition in kZorp which might make the host inaccessible.
Moderate
Fixed the certificate cache of the dynamic certificate generator, which might have sent a wrong certificate when the private key was changed in the certificate generator.
Fixed the side-stack chaining mechanism, which caused Python tracebacks.
Decreased the memory usage of the configuration dump from the kernel by the kZorp client (kzorp-client -dzs), which might exhaust memory in the case of an extremely large number of configuration items (Service, Rule, Zone).
Fixed a zone lookup failure in the case of IPv6 (/128 subnets only), which caused Zorp to ignore traffic from/to this Zone.
Fixed encrypted data channel creation failure in the case of the FTP protocol.
Low
The log level of the kZorp daemon can be set (default is 3). This greatly reduces the number of log messages generated by hostname-based Zones.