
Anypoint Security Edge Release Notes

November 9, 2019

This release includes the following updates and deprecations.

Updates

  • The internal load balancer in Anypoint Runtime Fabric is now built on OpenSSL 1.1.1 and supports TLS 1.3, which provides:

    • At least a 2x increase in TLS 1.2 connection throughput compared with prior versions of the Runtime Fabric internal load balancer, which ran on OpenSSL 1.0.2.

    • One fewer round trip in a full TLS 1.3 handshake compared with TLS 1.2 (one round trip instead of two before application data can be sent).

    • TLS 1.3 protection against protocol downgrade attacks, so a client and server that both support TLS 1.3 cannot be tricked into negotiating an older version.

  • Support for the following cipher suites. Suites marked (Default) are enabled by default when the corresponding protocol version is selected; the others must be enabled explicitly:

    • TLS 1.1

      • ECDHE RSA AES256 SHA1 (Default)

      • ECDHE ECDSA AES256 SHA1 (Default)

      • ECDHE RSA AES128 SHA1

      • ECDHE ECDSA AES128 SHA1

    • TLS 1.2

      • DHE RSA AES256 GCM SHA384

      • ECDHE RSA AES256 GCM SHA384 (Default)

      • ECDHE ECDSA AES256 GCM SHA384 (Default)

      • DHE RSA AES128 GCM SHA256

      • ECDHE RSA AES128 GCM SHA256 (Default)

      • ECDHE ECDSA AES128 GCM SHA256 (Default)

      • ECDHE ECDSA CHACHA20 POLY1305

      • ECDHE RSA CHACHA20 POLY1305

      • DHE RSA CHACHA20 POLY1305

      • AES256 GCM SHA384

      • AES128 GCM SHA256

      • DHE RSA AES256 SHA256

      • DHE RSA AES128 SHA256

      • ECDHE RSA AES256 SHA1

      • ECDHE ECDSA AES256 SHA1

      • ECDHE RSA AES128 SHA1

      • ECDHE ECDSA AES128 SHA1

      • AES256 SHA256

      • AES128 SHA256

    • TLS 1.3

      • TLS AES 256 GCM SHA384 (Default)

      • TLS CHACHA20 POLY1305 SHA256 (Default)

      • TLS AES 128 GCM SHA256 (Default)

The TLS 1.2 and TLS 1.3 ChaCha20-Poly1305 cipher suites provide better support for mobile and IoT devices, which often lack AES hardware acceleration and therefore perform ChaCha20 faster than AES-GCM.

Deprecated

The following features are removed by the TLS 1.3 protocol itself and are not offered by the OpenSSL 1.1.1-based load balancer when TLS 1.3 is negotiated:

  • Static RSA key exchange (no forward secrecy)

  • CBC mode with MAC-then-encrypt (MtE)

  • RC4

  • SHA-1 and MD5

  • TLS compression

  • Renegotiation

  • DSA (DSS) keys and the DSA signature scheme

The following ciphers are deprecated for Runtime Fabric default ingress and CSM after the introduction of OpenSSL 1.1.1.

  • Deprecated DSS ciphers and support for DSS keystores:

    • DHE DSS AES256 GCM SHA384

    • DHE DSS AES128 GCM SHA256

    • DHE DSS AES256 SHA256

    • DHE DSS AES256 SHA1

    • DHE DSS CAMELLIA256 SHA1

    • DHE DSS CAMELLIA128 SHA1

    • DHE DSS AES128 SHA256

    • DHE DSS AES128 SHA1

  • Deprecated TLS v1.2 ciphers

    • AES128 SHA1

    • AES256 SHA1

    • DES CBC3 SHA1

    • CAMELLIA256 SHA1

    • CAMELLIA128 SHA1

    • ECDHE RSA DES CBC3 SHA1

    • ECDHE ECDSA DES CBC3 SHA1

    • DHE RSA AES256 SHA1

    • DHE RSA AES128 SHA1

  • Deprecated TLS v1.1 ciphers

    • ECDHE RSA DES CBC3 SHA1

    • DHE RSA AES128 SHA1

    • DHE RSA AES256 SHA1

    • ECDHE ECDSA DES CBC3 SHA1

    • AES128 SHA1

    • AES256 SHA1

You cannot deploy Runtime Fabric default ingress with a DSS keystore. If a deprecated cipher is included in a configuration or deployment call, the deprecated cipher is ignored (assuming there is at least one nondeprecated cipher in the request), and the following deprecation header warning is returned in the response:

X-ANYPOINT-WARNING TlsContext for target 'Anypoint security' contains deprecated ciphers which are ignored.
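The following is an added example, not code from Anypoint or MuleSoft, that models the deprecation rule described above: deprecated cipher suites in a TLS context are dropped, the request still succeeds as long as one non-deprecated suite remains, and the X-ANYPOINT-WARNING header is set on the response. The deprecated-suite list and the warning text are taken from this page; the classification rules in is_deprecated() are derived from that list (DSS authentication, 3DES, Camellia, and any SHA-1 suite that is not ECDHE), the function and variable names are assumptions, and to_openssl() maps the space-separated spelling used on this page to the hyphenated names OpenSSL and Python's ssl module expect. build_context() then applies the accepted list to a Python ssl.SSLContext so you can see which suites the local OpenSSL build actually enables, and probe_server() can be pointed at a real Runtime Fabric ingress to check what it negotiates (it is not exercised by the offline part of the example).

```python
"""Model of the deprecated-cipher handling in the Anypoint Security Edge release notes.

Added example (not Anypoint/MuleSoft code). Cipher names use the release notes'
space-separated spelling; to_openssl() converts them to OpenSSL names.
"""
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# Suites the release notes list as deprecated for Runtime Fabric default ingress.
DEPRECATED = {
    "DHE DSS AES256 GCM SHA384", "DHE DSS AES128 GCM SHA256",
    "DHE DSS AES256 SHA256", "DHE DSS AES256 SHA1",
    "DHE DSS CAMELLIA256 SHA1", "DHE DSS CAMELLIA128 SHA1",
    "DHE DSS AES128 SHA256", "DHE DSS AES128 SHA1",
    "AES128 SHA1", "AES256 SHA1", "DES CBC3 SHA1",
    "CAMELLIA256 SHA1", "CAMELLIA128 SHA1",
    "ECDHE RSA DES CBC3 SHA1", "ECDHE ECDSA DES CBC3 SHA1",
    "DHE RSA AES256 SHA1", "DHE RSA AES128 SHA1",
}

# Header name and text as given in the release notes.
WARNING_HEADER = "X-ANYPOINT-WARNING"
WARNING_TEXT = "TlsContext for target '{target}' contains deprecated ciphers which are ignored."


def is_deprecated(name: str) -> bool:
    """Explicit list first, then the rules that list follows (assumption: derived from it):
    DSS authentication, 3DES, Camellia, and any SHA-1 (CBC) suite whose key exchange is not ECDHE."""
    parts = name.upper().split()
    if " ".join(parts) in DEPRECATED:
        return True
    if "DSS" in parts or "CBC3" in parts or any(p.startswith("CAMELLIA") for p in parts):
        return True
    return parts[-1] == "SHA1" and parts[0] != "ECDHE"


def to_openssl(name: str) -> str:
    """'ECDHE RSA AES256 SHA1' -> 'ECDHE-RSA-AES256-SHA'; 'TLS AES 256 GCM SHA384' -> 'TLS_AES_256_GCM_SHA384'.
    OpenSSL spells the SHA-1 MAC as plain 'SHA' and joins TLS 1.3 suite names with underscores."""
    parts = name.upper().split()
    if parts[0] == "TLS":
        return "_".join(parts)
    if parts[-1] == "SHA1":
        parts[-1] = "SHA"
    return "-".join(parts)


def apply_tls_context(requested: List[str], target: str = "Anypoint security") -> Tuple[List[str], Dict[str, str]]:
    """Return (accepted suites, response headers). Deprecated suites are ignored and flagged
    in the warning header; a context with no usable suite is rejected outright."""
    accepted = [c for c in requested if not is_deprecated(c)]
    if not accepted:
        raise ValueError("TlsContext contains only deprecated ciphers")
    headers: Dict[str, str] = {}
    if len(accepted) < len(requested):
        headers[WARNING_HEADER] = WARNING_TEXT.format(target=target)
    return accepted, headers


def build_context(accepted: List[str]) -> List[str]:
    """Apply the accepted TLS 1.2 suites to a server-side SSLContext (TLS 1.2 minimum) and
    report which suite names the local OpenSSL build actually enabled (TLS 1.3 suites included)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    tls12 = [to_openssl(c) for c in accepted if not c.upper().startswith("TLS ")]
    ctx.set_ciphers(":".join(tls12))   # raises ssl.SSLError only if no suite matches
    return [c["name"] for c in ctx.get_ciphers()]


def probe_server(host: str, port: int = 443, ciphers: Optional[List[str]] = None,
                 timeout: float = 5.0) -> Optional[Tuple[str, str]]:
    """Handshake with a live endpoint, optionally offering only the given suites, and return
    (negotiated protocol, negotiated suite) or None if the server refuses the handshake."""
    ctx = ssl.create_default_context()
    if ciphers:
        ctx.set_ciphers(":".join(to_openssl(c) for c in ciphers))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    # Constructed request: one current suite plus two deprecated ones.
    requested = ["ECDHE RSA AES256 GCM SHA384", "DHE DSS AES256 GCM SHA384", "DES CBC3 SHA1"]
    accepted, headers = apply_tls_context(requested)
    print("accepted:", accepted)
    print("headers:", headers)
    print("enabled locally:", build_context(accepted))
```

To check a deployed ingress after the update, call probe_server("ingress.example", 443) to see the negotiated version and suite, and probe_server("ingress.example", 443, ["DES CBC3 SHA1"]) to confirm that a deprecated-only offer is refused (None); the host name here is a placeholder.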

Fixed Issues

This release contains the following fixed issue:

Issue:

Previously, users could not configure the response timeout for API requests (default 300 seconds) or the write-acknowledgement timeout for data received in API requests (default 10 seconds).

Fix:

To allow these timeouts to be set longer or shorter, two new fields, Read Request Timeout and Write Request Timeout, have been added to the Advanced Options section of the Runtime Manager inbound traffic configuration.

October 17, 2019

This release contains the following fixed issues:

  • When DNS became unavailable, the internal load balancer in Anypoint Runtime Fabric failed in some circumstances (for example, when a Runtime Fabric controller node was restarted) to route messages to Mule apps or API gateways.
    DNS caching in the Runtime Fabric internal load balancer and Edge gateway was updated so that cached entries do not expire while DNS is unavailable.

  • Fixed an issue where the Runtime Fabric internal load balancer / Edge gateway pod restarted in certain cases when DNS was unavailable.

  • Fixed an issue where the error message "coresMax is greater than max value" occurred when enabling inbound traffic on Runtime Fabric.

  • The special characters $ and { in a URI were rejected as invalid by the Runtime Fabric internal load balancer and Edge gateway.
    These characters are now accepted.

September 4, 2019

This release contains the following fixed issue:

The OpenSSL 1.0.2s library used for inbound traffic processing of Runtime Fabric incoming messages has a known performance issue that degrades TLS connection throughput. [SE-12030]

Solution:

The OpenSSL library used for inbound traffic processing is reverted to OpenSSL 1.0.2p to recover performance. Note that 1.0.2p is an earlier patch release than 1.0.2s, so this reversion also gives up the fixes that the intervening 1.0.2 patch releases carried.

June 25, 2019

This release contains the following fixed issue:

Runtime Fabric inbound traffic service did not accept spaces in the private key passphrase and failed to properly serve inbound traffic. [SE-12071]

Solution:

The Runtime Fabric inbound traffic service now accepts a passphrase containing spaces and serves inbound traffic with such keys as expected.

June 18, 2019

This release contains the following fixed issue:

Client connections failed when the value of the Connection header was neither keep-alive nor close. [SE-12165]
