From: Dave H. <hel...@li...> - 2014-03-26 23:27:22
Hi Folks,

We have a new release today of the SFCB 1.3 branch: SFCB 1.3.18. The 1.3 branch is in maintenance mode and we strongly encourage users to migrate to SFCB 1.4. But we do have some bugfixes and a handful of new features to bring 1.3 somewhat in sync with 1.4.

For new features:

There are a few new sfcb.cfg properties pertaining to SSL/TLS: sslDhParamsFilePath supports the use of an external Diffie Hellman (DH) parameters file, and sslEcDhCurveName allows the user to set the "curve name" for Elliptic Curve Diffie Hellman (ECDH) key generation. These options can be used with openssl cipher suites supporting "ephemeral" Diffie Hellman (DHE) key exchange algorithms. Ephemeral key exchange enhances security by decoupling the private key used to generate the session key from the private key associated with the server certificate. This provides "forward secrecy" while maintaining a key exchange algorithm compatible with a conventional RSA-based server certificate. See the .cfg file comments for more info.

Also there is a new config property, enableSslCipherServerPref, which allows a fine adjustment in the selection of cipher suite on the connection, by enforcing the server's order of preference instead of the client's (as is the case by default). In general, the selection of cipher suite is determined by the openssl library based on the "cipher list" provided to the client and the server. SFCB's cipher list is set using the "sslCiphers" config property. Remember, you can use the openssl "s_client" tool to check the actual cipher used on the connection, for a given configuration at client and server.

Also added is the feature to reload SSL context without restarting any SFCB process, whereas previously it was necessary to restart the HTTP daemon. Any SSL related config property can be updated on the fly by sending a SIGUSR2 signal to the HTTP adapter process. In SFCB 1.4 you can determine the pid of the adapter(s) precisely using the new SFCB_LABELPROCS feature. In v1.3 you can use the sfcbproc utility to find the pid (although this is not guaranteed!) like this:

    $ kill -USR2 $(sfcbproc | grep Daemon | sed 's/^ *//' | cut -d' ' -f1)

For bug fixes:

There are a few patches to fix memory leaks with long running SFCC clients running in localconnect mode, so we recommend users upgrade to the latest SFCC and SFCB if this pertains to your environment. There are also some fixes for some mostly-benign core dumps that occur only in unusual cases. There is also a bugfix for indicationDeliveryThreadLimit. See the NEWS file for full list of changes.

The new release is tagged (SFCB_1_3_18) in git and the tarball is posted to the SourceForge download page.

https://sourceforge.net/projects/sblim/files/sblim-sfcb/1.3%20branch%20%28maintenance%29/

Enjoy!
-Dave H.
SBLIM Team
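
The s_client check mentioned in the announcement, as an added example that is not part of the original message or of SFCB: a small parser that reads `openssl s_client` output and reports whether the negotiated suite uses ephemeral (DHE/ECDHE) key exchange. It goes slightly beyond the message by also flagging anonymous and export suites; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SFCB code): classify the suite reported by `openssl s_client`.

# Constructed s_client excerpts, trimmed to the lines the parser needs.
SAMPLE_DHE='SSL handshake has read 2313 bytes and written 375 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit'
SAMPLE_RSA='New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)'

# Print the negotiated suite read from stdin; fail if none was negotiated.
negotiated_cipher() {
    c=$(sed -n 's/^New, .*, Cipher is \([^ ]*\).*$/\1/p' | head -n 1)
    case "$c" in
        ''|'(NONE)') return 1 ;;
    esac
    printf '%s\n' "$c"
}

# Classify an OpenSSL suite name by its key exchange prefix.
key_exchange_class() {
    case "$1" in
        EXP-*)               echo export ;;         # export-grade, weak
        ADH-*|AECDH-*)       echo anonymous ;;      # ephemeral but unauthenticated
        DHE-*|EDH-*|ECDHE-*) echo ephemeral ;;      # forward secrecy
        *)                   echo non-ephemeral ;;  # e.g. RSA or static (EC)DH
    esac
}

# Exit 0 only for an authenticated ephemeral suite, 2 if the handshake failed.
check_s_client_output() {
    suite=$(negotiated_cipher) || { echo "no cipher negotiated"; return 2; }
    class=$(key_exchange_class "$suite")
    echo "$suite $class"
    [ "$class" = ephemeral ]
}

# Live use (HOST and PORT are placeholders for the SFCB HTTPS listener):
#   openssl s_client -connect HOST:PORT </dev/null 2>/dev/null | check_s_client_output
printf '%s\n' "$SAMPLE_DHE" | check_s_client_output
printf '%s\n' "$SAMPLE_RSA" | check_s_client_output || echo "no forward secrecy"
```

Running the check before and after changing sslCiphers or enableSslCipherServerPref shows whether the configuration change actually moved the connection onto a DHE or ECDHE suite.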