Anypoint Security Edge Release Notes
March 9, 2020
Changes
- The Runtime Manager > Inbound Messaging configuration user interface has been simplified by removing the option to specify the number of replicas. The number of replicas is now set to equal the number of controller nodes.
  If the number of replicas is currently set to fewer than the number of controllers, the next time you click the Deploy button for Runtime Manager > Inbound Messaging, the number of replicas is automatically changed to equal the number of controller nodes. It is not necessary to issue a `kubectl scale` command.
- The Inbound Traffic software for Anypoint Runtime Fabric 1.5.0 and later is updated only after the Runtime Fabric version is upgraded. The Inbound Traffic deployment that follows the Runtime Fabric version upgrade triggers the new version of the Inbound Traffic software to run.
  Runtime Fabric versions earlier than 1.5.0 still trigger Inbound Traffic software version updates upon deployment, independently of Runtime Fabric version upgrades.
February 8, 2020
New Feature
Simplified TLS Configuration
When you configure inbound traffic for Anypoint Runtime Fabric, you can now upload a PEM or JKS file or import a TLS context from the secrets manager.
Fixed Issue
Fixed the issue that caused the Runtime Manager > Runtime Fabrics > Inbound Traffic page to erroneously display inbound traffic as disabled for users who were in a business group that inherited a Runtime Fabric instance.
Known Issue
If you try to change the TLS configuration on the Runtime Manager > Runtime Fabrics > Inbound Traffic page from using a PEM or JKS file to using a secrets manager, an error is returned.
Workaround
Follow these steps to make the update:
- In the Runtime Manager > Runtime Fabrics > Inbound Traffic page, use the Enable inbound traffic slider to disable traffic.
- After the deployment is complete, use the slider to re-enable inbound traffic.
- In TLS Configuration, select Import from Secrets Manager.
November 22, 2019
Fixed Issues
This release contains the following fixed issues:
- Anypoint Runtime Fabric inbound load balancer now allows a maximum of 100 inbound headers and trailers in an HTTP request message by default.
- The issue where streaming over a slow network caused a `connection reset by peer` error is fixed.
- Runtime Fabric inbound load balancer no longer character-encodes URI-reserved characters (per RFC 3986). An exception is that two forward slashes (//) are converted to one forward slash (/). Previously, the double forward slashes were retained.
  This change might require you to update applications that rely on the special-character encoding behavior of previous releases.
Known Issues
Anypoint Runtime Fabric load balancer ignores client-side cipher preferences and uses server-side cipher preferences, and the server-side order is not based on cipher strength.
Runtime Fabric load balancer does not allow you to order preferences; it only allows opting in and out of ciphers.
The preference order for Runtime Fabric load balancer cipher connections is:
- TLS 1.3
  - TLS_AES_128_GCM_SHA256
  - TLS_AES_256_GCM_SHA384
  - TLS_CHACHA20_POLY1305_SHA256
- TLS 1.2
  - ECDHE-RSA-AES128-GCM-SHA256
  - ECDHE-ECDSA-AES128-GCM-SHA256
  - ECDHE-RSA-AES256-GCM-SHA384
  - ECDHE-ECDSA-AES256-GCM-SHA384
  - ECDHE-RSA-AES256-SHA1
  - ECDHE-ECDSA-AES256-SHA1
  - DHE-RSA-AES256-GCM-SHA384
  - DHE-RSA-AES256-SHA256
  - AES256-GCM-SHA384
  - AES256-SHA256
  - ECDHE-RSA-AES128-SHA1
  - ECDHE-RSA-CHACHA20-POLY1305
  - ECDHE-ECDSA-AES128-SHA1
  - ECDHE-ECDSA-CHACHA20-POLY1305
  - DHE-RSA-AES128-GCM-SHA256
  - DHE-RSA-CHACHA20-POLY1305
  - DHE-RSA-AES128-SHA256
  - AES128-GCM-SHA256
  - AES128-SHA256
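Because the load balancer applies its own order, two clients that offer the same suites in different orders get the same result. The following Python is an added example, not MuleSoft code: it reproduces the TLS 1.2 order above as a list, shows what a server-preference selection picks for constructed client offers, and shows what the opt-in/opt-out control can still change.

```python
# Added example (not MuleSoft code): simulate the server-preference cipher
# selection described in the known issue. SERVER_PREFERENCE_TLS12 is the TLS 1.2
# order quoted in this release note; the client offers below are constructed.

SERVER_PREFERENCE_TLS12 = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA1", "ECDHE-ECDSA-AES256-SHA1",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256",
    "AES256-GCM-SHA384", "AES256-SHA256",
    "ECDHE-RSA-AES128-SHA1", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-SHA1", "ECDHE-ECDSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256",
]

def negotiate_server_pref(server_order, client_offer):
    """What the load balancer does: walk the server's order and take the
    first suite the client also offered. The client's ordering is ignored."""
    offered = set(client_offer)
    return next((s for s in server_order if s in offered), None)

def negotiate_client_pref(server_order, client_offer):
    """For contrast: a server honouring client preference walks the client's
    list and takes the first suite it supports."""
    supported = set(server_order)
    return next((s for s in client_offer if s in supported), None)

def effective_order(enabled):
    """The only control the note describes is opting suites in or out; the
    relative order of whatever stays enabled is fixed by the server list."""
    return [s for s in SERVER_PREFERENCE_TLS12 if s in enabled]

if __name__ == "__main__":
    # Constructed offer: a mobile client that prefers ChaCha20 but also lists
    # AES-GCM. Server preference picks AES128-GCM; client preference would not.
    mobile = ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES256-GCM-SHA384",
              "ECDHE-RSA-AES128-GCM-SHA256"]
    print(negotiate_server_pref(SERVER_PREFERENCE_TLS12, mobile))
    print(negotiate_client_pref(SERVER_PREFERENCE_TLS12, mobile))
    # "Not based on cipher strength": the non-forward-secret AES256-GCM-SHA384
    # sits ahead of ECDHE ChaCha20, so it wins whenever both are offered.
    both = ["ECDHE-RSA-CHACHA20-POLY1305", "AES256-GCM-SHA384"]
    print(negotiate_server_pref(SERVER_PREFERENCE_TLS12, both))
    # Opting the static-RSA suites out is the only way to change that outcome.
    pfs = {s for s in SERVER_PREFERENCE_TLS12 if s.startswith(("ECDHE", "DHE"))}
    print(negotiate_server_pref(effective_order(pfs), both))
```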
November 9, 2019
This release includes the following updates and deprecations.
Updates
- The internal load balancer in Anypoint Runtime Fabric is now powered by OpenSSL 1.1.1 and supports TLS 1.3, which provides:
  - 2x or greater TLS 1.2 connection throughput versus prior versions of the Runtime Fabric internal load balancer running on OpenSSL 1.0.2.
  - One fewer round trip in a full TLS 1.3 handshake compared to TLS 1.2.
  - TLS 1.3 protection against downgrade attacks.
- Support for the following ciphers, some of which are enabled by default when the applicable protocol is selected:
  - TLS 1.1
    - ECDHE RSA AES256 SHA1 (Default)
    - ECDHE ECDSA AES256 SHA1 (Default)
    - ECDHE RSA AES128 SHA1
    - ECDHE ECDSA AES128 SHA1
  - TLS 1.2
    - DHE RSA AES256 GCM SHA384
    - ECDHE RSA AES256 GCM SHA384 (Default)
    - ECDHE ECDSA AES256 GCM SHA384 (Default)
    - DHE RSA AES128 GCM SHA256
    - ECDHE RSA AES128 GCM SHA256 (Default)
    - ECDHE ECDSA AES128 GCM SHA256 (Default)
    - ECDHE ECDSA CHACHA20 POLY1305
    - ECDHE RSA CHACHA20 POLY1305
    - DHE RSA CHACHA20 POLY1305
    - AES256 GCM SHA384
    - AES128 GCM SHA256
    - DHE RSA AES256 SHA256
    - DHE RSA AES128 SHA256
    - ECDHE RSA AES256 SHA1
    - ECDHE ECDSA AES256 SHA1
    - ECDHE RSA AES128 SHA1
    - ECDHE ECDSA AES128 SHA1
    - AES256 SHA256
    - AES128 SHA256
  - TLS 1.3
    - TLS AES 256 GCM SHA384 (Default)
    - TLS CHACHA20 POLY1305 SHA256 (Default)
    - TLS AES 128 GCM SHA256 (Default)
- TLS 1.2 and TLS 1.3 ChaCha20-Poly1305 ciphers provide better mobile and IoT device support.
Deprecated
The following features are removed in the TLS 1.3 and OpenSSL 1.1.1 offering:
- Static RSA handshake (no forward secrecy)
- CBC MtE modes
- RC4
- SHA1, MD5
- Compression
- Renegotiation
- DSA (DSS) key support (TLS signature scheme)
The following ciphers are deprecated for Runtime Fabric default ingress and CSM after the introduction of OpenSSL 1.1.1:
- Deprecated DSS ciphers and support for DSS keystores:
  - DHE DSS AES256 GCM SHA384
  - DHE DSS AES128 GCM SHA256
  - DHE DSS AES256 SHA256
  - DHE DSS AES256 SHA1
  - DHE DSS CAMELLIA256 SHA1
  - DHE DSS CAMELLIA128 SHA1
  - DHE DSS AES128 SHA256
  - DHE DSS AES128 SHA1
- Deprecated TLS v1.2 ciphers:
  - AES128 SHA1
  - AES256 SHA1
  - DES CBC3 SHA1
  - CAMELLIA256 SHA1
  - CAMELLIA128 SHA1
  - ECDHE RSA DES CBC3 SHA1
  - ECDHE ECDSA DES CBC3 SHA1
  - DHE RSA AES256 SHA1
  - DHE RSA AES128 SHA1
- Deprecated TLS v1.1 ciphers:
  - ECDHE RSA DES CBC3 SHA1
  - DHE RSA AES128 SHA1
  - DHE RSA AES256 SHA1
  - ECDHE ECDSA DES CBC3 SHA1
  - AES128 SHA1
  - AES256 SHA1
You cannot deploy Runtime Fabric default ingress with a DSS keystore. If a deprecated cipher is included in a configuration or deployment call, the deprecated cipher is ignored (assuming there is at least one nondeprecated cipher in the request), and the following deprecation header warning is returned in the response:
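The following Python is an added example, not MuleSoft code, that applies the stated rules to a cipher request before deployment: deprecated ciphers (the sets listed above) are dropped and reported, a request in which every cipher is deprecated is rejected, and a DSS keystore is refused. The header name is a placeholder, since the note does not reproduce the actual deprecation header.

```python
# Added example (not MuleSoft code): pre-check an ingress cipher configuration
# against the deprecation rules in this release note. The cipher sets are copied
# from the note; the header name is a placeholder because the note does not
# reproduce the real deprecation header.

DEPRECATED_DSS = {
    "DHE DSS AES256 GCM SHA384", "DHE DSS AES128 GCM SHA256",
    "DHE DSS AES256 SHA256", "DHE DSS AES256 SHA1",
    "DHE DSS CAMELLIA256 SHA1", "DHE DSS CAMELLIA128 SHA1",
    "DHE DSS AES128 SHA256", "DHE DSS AES128 SHA1",
}
DEPRECATED_TLS12 = {
    "AES128 SHA1", "AES256 SHA1", "DES CBC3 SHA1",
    "CAMELLIA256 SHA1", "CAMELLIA128 SHA1",
    "ECDHE RSA DES CBC3 SHA1", "ECDHE ECDSA DES CBC3 SHA1",
    "DHE RSA AES256 SHA1", "DHE RSA AES128 SHA1",
}
DEPRECATED_TLS11 = {
    "ECDHE RSA DES CBC3 SHA1", "DHE RSA AES128 SHA1", "DHE RSA AES256 SHA1",
    "ECDHE ECDSA DES CBC3 SHA1", "AES128 SHA1", "AES256 SHA1",
}
# DSS suites are deprecated regardless of protocol version.
DEPRECATED_BY_PROTOCOL = {
    "TLS 1.1": DEPRECATED_TLS11 | DEPRECATED_DSS,
    "TLS 1.2": DEPRECATED_TLS12 | DEPRECATED_DSS,
}
# Placeholder name: the real header is not quoted in these notes.
DEPRECATION_HEADER = "X-Placeholder-Deprecation-Warning"

class NoUsableCipherError(ValueError):
    """Every cipher in the request is deprecated, so nothing would be enabled."""

def apply_cipher_request(protocol, requested, keystore_type="RSA"):
    """Apply the note's rules to a configuration or deployment request.

    Returns (accepted_ciphers, response_headers). Deprecated ciphers are
    dropped and reported once in the deprecation header; a request that
    leaves no cipher, or that uses a DSS keystore, is rejected outright."""
    if keystore_type.upper() in ("DSS", "DSA"):
        raise ValueError("default ingress cannot be deployed with a DSS keystore")
    deprecated = DEPRECATED_BY_PROTOCOL.get(protocol, set())
    dropped = [c for c in requested if c in deprecated]
    accepted = [c for c in requested if c not in deprecated]
    if not accepted:
        raise NoUsableCipherError(f"all requested {protocol} ciphers are deprecated: {dropped}")
    headers = {}
    if dropped:
        headers[DEPRECATION_HEADER] = "ignored deprecated ciphers: " + ", ".join(dropped)
    return accepted, headers
```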
Fixed Issues
This release contains the following fixed issue:
Issue:
Previously, users could not configure longer or shorter response timeouts for API requests (default 300 seconds), or longer or shorter write acknowledgement timeouts for data (default 10 seconds) received in API requests.
Fix:
To allow configuration of longer or shorter response times, new fields (Read Request Timeout and Write Request Timeout) have been added to the Runtime Manager inbound traffic configuration in the Advanced Options section.
October 17, 2019
This release contains the following fixed issues:
- When DNS became unavailable, the internal load balancer in Anypoint Runtime Fabric failed to route messages to Mule apps or API gateways in some circumstances (for example, when a Runtime Fabric controller node was restarted).
  DNS caching for entries stored in the Runtime Fabric internal load balancer or Edge gateway has been updated so that cached entries do not expire while DNS is unavailable.
- Fixed an issue where the Runtime Fabric internal load balancer / Edge gateway pod restarted in certain cases when DNS was unavailable.
- Fixed an issue with the error message `coresMax is greater than max value` that occurred when enabling inbound traffic on Runtime Fabric.
- The special characters `$` and `{` in a URI were not accepted by the Runtime Fabric internal load balancer or Edge gateway as valid characters. These characters are now accepted.
September 4, 2019
This release contains the following fixed issue:
The OpenSSL 1.0.2s library used for inbound traffic processing for Runtime Fabric incoming messages has a known performance issue, which degrades TLS connection throughput. [SE-12030]
Solution:
The OpenSSL library used for inbound traffic processing is reverted to OpenSSL 1.0.2p to recover performance.
June 25, 2019
This release contains the following fixed issue:
Runtime Fabric inbound traffic service did not accept spaces in the private key passphrase and failed to properly serve inbound traffic. [SE-12071]
Solution:
The Runtime Fabric inbound traffic service now accepts a passphrase containing spaces and serves inbound traffic with such keys as expected.