Upgrading Cisco SSL Appliance
This section provides instructions for upgrading your appliance. Make sure to follow the instructions for the version you are currently running. Upgrades are supported for:
- 3.7.x up to and including 3.7.4-41
- 3.8.0 up to and including 3.8.0-152
- 3.8.1 up to and including 3.8.1-172
- 3.8.2 up to and including 3.8.2-424
- 3.8.3 up to and including 3.8.3-126
- 3.8.4 up to and including 3.8.4-26
- 3.8.5 up to and including 3.8.5-19
- 3.8.6 up to and including 3.8.6-12
- 3.9.2.1 up to and including 3.9.2.1-18
- 3.9.2.2 up to and including 3.9.2.2-2
- 3.9.3.1 up to and including 3.9.3.1-34
- 3.9.3.2 up to and including 3.9.3.2-7
Terminology
- .p7b: PKCS#7 encoded external certificate file; updates the list of external CA certificates.
- .patch: Updates the main partition; includes only the changes from one version to the next, all data and configurations are retained, applied through the WebUI.
- .nru: Replaces the existing rescue image with the new image; all data and configurations are retained, applied through the WebUI.
- .nsu: System update file; replaces the active image, re-images the rescue partition, triggers restore factory defaults, retains management IP address; all existing data and configurations are wiped, applied through the console.
Files associated with this release:
- sslv-3.9.3.3-6-cisco.iso
- sslv-3.9.3.3-6-cisco.nru
- sslv-3.9.3.3-6-cisco.nsu
- sslv-3.9.3.3-6-cisco.patch
- sslsessions-1.6.3.zip
- ssldiags-1.1.0.zip
- sslv-3.9.3.2-p7b_certificates-and-SNMP_MIBS.zip
– sslv_3.7.0_to_3.8.0_ca_certificates.p7b
– sslv_3.8.0_to_3.8.3_ca_certificates.p7b
– sslv_3.8.3_to_3.9.2.1_ca_certificates.p7b
– sslv_3.9.2.1_to_3.9.3.1_ca_certificates.p7b
– MIBS_SSLV-3.8.3.zip
Upgrade the Appliance
If the appliance is running 3.7.0 or greater, upgrade using the sslv-3.9.3.3-6-cisco.patch, see Upgrade from 3.7.x or Later to 3.9.3.
If the appliance is running 3.6.3, a two step upgrade process is required, as described in Update the BIOS.
The patch mechanism does not update the rescue image in the system. Hence, if you later use the Restore factory defaults option, the appliance is re-imaged with the version of the rescue image and you must re-apply the patch.
Following the patch upgrade, Cisco recommends you upgrade the rescue image to the latest software version by applying the related .nru file (for example, sslv-3.9.3.3-6-cisco.nru).
Upgrade from 3.7.x or Later to 3.9.3
Upgrading the SSL Appliance to a new software version is straightforward. Make sure the appliance is running software version 3.7.x or later; if it is running software version 3.6.3, see Update the BIOS.
Apply a Patch
To apply the patch, access the (Platform Management) > Update menu option on the WebUI, select the sslv-3.9.3.3-6-cisco.patch file, and click OK.
The patch upgrade preserves your existing configuration data and existing logs.
Note 3.7.x or Later: The patch mechanism does not update the rescue image in the system. Hence, if you use the Restore factory defaults option, the appliance is re-imaged with the version of the rescue image, and you must re-apply any patches released since that rescue image version. Following the patch upgrade, Cisco recommends you upgrade the rescue image to the latest software version by applying the related .nru file (for example, sslv-3.9.3.3-6-cisco.nru).
Apply the NRU
To apply the .nru file, which updates the rescue image, access the (Platform Management) > Update menu option on the WebUI, select the sslv-3.9.3.3-6-cisco.nru file, and click OK.
The existing rescue image will be replaced with the new image.
Tip As a precaution, back up all configuration and policy data before the upgrade.
Patch Upgrade Procedure
Step 1 Access the (Platform Management) > Update menu.
Step 2 Click Choose File to select the patch upgrade file, then click OK.
Step 3 Reboot the appliance when prompted.
Step 4 Wait for the upgrade to complete. This might take several minutes, and involves the appliance rebooting a number of times.
Step 5 Update the list of external CA certificates.
Note Without the new list of external CA certificates, the X.509 status for some sites (for example, www.google.com) is "Invalid Issuer." The external CA certificate file (sslv_3.9.2.1_to_3.9.3.1_ca_certificates.p7b) incrementally updates the CA certificates list provided in the previous sslv_3.x.x_to_3.x.x_ca_certificates.p7b files. Import the CA certificate file to update the external CA certificates list.
3.9.3.x Process: After a 3.9.2.x to 3.9.3.x upgrade, the list of external CA certificates may not include the CA certificates provided with the 3.9.3.x release. Import the sslv_3.8.3_to_3.9.2.1_ca_certificates.p7b file to update the external CA list with the 3.9.2.1 CA certificates. Then import the sslv_3.9.2.1_to_3.9.3.1_ca_certificates.p7b file. If you have previously imported an external CA certificate file, you do not need to import it again.
To import the PKCS#7 encoded external CA certificate file (such as sslv_3.8.3_to_3.9.2.1_ca_certificates.p7b), follow this procedure.
– Go to the PKI > External Certificate Authorities Lists window and select the all-external-certificate-authorities list.
– In the External Certificate Authorities panel below, click Add to browse to the file, then click OK. You should see an "Upload Successful" message.
– On the bottom of the External Certificate Authorities Lists window, click Apply next to the PKI Changes message.
– Use the same process to import the 3.9.3.x external CA file (sslv_3.9.2.1_to_3.9.3.1_ca_certificates.p7b).
3.8.x Process: After a 3.8.x to 3.9.3.x upgrade, the list of external CA certificates may not include the CA certificates provided with the 3.8.x or 3.9.x.x release. If you have not previously done so, import the sslv_3.8.0_to_3.8.3_ca_certificates.p7b file to update the external CA list. Then, import the sslv_3.8.3_to_3.9.2.1_ca_certificates.p7b file and then the sslv_3.9.2.1_to_3.9.3.1_ca_certificates.p7b file. If you have previously imported an external CA certificates file, you do not need to import it again.
To import the PKCS#7 encoded external CA certificate file (such as sslv_3.8.0_to_3.8.3_ca_certificates.p7b), follow this procedure.
– Go to the PKI > External Certificate Authorities Lists window and select the all-external-certificate-authorities list.
– In the External Certificate Authorities panel below, click Add to browse to the file, then click OK. You should see an "Upload Successful" message.
– On the bottom of the External Certificate Authorities Lists window, click Apply next to the PKI Changes message.
– Use the same process to import the 3.9.2.x external CA file (sslv_3.8.3_to_3.9.2.1_ca_certificates.p7b).
– Use the same process to import the 3.9.3.x external CA file (sslv_3.9.2.1_to_3.9.3.1_ca_certificates.p7b).
3.7.x Process: After a 3.7.x to 3.9.3.x upgrade, the list of external CA certificates may not include the CA certificates provided with the 3.8.x or 3.9.x.x release. If you have not previously done so, import the sslv_3.7.0_to_3.8.0_ca_certificates.p7b file to update the external CA list. Then, import the sslv_3.8.0_to_3.8.3_ca_certificates.p7b, sslv_3.8.3_to_3.9.2.1_ca_certificates.p7b, and sslv_3.9.2.1_to_3.9.3.1_ca_certificates.p7b certificate files. If you have previously imported an external CA certificates file, you do not need to import it again.
To import the PKCS#7 encoded external CA certificate file (such as sslv_3.7.0_to_3.8.0_ca_certificates.p7b), follow this procedure.
– Go to the PKI > External Certificate Authorities Lists window and select the all-external-certificate-authorities list.
– In the External Certificate Authorities panel below, click Add to browse to the file, then click OK. You should see an "Upload Successful" message.
– On the bottom of the External Certificate Authorities Lists window, click Apply next to the PKI Changes message.
– Use the same process to import the 3.8.x external CA file (sslv_3.8.0_to_3.8.3_ca_certificates.p7b).
– Use the same process to import the 3.9.2.x external CA file (sslv_3.8.3_to_3.9.2.1_ca_certificates.p7b).
– Use the same process to import the 3.9.3.x external CA file (sslv_3.9.2.1_to_3.9.3.1_ca_certificates.p7b).
Back up the PKI store after importing the CA certificates. The system log contains many warnings about duplicate entries; these log entries can be safely ignored.
Warning As a precaution, back up all configurations and policy data before the upgrade.
Update the BIOS
After upgrading a Cisco SSL Appliance to 3.9.x.x from any 3.8.x or 3.7.x release, you must update the BIOS. After the upgrade you will see a message indicating that a firmware update is needed. A message is also displayed on the LCD and in the system log.
To update the BIOS, access the Command Line Diagnostics (CLD) interface, and enter the bios update command.
The update will take 15 to 20 minutes (or possibly longer, depending on the appliance) and may include a system reboot. Do not interrupt the process.
When you see the message “SSLV startup stage 3: CONFIRMED” displayed on the serial console, the process is complete.
Each appliance model may have a distinct BIOS and BMC version. While the SSL1500 has a BIOS and BMC version of r3, the SSL2000 and SSL8200 have version r1.
To view the BIOS and BMC versions, open Information on the Platform Management (system hostname) menu and click the Show Advanced button.
Downgrading the Cisco SSL Appliance
In the unlikely event you want to downgrade the appliance, contact Customer Support for assistance.
Changes
The following sections list the changes in the Version 3.9.3 update.
Changes in Version 3.9.3.3
Cisco SSL Appliance 3.9.3.3
- SSL 3.9.3.3 provides an important bug fix and a security update that addresses Blue Coat Security Advisory SA114.
- After upgrading to SSL Appliance 3.9.3.3 from a 3.8.x or 3.7.x release on an SSL1500, SSL2000, or SSL8200 appliance, you must update the BIOS. See Update the BIOS for information.
- Cisco recommends adding the following web sites to the Unsupported Sites list, if they are not already present:
– cn=abrca.bluecoat.com
– cn=bto-services.es.bluecoat.com
– cn=device-services.es.bluecoat.com
– cn=subscription.es.bluecoat.com
– cn=validation.es.bluecoat.com
– cn=upload.bluecoat.com
– cn=remote-support.bluecoat.com
– cn=courier.sandbox.push.apple.com
If you perform a patch upgrade, you must manually add the sites to the list. If you restore a previous policy configuration that did not include the new entries in the list, the current policy is overwritten, and the sites must be added again.
To view the complete list or to add sites to the list, open Policies > Subject/Domain Names List in the WebUI and select sslng-unsupported-sites in the Subject/Domain Names Lists panel.
Note Blue Coat Management Center 1.4.2.1 or later is required for monitoring appliances running SSL Visibility 3.9.3.3. Management Center 1.4.1.1 or earlier is not supported.
This general release for the Cisco SSL Appliance also provides important vulnerability and bug fixes.
There are no new features in SSL Appliance 3.9.3.3.
Changes in Version 3.9.3.2
Cisco SSL Appliance 3.9.3.2
- SSL Appliance Host Categorization Database Update: The Blue Coat Global Intelligence Network that maintains the Cloud services responsible for servicing the Host Categorization functionality on SSL Visibility appliances will be upgrading their root certificate on February 2, 2016, as the previous certificate is due to expire then. The SSL Appliance 3.9.3.2 release installs the new certificate required to access the Global Intelligence Network services. Following an upgrade to SSL Appliance 3.9.3.2, the Host Categorization functionality on SSL Appliances will continue to operate without issue and upgraded appliances will be able to update the Host Categorization database.
- After upgrading to SSL Appliance 3.9.3.2 from a 3.8.x or 3.7.x release on an SSL1500, SSL2000, or SSL8200 appliance, you must update the BIOS. See Update the BIOS for information.
- Cisco recommends adding the following web sites to the Unsupported Sites list, if they are not already present:
– cn=abrca.bluecoat.com
– cn=bto-services.es.bluecoat.com
– cn=device-services.es.bluecoat.com
– cn=subscription.es.bluecoat.com
– cn=validation.es.bluecoat.com
– cn=upload.bluecoat.com
– cn=remote-support.bluecoat.com
– cn=courier.sandbox.push.apple.com
If you perform a patch upgrade, you must manually add the sites to the list. If you restore a previous policy configuration that did not include the new entries in the list, the current policy is overwritten, and the sites must be added again.
To view the complete list or to add sites to the list, open Policies > Subject/Domain Names List in the WebUI and select sslng-unsupported-sites in the Subject/Domain Names Lists panel.
Note Blue Coat Management Center 1.4.2.1 or later is required for monitoring appliances running SSL Visibility 3.9.3.2. Management Center 1.4.1.1 or earlier is not supported.
This general release for the Cisco SSL Appliance also provides important vulnerability and bug fixes.
There are no new features in SSL Appliance 3.9.3.2.
The following sections list the changes in the Version 3.9.3.1 update.
Changes in Version 3.9.3.1
SSL Visibility 3.9.3.1 includes new features:
- Increased security for user session management
- TLS 1.2 support for HSM connections
- Updated SSL Sessions tool available
Failure Mode Options Change: In SSL Appliance 3.9.3.1, the Failure Action (formerly Software Failure Action) configured in the Failure Mode Options for a segment also applies to application port failures for segments configured in Active-Inline Fail-to-Network (AI-FTN) mode. For segments configured in AI-FTN mode, with the Failure Action set to Fail-to-Wire (the default), traffic will be allowed to pass on all network ports in a segment when an application port in that segment goes down (i.e., link-down is detected). When the link has been restored for all application ports, all network ports in the segment will be restored according to the configured Failure Mode Options.
Warning If Fail-to-Wire is configured as the Failure Action, all traffic is allowed to pass while the application port is down. To restore the pre-3.9.3.1 behavior and prevent traffic passing on the network while an application port is down, choose a non-default Failure Action, for example, Drop Packets or Disable Interfaces.
System log enhancement: SSL Appliance 3.9.3.1 provides bracketed alphabetic severity indicators at the beginning of exported system log entries. These characters replace the symbols used in previous releases. If you have scripts that rely on the old prefixes, please update to use the new prefixes. There is no change to the color coding of system log entries in the WebUI.
Severity | New prefix (3.9.3.1 and later) | Previous symbol
FATAL | [F] | !
ERROR | [E] | *
WARN | [W] | #
INFO | [I] | ?
DEBUG | [D] | -
EXTRA | [X] | :
VERBOSE | [V] | >
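The note above tells script owners to update their prefix handling. The following parser is an added example, not code from Cisco or Blue Coat: it accepts both the bracketed 3.9.3.1 prefixes and the earlier symbols from the table, so one script can process exports from appliances on either side of the upgrade. The assumption that the prefix is the first token of each exported line and the rest is free-form text is mine, and the sample lines are constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional

# Severity prefixes of exported system log entries. 3.9.3.1 and later write a
# bracketed letter; earlier releases wrote a single symbol (see the table above).
NEW_PREFIXES = {
    "[F]": "FATAL", "[E]": "ERROR", "[W]": "WARN", "[I]": "INFO",
    "[D]": "DEBUG", "[X]": "EXTRA", "[V]": "VERBOSE",
}
OLD_PREFIXES = {
    "!": "FATAL", "*": "ERROR", "#": "WARN", "?": "INFO",
    "-": "DEBUG", ":": "EXTRA", ">": "VERBOSE",
}
RANK = {name: i for i, name in enumerate(
    ["VERBOSE", "EXTRA", "DEBUG", "INFO", "WARN", "ERROR", "FATAL"])}

# Assumption (not stated in the release notes): the prefix is the first token
# of the line and the remainder of the line is free-form message text.
_ENTRY_RE = re.compile(r"^(\[[FEWIDXV]\]|[!*#?\-:>])\s+(.*)$")


class LogEntry(NamedTuple):
    severity: str
    message: str
    legacy_prefix: bool  # True when the pre-3.9.3.1 symbol form was seen


def parse_entry(line: str) -> Optional[LogEntry]:
    """Return the entry for one exported log line in either prefix style, or None."""
    m = _ENTRY_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    prefix, message = m.groups()
    if prefix in NEW_PREFIXES:
        return LogEntry(NEW_PREFIXES[prefix], message, False)
    return LogEntry(OLD_PREFIXES[prefix], message, True)


def entries_at_least(lines: Iterable[str], minimum: str = "WARN"):
    """Yield parsed entries whose severity is at or above `minimum`."""
    floor = RANK[minimum]
    for line in lines:
        entry = parse_entry(line)
        if entry is not None and RANK[entry.severity] >= floor:
            yield entry


def severity_counts(lines: Iterable[str]) -> Dict[str, int]:
    """Count entries per severity; lines that match neither style count as UNKNOWN."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_entry(line)
        counts[entry.severity if entry else "UNKNOWN"] += 1
    return dict(counts)


# Constructed sample export mixing both prefix styles (message text is invented).
SAMPLE_LOG = [
    "[E] policy activation failed: first missing CA: Example Intermediate CA",
    "[W] duplicate entry while importing external CA list",
    "[I] BIOS and BMC versions read from platform",
    "* legacy-format error line from a 3.9.2.x export",
    "# legacy-format warning line",
    "- legacy-format debug line",
    "not a log entry at all",
]

if __name__ == "__main__":
    for e in entries_at_least(SAMPLE_LOG, "WARN"):
        print(f"{e.severity:<7} legacy={e.legacy_prefix} {e.message}")
    print(severity_counts(SAMPLE_LOG))
```

The `legacy_prefix` flag is worth keeping in any alerting pipeline: once every appliance is on 3.9.3.1 or later, a line that still parses under the old symbol table is a sign that an export came from a box that missed the upgrade.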
- After upgrading to SSL Appliance 3.9.3.1 from a 3.8.x or 3.7.x release on an SSL1500, SSL2000, or SSL8200 appliance, you must update the BIOS.
- Cisco recommends adding the following web sites to the Unsupported Sites list, if they are not already present:
– cn=abrca.bluecoat.com
– cn=bto-services.es.bluecoat.com
– cn=device-services.es.bluecoat.com
– cn=subscription.es.bluecoat.com
– cn=validation.es.bluecoat.com
– cn=upload.bluecoat.com
– cn=remote-support.bluecoat.com
– cn=courier.sandbox.push.apple.com
If you perform a patch upgrade, you must manually add the sites to the list. If you restore a previous policy configuration that did not include the new entries in the list, the current policy is overwritten, and the sites must be added again.
To view the complete list or to add sites to the list, open Policies > Subject/Domain Names List in the WebUI and select sslng-unsupported-sites in the Subject/Domain Names Lists panel.
Note Blue Coat Management Center 1.4.2.1 or later is required for monitoring appliances running SSL Visibility 3.9.3.1. Management Center 1.4.1.1 or earlier is not supported.
This release for the Cisco SSL Appliance also provides important vulnerability and bug fixes.
The following sections list the changes in the Version 3.9.3.2 update.
Changes in Version 3.9.3.2
- SSL Visibility no longer caches Invalid certificate validation results for reused sessions.
- Security update to correct vulnerabilities in OpenSSL. This update also extends the "Logjam" vulnerability mitigation for TLS clients by increasing the Diffie-Hellman parameter handshake requirement to 1024 bits.
Tip The SSL Appliance 3.9.3.2 Open Source Attributions file does not list the updated version of OpenSSL. However, the OpenSSL version used in SSL Visibility 3.9.3.2 does include these updates.
- Enhanced the ability for SSL Visibility to restart flows in which multiple packets are lost between endpoints.
- Original Time to Live (TTL) value is now used when generating Early Acknowledgements.
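The Logjam item above (repeated under Resolved Issues for 3.9.3.2) raises the minimum Diffie-Hellman modulus the appliance accepts as a TLS client to 1024 bits. The block below is an added example, not appliance code: it parses the ServerDHParams structure of a DHE ServerKeyExchange (RFC 5246 section 7.4.3) and applies that minimum, measuring the modulus by its integer bit length so that a padded wire encoding cannot disguise a 512-bit export-grade modulus. The moduli used as input are constructed for size only and are not primes.

```python
import struct
from typing import Tuple

# Minimum DH modulus size the 3.9.3.2 release enforces for TLS client
# handshakes, as stated in the release notes.
MIN_DH_MODULUS_BITS = 1024


class WeakDHParameters(Exception):
    """Raised when a server offers DH parameters below the configured minimum."""


def parse_server_dh_params(body: bytes) -> Tuple[int, int, int, bytes]:
    """Parse ServerDHParams from a DHE ServerKeyExchange body (RFC 5246, 7.4.3).

    Layout: dh_p, dh_g, dh_Ys, each a 2-byte length followed by that many
    bytes; whatever follows (the signature) is returned untouched.
    """
    fields = []
    offset = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad length for {name}")
        fields.append(int.from_bytes(body[offset:offset + length], "big"))
        offset += length
    p, g, ys = fields
    return p, g, ys, body[offset:]


def dh_modulus_bits(p: int) -> int:
    """Effective modulus size. bit_length() ignores leading zero bytes in the
    wire encoding, so padding dh_p cannot make a weak modulus look larger."""
    return p.bit_length()


def check_server_dh_params(body: bytes, minimum_bits: int = MIN_DH_MODULUS_BITS) -> int:
    """Return the modulus size in bits, or raise WeakDHParameters / ValueError."""
    p, _g, ys, _signature = parse_server_dh_params(body)
    bits = dh_modulus_bits(p)
    if bits < minimum_bits:
        raise WeakDHParameters(f"{bits}-bit DH modulus is below the {minimum_bits}-bit minimum")
    if not 1 < ys < p - 1:  # also reject degenerate public values
        raise WeakDHParameters("dh_Ys outside the range (1, p-1)")
    return bits


def dh_params_acceptable(body: bytes, minimum_bits: int = MIN_DH_MODULUS_BITS) -> bool:
    """Boolean wrapper: True only if the parameters parse and meet the minimum."""
    try:
        check_server_dh_params(body, minimum_bits)
        return True
    except (WeakDHParameters, ValueError):
        return False


def encode_server_dh_params(p: int, g: int, ys: int, pad_modulus: bool = False) -> bytes:
    """Build ServerDHParams bytes (no signature) as test input."""
    out = b""
    for index, value in enumerate((p, g, ys)):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        if pad_modulus and index == 0:
            raw = b"\x00" + raw  # legal encoding with a leading zero byte
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed moduli: only their sizes matter here; they are NOT primes.
P_EXPORT_512 = (1 << 511) | 1  # 512-bit "export grade" size exploited by Logjam
P_2048 = (1 << 2047) | 1       # 2048-bit size
G = 2
SAMPLE_WEAK = encode_server_dh_params(P_EXPORT_512, G, P_EXPORT_512 // 3)
SAMPLE_STRONG = encode_server_dh_params(P_2048, G, P_2048 // 3)
# 512-bit modulus sent as 65 bytes on the wire; still 512 bits.
SAMPLE_PADDED_WEAK = encode_server_dh_params(P_EXPORT_512, G, P_EXPORT_512 // 3, pad_modulus=True)

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("padded weak", SAMPLE_PADDED_WEAK), ("strong", SAMPLE_STRONG)):
        print(f"{label}: acceptable={dh_params_acceptable(sample)}")
```

A 1024-bit floor stops the export-grade downgrade described by Logjam; it does not make a 1024-bit group strong against a well-resourced attacker, so a minimum of 2048 bits is the better policy wherever the servers being inspected support it.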
The following sections list the changes in the Version 3.9.3.1 update.
Changes in Version 3.9.3.1
- SSL Appliance 3.9.3.1 terminates an active user session if the user is deleted or the user's roles are changed.
- A user session is not terminated if the user changes his/her own roles.
- SSL Appliance 3.9.3.1 adds TLS 1.2 support for connections to versions of the SafeNet Java HSM (formerly Luna SP) that use TLS 1.2.
- Version 1.6.4 of the off-box Python SSL Sessions tool is available. Version 1.6.4 fixes an issue with data export from the user interface. Use the SSL Sessions tool to parse SSL session log information within an exported session log generated by an SSL Appliance. The tool and tool documentation (sslsessions.pdf) are available on BlueTouchOnline (https://bto.bluecoat.com/) in Downloads. A Getting Started Guide is available on BTO Documentation.
The following sections list the changes in the Version 3.9.2.2 update.
Changes in Version 3.9.2.2
- The SSL Appliance 3.9.2.2 patch release adds TLS 1.2 support for connections to versions of the SafeNet Java HSM (formerly Luna SP) that use TLS 1.2.
- Cisco recommends adding the following web sites to the Unsupported Sites list, if they are not already present:
– cn=abrca.bluecoat.com
– cn=bto-services.es.bluecoat.com
– cn=device-services.es.bluecoat.com
– cn=subscription.es.bluecoat.com
– cn=validation.es.bluecoat.com
If you perform a patch upgrade, you must manually add the sites to the list. If you restore a previous policy configuration that did not include the new entries in the list, the current policy is overwritten, and the sites must be added again.
To view the complete list or to add sites to the list, open Policies > Subject/Domain Names List in the WebUI and select sslng-unsupported-sites in the Subject/Domain Names Lists panel.
Note Blue Coat Management Center 1.4.2.1 or later is required for monitoring appliances running SSL Appliance 3.9.2.2. Management Center 1.4.1.1 or earlier is not supported.
The following sections list the changes in the Version 3.9.2.1 update.
Changes in Version 3.9.2.1
- Cisco recommends adding the following web sites to the Unsupported Sites list, if they are not already present:
– cn=abrca.bluecoat.com
– cn=bto-services.es.bluecoat.com
– cn=device-services.es.bluecoat.com
– cn=subscription.es.bluecoat.com
– cn=validation.es.bluecoat.com
If you perform a patch upgrade, you must manually add the sites to the list. If you restore a previous policy configuration that did not include the new entries in the list, the current policy is overwritten, and the sites must be added again.
To view the complete list or to add sites to the list, open Policies > Subject/Domain Names List in the WebUI and select sslng-unsupported-sites in the Subject/Domain Names Lists panel.
Note Blue Coat Management Center 1.4.2.1 or later is required for monitoring appliances running SSL Visibility 3.9.2.1. Management Center 1.4.1.1 or earlier is not supported.
This general release for the Cisco SSL Appliance also provides important vulnerability and bug fixes.
The following sections list the changes in the Version 3.9.2 update.
Changes in Version 3.9.2
Cisco SSL Appliance 3.9.2
- After upgrading to 3.9.2 on a Cisco SSL Appliance, you must update the BIOS. See Update the BIOS for information.
- SSL 3.9.2 adds the following web sites to the Unsupported Sites list:
– abrca.bluecoat.com
– bto-services.es.bluecoat.com
– device-services.es.bluecoat.com
– subscription.es.bluecoat.com
– validation.es.bluecoat.com
To view the complete list, open Policies > Subject/Domain Names List in the WebUI and select sslng-unsupported-sites in the Subject/Domain Names Lists panel.
Note Blue Coat Management Center 1.4.2.1 or later is required for monitoring appliances running SSL 3.9.2. Management Center 1.4.1.1 or earlier is not supported.
This general release for the Cisco SSL Appliance also provides important vulnerability and bug fixes.
The following sections list the changes in the Version 3.8.6 update.
Changes in Version 3.8.6
- Cisco SSL Appliance 3.8.6 implements IF-MIB ifXTable support for 64-bit SNMP interface octet and packet counters. The following new 64-bit counters are supported:
– ifHCInOctets
– ifHCInUcastPkts
– ifHCInMulticastPkts
– ifHCInBroadcastPkts
– ifHCOutOctets
– ifHCOutUcastPkts
– ifHCOutMulticastPkts
– ifHCOutBroadcastPkts
- Version 1.6.2 of the off-box Python SSL Sessions tool is available. Version 1.6.2 supports data export in space-delimited format, for use with Blue Coat Reporter. Use the SSL Sessions tool to parse SSL session log information within an exported session log generated by a Cisco SSL Appliance. The tool and tool documentation (sslsessions.pdf) are available on cisco.com. A Getting Started Guide is also available.
- Version 1.1.0 of the off-box Python SSL Diagnostics tool is available. Version 1.1.0 supports data export in space-delimited format, for use with Blue Coat Reporter. Use the SSL Diagnostics tool to parse statistics within a diagnostic package collected by a Cisco SSL Appliance. The tool and tool documentation (ssldiags.pdf) are available on cisco.com. A Getting Started Guide is also available.
Changes in Version 3.8.5
There are no new features in 3.8.5.
Changes in Version 3.8.4
- Enable/Disable Rule Setting: You can now disable a rule within a ruleset. When creating or editing a rule, the new Enabled option is selected by default; the rule is active (and its location in the ruleset matters as usual). When cleared, the rule is not processed.
The setting is also shown per rule in the Rulesets > Rules panel, as True (enabled) or False (disabled) in the new Enabled column.
In most situations, all rules should be set to True. If you are debugging a ruleset, you might use the False setting (that is, deselect Enabled for that rule), applying it to one rule at a time.
Two new tools display in the Rules panel, as part of the disable rules feature:
Click Enable Rule to enable a highlighted disabled rule.
Click Disable Rule to disable the highlighted rule.
When a rule is disabled, its background is displayed in yellow.
Click Apply at the Policy Changes message in the footer after enabling or disabling a rule.
- Feedback Timeout Setting: SSL Appliance 3.8.4 supports a new loopback feedback timer. The new Appliance Feedback Options panel replaces the Plaintext Marker panel on the Segments window. Feedback Timeout is a new setting in that panel, which determines how long the SSL Appliance waits for a response before canceling a request and interrupting the SSL flow. Selecting the Extended timeout allows a more time-consuming request, such as one to the cloud, to complete. The Default is 1 second. The Extended period is 5 seconds.
The Plaintext Marker Type and Marker MAC Address settings are unchanged.
- Resigning CA Certificate Chain: SSL Appliance 3.8.4 provides support for including the resigning CA certificate chain in resigned SSL sessions. This allows SSL clients to validate resigned certificates without auto-downloading the resigning CA certificate chain. Here is the basic procedure:
– On the Segment > System Options panel, check the new Append Resigning CA Chains to Resigned Certificates option. The SSL Appliance will include the resigning CA certificate chain (configured in the PKI store) in the SSL session.
– On the PKI > External Certificate Authorities window, add all CAs from the resigning certificate chain to the External Certificate Authorities list.
Once certificates have been added to the default External Certificate Authorities List, optionally create a new External Certificate Authorities List, and add the intermediate CAs which are included in the chain.
– On the PKI > Resigning Certificate Authorities window, add or edit a resigning certificate, Local or HSM. Select the required Certificate Chain External CAs.
Local CA example
HSM CA example
Click OK (on an Edit window) or Add (on an Add window), then Apply the changes.
– Verify the CA chain. On the PKI > Resigning Certificate Authorities window, highlight the resigning CA, then click the Test Certificate Chain icon (chain link).
If the CA chain is complete, you will see a "Complete certificate chain is present" message.
If the CA chain is incomplete, you will see an "Incomplete certificate chain, first missing CA: <name>" message. Add the missing CA to the External Certificate Authorities List.
– Configure a new segment with a ruleset using the appended resigning CA.
– Notes:
During policy activation, the appliance will load the certificate chain for each active resigning CA from the External CAs.
If a full certificate chain is not found for a resigning CA, a message will appear in the System Log, which identifies the first missing CA. The SSL Appliance will load the partial CA chain and include it with resigned certificates in inspected SSL sessions.
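The chain test and the policy-activation behaviour described above (complete chain, or a partial chain plus a "first missing CA" message) amount to walking issuer links from the resigning CA up to a self-signed root through the External CA list. The block below is an added example of that walk, not appliance code. It models certificates by subject and issuer name only (a constructed stand-in; real chain building must also match key identifiers and verify signatures), and the CA names and the wording of the log message are invented.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CaCert:
    """Constructed stand-in for an X.509 CA certificate: only names are modelled.
    Real code must match Authority/Subject Key Identifiers and verify each
    signature rather than trusting the subject name alone."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_resigning_chain(resigning_ca: CaCert, external_cas: Dict[str, CaCert]
                          ) -> Tuple[List[CaCert], Optional[str]]:
    """Walk issuer links from the resigning CA up to a self-signed root.

    Returns (chain, first_missing_ca). When an issuer is not in the External
    CA list (or the links form a cycle), the partial chain found so far is
    returned together with the name of the first CA that could not be found.
    """
    chain = [resigning_ca]
    seen = {resigning_ca.subject}
    current = resigning_ca
    while not current.self_signed:
        parent = external_cas.get(current.issuer)
        if parent is None or parent.subject in seen:
            return chain, current.issuer
        chain.append(parent)
        seen.add(parent.subject)
        current = parent
    return chain, None


def certificate_chain_status(resigning_ca: CaCert, external_cas: Dict[str, CaCert]) -> str:
    """Verdict text matching the WebUI 'Test Certificate Chain' messages."""
    _chain, missing = build_resigning_chain(resigning_ca, external_cas)
    if missing is None:
        return "Complete certificate chain is present"
    return f"Incomplete certificate chain, first missing CA: {missing}"


def activate_policy(resigning_cas: List[CaCert], external_cas: Dict[str, CaCert]
                    ) -> Tuple[Dict[str, List[CaCert]], List[str]]:
    """Load the chain for every active resigning CA, as policy activation does.
    Partial chains are still loaded; each gap yields a log line (wording invented)."""
    loaded: Dict[str, List[CaCert]] = {}
    log: List[str] = []
    for ca in resigning_cas:
        chain, missing = build_resigning_chain(ca, external_cas)
        loaded[ca.subject] = chain
        if missing is not None:
            log.append(f"[W] resigning CA '{ca.subject}': incomplete certificate chain, "
                       f"first missing CA: {missing}")
    return loaded, log


# Constructed PKI: root -> intermediate -> resigning CA used for inspection.
ROOT = CaCert("Example Root CA", "Example Root CA")
INTERMEDIATE = CaCert("Example Intermediate CA", "Example Root CA")
RESIGNING = CaCert("Corp SSLV Resigning CA", "Example Intermediate CA")
FULL_STORE = {c.subject: c for c in (ROOT, INTERMEDIATE)}
STORE_MISSING_INTERMEDIATE = {ROOT.subject: ROOT}

if __name__ == "__main__":
    print(certificate_chain_status(RESIGNING, FULL_STORE))
    print(certificate_chain_status(RESIGNING, STORE_MISSING_INTERMEDIATE))
    _chains, messages = activate_policy([RESIGNING], STORE_MISSING_INTERMEDIATE)
    print("\n".join(messages))
```

Run the status check after every External CA list change and before activating policy: a partial chain is still served to clients, and whether they accept it depends on whether they happen to have the missing intermediate cached.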
Changes in Version 3.8.3
- The power-off Fail-to-Wire mode is now configurable. On the Segments > System Options panel, Enable Power-off Fail-To-Wire is selected by default; on power-off, traffic is directed from the incoming port to the paired port. When deselected, traffic is redirected into the SSL Appliance rather than the paired port, and no traffic gets through.
- The SNMP configuration is now configurable under a new SNMP Access tab in the Platform Management menu. SNMP v3 is now supported. You can configure, enable, or disable SNMP management access; v1/2c and v3 may be enabled or disabled independently. The MIBs are available in a separate zip file (MIBS_SSLV- 3.8.3.zip).
All SNMP access is disabled by default. SNMP v1/v2c access is disabled until a Community String is configured. SNMP v3 access is disabled until an SNMP User account is created. Separate, unique Trap User accounts are required for generating traps.
- VLAN tags may be translated between ports on the new VLAN Mappings panel on the Segments screen.
- A new off-box Python SSL Diagnostics tool is available. Use it to parse statistics within a diagnostic package collected by a SSL Appliance. The tool and tool documentation (ssldiags.pdf) are available in a ssldiags-n.n.n.zip file (where n.n.n is the version number) on BTO.
- A new off-box Python SSL Sessions tool is available. Use it to parse SSL session log information within an exported session log generated by a SSL Appliance. The tool and tool documentation (sslsessions.pdf) are available in a sslsessions-n.n.n.zip file (where n.n.n is the version number) on BTO.
- The new default RSA key size for generating client certificates and keys is 2048-bit. The default RSA key size for generating a local resigning CA remains 1024-bit.
- Support has been added for identifying additional Camellia, ARIA, and AES CCM cipher suites in the SSL Session Log.
- The SSL Appliance now supports inspecting SSL sessions with the following cipher suites:
– TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
– TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
– TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
– TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
- A new CLD command for exporting SSL Session Logs is available: session log export.
- If an appliance receives a VLAN tagged packet of less than 68 bytes, the appliance will pad it to 68 bytes before forwarding the packet.
- Each appliance model may have a distinct BIOS and BMC version. The BIOS and BMC versions are now displayed on the LCD screen. The following table presents the correct version for each model, as well as the BMC software version.
Model | BIOS version | BMC version | Note
SSL1500 | AQNIS100 | 4.00 |
SSL2000 | S5500.86B.01.00.0061.030920121535 | 0.60 | BIOS: only the four unique digits display on the LCD, for example "0061."
SSL8200 | S5500.86B.01.00.0061.030920121535 | 0.60 | BIOS: only the four unique digits display on the LCD, for example "0061."
Note If you are getting a "Firmware Mismatch" message on the LCD, run the bios update Command Line Diagnostic (CLD) command in order to upgrade the BMC. The BIOS upgrade may take up to an hour; do not interrupt the process.
- The SSL Appliance has a new root OID based on the prefix .1.3.6.1.4.1.3417. The SSL Appliance models are now represented by this root OID plus the following OID extensions:
– 1.5.2 = SSL1500
– 1.5.3 = SSL2000
– 1.5.4 = SSL8200
Changes in Version 3.8.2
There are no new features in 3.8.2.
Changes in Version 3.8.1
- The Dashboard panel graphic for the SSL1500 now reflects the -C or -F connectors appropriate for the appliance in use.
- An Uptime indicator now appears on the Dashboard, indicating the length of time since the appliance was last restarted or reset. The supporting CLD command uptime is also available.
- The Change Selected Categories window in the Host Categorization feature now includes an Invert button; use it to quickly select or deselect all categories.
- The SSL Appliance license may now be exported from the License window.
- The SSL Appliance now has a root OID:
– 14501.12 = Cisco SSL Appliance Product Family
– 14501.12.2 = SSL1500
– 14501.12.3 = SSL2000
– 14501.12.4 = SSL8200
- Luna SP HSM support enables the SSL Appliance to use the networked Luna SP HSM to store resigning CA keys and to perform digital signature operations.
- IPv6 is now supported for use on the management network port. IPv4 and IPv6 may be configured concurrently on the management network. IPv6 is supported in the following configuration modes: SLAAC, SLAAC + Stateless DHCP, and Static.
- Meeting the STIG V-3013 requirements, a notice and consent login banner may be configured. The banner is presented to the user before login, and must be accepted in order for the login to proceed.
- Access Control Lists (ACL) may be configured to authorize or restrict access to incoming connections on the management network. Independent ACLs are available for IPv4 and IPv6 traffic. This feature meets STIG V-19076 requirements.
- Traffic Class Lists may be used to construct policy which decides whether or not to intercept an SSL flow based on QoS bytes, including but not limited to DiffServ values.
Resolved Issues
The following issues have been resolved in Version 3.9.3.3:
- E-mail alerts are now correctly triggered by events in the system log.
- Early ACK responses for partial certificates sent to the SSL Visibility appliance are now sent to the correct interface in asymmetric topologies.
- Security update to address a vulnerability in DNS resolution routines in the GNU C Library (glibc). (CVE-2015-7547) See Blue Coat Security Advisory SA114 for more information.
- The following Common Vulnerabilities and Exposures (CVE) have been addressed in 3.9.3.3:
– CVE-2015-7547
The following issues have been resolved in Version 3.9.3.2:
- SSL Appliance no longer caches Invalid certificate validation results for reused sessions.
- Security update to correct vulnerabilities in OpenSSL. This update also extends the "Logjam" vulnerability mitigation for TLS clients by increasing the Diffie-Hellman parameter handshake requirement to 1024 bits.
Note The SSL Appliance 3.9.3.2 Open Source Attributions file does not list the updated version of OpenSSL. However, the OpenSSL version used in SSL Appliance 3.9.3.2 does include these updates.
- Enhanced the ability for SSL Appliance to restart flows in which multiple packets are lost between endpoints.
- Original Time to Live (TTL) value is now used when generating Early Acknowledgements.
- The following Common Vulnerabilities and Exposures (CVE) have been addressed in 3.9.3.2:
– CVE-2016-0701
– CVE-2015-3197
– CVE-2015-4000 (updated)
The following issues have been resolved in Version 3.9.3.1:
- Security update to correct vulnerabilities in Portable Network Graphics file library (libpng).
- Security update to correct vulnerabilities in use of MD5 in TLS 1.2 connections in Secure Socket Layer (SSL) cryptographic library and tools.
- Security update to correct vulnerabilities in use of MD5 in TLS 1.2 connections in GNU TLS.
- Security update to correct vulnerabilities in DHCP server, client, and relay.
- Security update to correct vulnerabilities in OpenSSH client experimental support for resuming connections.
- Fixed an issue in which the debug ping CLD command could cause high CPU usage.
- Security update to correct vulnerabilities in libxml2.
- Security updates to correct vulnerabilities in OpenSSH authentication routines.
- Security update to correct vulnerabilities in Secure Socket Layer (SSL) cryptographic library and tools.
- Security update to correct vulnerabilities in GNU TLS library.
- Fixed an issue in which the SSL Visibility appliance could generate an ACK packet with an incorrect MAC during handling of network error conditions, if it had not seen both sides of a connection.
- Security update to correct vulnerabilities in Portable Network Graphics file library (libpng).
- The ssldebug.log file is correctly rotated and replaced after it reaches 200 MB.
- The following Common Vulnerabilities and Exposures (CVE) have been addressed in 3.9.3.1:
– CVE-2012-3425
– CVE-2015-1794
– CVE-2015-3193
– CVE-2015-3194
– CVE-2015-3195
– CVE-2015-3196
– CVE-2015-5312
– CVE-2015-5352
– CVE-2015-5600
– CVE-2015-6563
– CVE-2015-6564
– CVE-2015-7497
– CVE-2015-7498
– CVE-2015-7499
– CVE-2015-7500
– CVE-2015-7575
– CVE-2015-7981
– CVE-2015-8126
– CVE-2015-8241
– CVE-2015-8242
– CVE-2015-8317
– CVE-2015-8472
– CVE-2015-8540
– CVE-2015-8605
– CVE-2016-0777
– CVE-2016-0778
The following issues have been resolved in Version 3.9.2.2:
- Security update to correct vulnerabilities in libxml2.
- Security update to correct vulnerabilities in the Network Time Protocol (NTP) and its utility programs.
- Security update to correct vulnerabilities in Kerberos.
- The following Common Vulnerabilities and Exposures (CVE) have been addressed in 3.9.2.2:
– CVE-2002-2443
– CVE-2014-5355
– CVE-2015-1819
– CVE-2015-2694
– CVE-2015-2695
– CVE-2015-2696
– CVE-2015-2697
– CVE-2015-2698
– CVE-2015-5146
– CVE-2015-5194
– CVE-2015-5195
– CVE-2015-5196
– CVE-2015-5219
– CVE-2015-5300
– CVE-2015-7691
– CVE-2015-7692
– CVE-2015-7701
– CVE-2015-7702
– CVE-2015-7703
– CVE-2015-7704
– CVE-2015-7705
– CVE-2015-7850
– CVE-2015-7852
– CVE-2015-7853
– CVE-2015-7855
– CVE-2015-7871
– CVE-2015-7941
– CVE-2015-7942
– CVE-2015-8035
The following issues have been resolved in Version 3.9.2.1:
- TLS 1.2 is now correctly detected as SSL when searching in SSLv2 records.
- SSL Visibility VLAN translation now correctly translates SNAP encapsulated packets.
- Increased the flow table size.
- Corrected an issue in which running a packet capture could interrupt VLAN translated traffic.
- Corrected an issue in which IPv4 Access Control Lists did not take effect for several minutes.
- Corrected an issue that caused certificate verification errors with ECDSA resigned flows.
- The User Management screens in the WebUI now correctly show more than ten users.
- Corrected an issue in which the High Availability Manual Reset option behaved inconsistently in Passive-Inline deployments.
- Corrected an issue in which power-off fail-to-wire (FTW) did not work on the SSL1500 fiber interface.
- Corrected an issue in which the appliance became unmanageable from the WebUI if the Hostname was set to localhost.localdomain and the configured DNS server became unreachable.
The following issues have been resolved in Version 3.8.6:
- Fixed an issue that prevented connections to Google Chrome services (such as Gmail) when SSL Visibility was decrypting the traffic.
- Fixed an issue in which use of a debug CLD command resulted in a failure in daemon communication, causing the Host Categorization license to be listed as "Unknown".
- Fixed potential memory leaks in PKI handling routines.
- Fixed an issue in which SNMP traps could be sent for unused interfaces.
- Security update to correct vulnerabilities in the SQLite v3 library.
- Security updates to correct vulnerabilities in Perl 5 Compatible Regular Expression Library (PCRE).
- Security updates to correct vulnerabilities in Python 2.7.x.
- Fixed a certificate validation timeout issue that could produce "Invalid Issuer" errors.
- Fixed a memory leak in a statistics collection routine.
- Fixed a condition that produced a "CSRF tokens required" or "CSRF token mismatch" error when logging in after a WebUI session had expired.
- The following Common Vulnerabilities and Exposures (CVE) have been addressed in 3.8.6:
– CVE-2013-1752
– CVE-2013-1753
– CVE-2013-7443
– CVE-2014-4616
– CVE-2014-4650
– CVE-2014-7185
– CVE-2014-8964
– CVE-2015-2325
– CVE-2015-2326
– CVE-2015-3210
– CVE-2015-3414
– CVE-2015-3415
– CVE-2015-3416
– CVE-2015-5073
The following issues have been resolved in Version 3.8.5:
- The Cisco SSL Appliance's session cache lookup logic has been redesigned in order to reduce the frequency of cache miss errors.
Note If SSL traffic traverses the Cisco SSL Appliance more than once, a Layer3/Layer4 cut-through rule that is applied at the Client Hello packet must be created as the first rule in the security policy for one direction of the flow (see below).
- Rulesets now allow Layer3/Layer4 rules to be applied at the Client Hello packet. To be applied at the Client Hello packet, rules must use Layer3/Layer4 match fields exclusively, and occur before any non-Layer3/Layer4 rules in the ruleset. Valid fields are:
– Source IP address (or list of addresses)
– Destination IP address (or list of addresses)
– Destination Port
– Traffic Class
– An Action of Drop, Cut Through or Reject
Note All Layer3/Layer4 rules that you want to be applied at the Client Hello packet must occur before any non-Layer3/Layer4 rules in the ruleset. Once the policy reaches a rule that includes non-Layer3/Layer4 match fields, all subsequent rules will be applied at the Server Hello/Server Certificate level.
- In order to enhance security, TLS v1.0 is no longer supported in the SSL Appliance WebUI. The SSL Appliance WebUI supports TLS v1.1 and TLS v1.2. As a result, Management Center 1.4.1.1 or earlier is not supported for monitoring appliances running SSL Appliance 3.8.5. Contact Customer Support for more information.
- Improved inter-process communication to reduce the frequency of "No such file or directory" error messages.
- This general release for the SSL1500, SSL2000, and SSL8200 systems includes no new features. It provides a number of important vulnerability and bug fixes.
- Users logged in under Terminal Access Controller Access-Control System (TACACS) can add licenses if the user has the appropriate roles.
- Reduced the frequency of "Alert 86 (invalid_fallback)" error messages when using a web browser.
- Security improvement to address the "Logjam" vulnerability. The SSL Appliance WebUI now rejects Diffie-Hellman keys smaller than 768 bits.
- Security improvement to enable TLS v1.2 by default in the SSL Appliance WebUI.
- Fixed an issue in which the SSL Appliance could forward a packet dropped by an IPS if the stream is out of order.
- Fixed an issue in which a TCP flow could stall when an upstream server missed client acknowledgments.
- The bootstrap process no longer reverts to local storage if a USB drive is not inserted into the SSL appliance when USB is selected as the Master Key Storage Location. The appliance waits until a USB has been inserted to create the master key.
- The following Common Vulnerabilities and Exposures (CVE) have been addressed in 3.8.5:
– CVE-2011-3389
– CVE-2014-8176
– CVE-2015-1788
– CVE-2015-1789
– CVE-2015-1790
– CVE-2015-1791
– CVE-2015-1792
– CVE-2015-4000
– CVE-2015-3143
– CVE-2015-3144
– CVE-2015-3145
– CVE-2015-3148
– CVE-2015-3153
– CVE-2015-3622
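The rule-stage ordering described in the 3.8.5 notes above, as an added example that is not the appliance's own code: each rule is classified as Client Hello-stage (Layer3/Layer4 fields only, with a Drop, Cut Through or Reject action) or Server Hello-stage, and a flow is then evaluated at either stage. The rule names, addresses and the `decrypt_resign` action name are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Match fields and actions the release notes allow in a Client Hello-stage rule.
L3L4_FIELDS = {"src_ip", "dst_ip", "dst_port", "traffic_class"}
L3L4_ACTIONS = {"drop", "cut_through", "reject"}


@dataclass
class Rule:
    name: str
    action: str
    match: dict  # field name -> value; IP fields take a CIDR string or a list of them


def is_l3l4_only(rule):
    """True when the rule is eligible to be applied at the Client Hello packet."""
    return set(rule.match) <= L3L4_FIELDS and rule.action in L3L4_ACTIONS


def assign_stages(ruleset):
    """Stage at which each rule is applied, following the ordering rule in the notes:
    rules before the first non-Layer3/Layer4 rule run at the Client Hello; every rule
    from that point on runs at the Server Hello / Server Certificate level."""
    stages, at_client_hello = [], True
    for rule in ruleset:
        if at_client_hello and not is_l3l4_only(rule):
            at_client_hello = False
        stages.append("client_hello" if at_client_hello else "server_hello")
    return stages


def _field_matches(field_name, wanted, flow):
    seen = flow.get(field_name)
    if seen is None:
        return False  # not known yet (e.g. the server CN before the Server Hello)
    if field_name in ("src_ip", "dst_ip"):
        networks = wanted if isinstance(wanted, list) else [wanted]
        return any(ip_address(seen) in ip_network(net) for net in networks)
    return seen == wanted


def first_match(ruleset, flow, stage):
    """First rule matching `flow` at `stage` ("client_hello" or "server_hello");
    returns (rule name, action) or None when nothing matches at that stage."""
    for rule, rule_stage in zip(ruleset, assign_stages(ruleset)):
        if stage == "client_hello" and rule_stage != "client_hello":
            break  # the remaining rules wait for the Server Hello
        if all(_field_matches(f, v, flow) for f, v in rule.match.items()):
            return rule.name, rule.action
    return None


# Constructed ruleset (hypothetical names and addresses). Rule 1 is the kind of
# cut-through rule the Note recommends when traffic traverses the appliance twice:
# the return leg is cut through at the Client Hello so it is never inspected again.
RULESET = [
    Rule("cut-through-return-leg", "cut_through", {"src_ip": "10.1.0.0/16"}),
    Rule("decrypt-portal", "decrypt_resign", {"server_cn": "www.example.com"}),
    # Layer3/Layer4-only, but it follows a non-Layer3/Layer4 rule, so it is
    # applied at the Server Hello rather than at the Client Hello.
    Rule("drop-alt-port", "drop", {"dst_port": 8443}),
]

if __name__ == "__main__":
    print(assign_stages(RULESET))
    flow = {"src_ip": "10.1.2.3", "dst_ip": "192.0.2.10", "dst_port": 443}
    print(first_match(RULESET, flow, "client_hello"))
```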
The following issues have been resolved in Version 3.8.4:
- Legacy browser versions now correctly display the declared content type, and the X-Content-Type-Options header is set to nosniff.
- The web browser's cross-site scripting prevention filter is now correctly enabled.
- JavaScript code which sets HTML elements is no longer at risk of attack due to HTML misinterpretation. The risk was eliminated by replacing code that sets HTML elements with code that sets innerText (which is not interpreted), or with code that directly manipulates the Document Object Model (DOM).
- Resolved an issue where Mac or Windows users browsing with Chrome encountered bad-record-mac messages when contacting sites such as Facebook.com and Panera.com.
- Sensitive system error messages are no longer seen on the SSL Appliance.
- Added cross-site request forgery (CSRF) protection. Cookies used in user requests to sites are protected transparently.
- Sensitive cookies are now marked as such, so they may not be modified by client-side scripting languages. This reduces users' susceptibility to web-based attack vectors.
- Sensitive cookies are marked as secure, so they may no longer be transmitted over unencrypted connections, which could otherwise expose their values to attackers.
- The SSL Appliance now includes protections against certain frame-based attacks such as clickjacking and cross-frame scripting.
- A user's session ID is now renewed after login, reducing the vulnerability of a session to hijacking.
- When configuring IPv6 DHCP, the appliance now allows a default gateway to be set.
- When an appliance is rebooted only once after applying several management network changes at the same time, the appliance no longer stops responding.
- The following Common Vulnerabilities and Exposures (CVE) have been addressed in 3.8.4:
– CVE-2013-0211
– CVE-2014-3591
– CVE-2014-5270
– CVE-2014-8155
– CVE-2014-9680
– CVE-2015-0282
– CVE-2015-0294
– CVE-2015-1799
– CVE-2015-0837
– CVE-2015-1606
– CVE-2015-1607
– CVE-2015-1798
– CVE-2015-2304
– CVE-2015-2806
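A check for the WebUI hardening items listed for 3.8.4 above (nosniff, the browser XSS filter, clickjacking protection, HttpOnly and Secure session cookies, and session ID renewal at login), as an added example rather than code from the appliance. The two HTTP responses are constructed, not captured from a real appliance, and the cookie name `session` is an assumption.

```python
# Constructed responses (not captured from a real appliance) as they might look
# before and after the 3.8.4 hardening. The cookie name "session" is an assumption.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: session=def456; Path=/; Secure; HttpOnly
"""


def parse_headers(raw):
    """Header list as (lower-cased name, value) pairs; repeated headers are kept."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def values(headers, name):
    return [v for n, v in headers if n == name]


def cookie_attributes(set_cookie):
    """Cookie name and the set of its lower-cased attribute names (secure, httponly, ...)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_webui_response(raw, session_cookie="session"):
    """One finding per missing 3.8.4 protection; an empty list means all are present."""
    headers = parse_headers(raw)
    findings = []
    if not any(v.lower() == "nosniff" for v in values(headers, "x-content-type-options")):
        findings.append("X-Content-Type-Options: nosniff missing")
    if not any(v.startswith("1") for v in values(headers, "x-xss-protection")):
        findings.append("browser XSS filter not enabled (X-XSS-Protection)")
    framed = any(v.upper() in ("DENY", "SAMEORIGIN") for v in values(headers, "x-frame-options"))
    framed = framed or any("frame-ancestors" in v for v in values(headers, "content-security-policy"))
    if not framed:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    for set_cookie in values(headers, "set-cookie"):
        name, attrs = cookie_attributes(set_cookie)
        if name != session_cookie:
            continue
        if "httponly" not in attrs:
            findings.append("session cookie readable by client-side script (HttpOnly missing)")
        if "secure" not in attrs:
            findings.append("session cookie may be sent over cleartext (Secure missing)")
    return findings


def session_id_renewed(pre_login_set_cookie, post_login_set_cookie):
    """True when the same cookie carries a different identifier after login."""
    pre = pre_login_set_cookie.split(";")[0].strip()
    post = post_login_set_cookie.split(";")[0].strip()
    return pre.split("=", 1)[0] == post.split("=", 1)[0] and pre != post


if __name__ == "__main__":
    for finding in audit_webui_response(WEAK_RESPONSE):
        print("weak:", finding)
    print("hardened:", audit_webui_response(HARDENED_RESPONSE) or "no findings")
```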
The following issues have been resolved in Version 3.8.3:
- When running a packet capture on an SSL2000 or SSL8200, existing flows are cut-through, so traffic is no longer dropped.
- The SSL Appliance no longer intermittently forwards packets dropped by the attached appliance.
- TCP packets are no longer received at the client out of order.
- Recent SSL1500 hardware no longer reports a firmware version mismatch message on the LCD screen or in the System Log. If you see a mismatch message on the LCD screen after upgrading to SSL Appliance 3.8.3, run the BIOS update CLD command. The upgrade may take up to an hour; do not interrupt the process.
- When performing a manual test, or if an HSM resigning failure occurs, the corresponding System Log message now correctly appears in red text.
- After upgrading to SSL Appliance 3.8.3, you will no longer see the message "mount: special device /dev/dom2 does not exist" during the boot process.
- When running packet captures, the SSL_CAPTURE_ERROR is no longer seen, and captures occur correctly.
- Cut through, reject, and drop rules matching Anonymous Diffie-Hellman flows are no longer bypassed.
- Appliances no longer experience intermittent disruption to new flows when a new Host Categorization database is loaded.
- The following Common Vulnerabilities and Exposures (CVE) have been addressed in 3.8.3:
– CVE-2009-4135
– CVE-2010-0624
– CVE-2012-3509
– CVE-2012-6656
– CVE-2013-1569
– CVE-2013-2383
– CVE-2013-2384
– CVE-2013-2419
– CVE-2013-7423
– CVE-2014-5351
– CVE-2014-5352
– CVE-2014-5353
– CVE-2014-5354
– CVE-2014-6040
– CVE-2014-6272
– CVE-2014-6585
– CVE-2014-6591
– CVE-2014-7817
– CVE-2014-7824
– CVE-2014-7923
– CVE-2014-7926
– CVE-2014-7940
– CVE-2014-8150
– CVE-2014-8484
– CVE-2014-8485
– CVE-2014-8501
– CVE-2014-8502
– CVE-2014-8503
– CVE-2014-8504
– CVE-2014-8737
– CVE-2014-8738
– CVE-2014-9112
– CVE-2014-9130
– CVE-2014-9297
– CVE-2014-9298
– CVE-2014-9402
– CVE-2014-9421
– CVE-2014-9422
– CVE-2014-9423
– CVE-2014-9447
– CVE-2014-9471
– CVE-2014-9654
– CVE-2014-9656
– CVE-2014-9657
– CVE-2014-9658
– CVE-2014-9659
– CVE-2014-9660
– CVE-2014-9661
– CVE-2014-9662
– CVE-2014-9663
– CVE-2014-9664
– CVE-2014-9665
– CVE-2014-9666
– CVE-2014-9667
– CVE-2014-9668
– CVE-2014-9669
– CVE-2014-9670
– CVE-2014-9671
– CVE-2014-9672
– CVE-2014-9673
– CVE-2014-9674
– CVE-2014-9675
– CVE-2015-0235
– CVE-2015-0247
– CVE-2015-1472
– CVE-2015-1473
– CVE-2015-1572
– CVE-2015-0293
– CVE-2015-0292
– CVE-2015-0289
– CVE-2015-0288
– CVE-2015-0287
– CVE-2015-0286
– CVE-2015-0209
– CVE-2015-0206
– CVE-2015-0205
– CVE-2015-0204
– CVE-2014-8275
– CVE-2014-3707
– CVE-2014-3572
– CVE-2014-3571
– CVE-2014-3570
– CVE-2014-3569
– CVE-2014-3567
– CVE-2014-3513
The following issues have been resolved in Version 3.8.2:
- Resolved a memory leak issue associated with Host Categorization policy.
- SSL8200s in an Active-Inline Fail to Appliance deployment with a Cut Through rule now correctly forward server hellos.
- The Active-Inline attached appliance correctly receives the SSL ServerHello message for cut-through SSL sessions using 4096-bit RSA keys.
- Fixed the Ghost Vulnerability (CVE-2015-0235).
- The SSL Appliance no longer forwards invalid Hello messages caused by a certificate chain issue, which consumed resources.
- Resolved an issue where Invalid issuer was incorrectly displayed in a Passive-Inline deployment.
- HSM CA status now shows the validity of the signatures returned on a connection.
- Addressed the OpenSSH Denial of Service vulnerability (CVE-2010-5107).
- The SSL Appliance no longer experiences slowdown and high memory utilization.
- The SSL Appliance no longer allows SSLv3 connections to an HSM device. This is related to changes made to mitigate the Shell Shock vulnerability (CVE-2014-6271 and CVE-2014-7169).
- Resolved an issue where due to a proprietary TLS extension, the appliance was unable to inspect traffic to some Google sites from Chrome on Windows.
- Fixed an issue in which SSL2000 and SSL8200 systems might fail to boot with software versions 3.7.x, 3.8.0, and 3.8.1.
- Multiple VLAN tags in QinQ Ethernet headers are now handled correctly.
- TCP flows no longer stall due to advertising a window larger than the previously seen receive window.
- Fixed an issue in which SSL packet capture would not work on some ports on the SSL8200 appliance.
- The following Common Vulnerabilities and Exposures (CVE) have been addressed in 3.8.1:
– CVE-2010-5107
– CVE-2014-3566
– CVE-2015-0235
The following issues have been resolved in Version 3.8.1:
- Resolved the "Shell Shock" vulnerability to specially-crafted environment variables (CVE-2014-6271 and CVE-2014-7169) in the Red Hat Enterprise Linux Bourne Again shell (Bash).
- Loss of management network connectivity no longer occurs when IPv6 address mode is configured for DHCP.
- The following Common Vulnerabilities and Exposures (CVE) have been addressed in 3.8.1:
– CVE-2014-3635
– CVE-2014-3636
– CVE-2014-3637
– CVE-2014-3638
– CVE-2014-3639
– CVE-2014-6273
– CVE-2014-6271
– CVE-2014-7169
– CVE-2014-7186
– CVE-2014-7187
– CVE-2014-0487
– CVE-2014-0488
– CVE-2014-0489
– CVE-2014-0490
The following issues have been resolved in Version 3.8.0:
- Resolved the issue where following an upgrade an additional manual reboot was needed for the fix to be applied. A user no longer needs to perform the additional reboot.
- Resolved an issue that resulted in a fault when activating policy.
- Resolved a case where a segment did not recover on software failure.
- First-time boot no longer takes up to 5 additional minutes if no network cable is plugged into the management network port.
- Resolved an issue where all platform configuration changes required rebooting the appliance in order to take effect.
- System log files are rotated once per day regardless of the size of the file, and only removed when the log disk space threshold of 3 GB is reached.
- The following characters are now allowed in alert e-mail addresses: !, #, $, %, &, ', *, +, /, =, ?, ^, `, {, }, |, ~
- The following Common Vulnerabilities and Exposures (CVE) have been addressed in 3.8.0:
– CVE-2012-1016
– CVE-2013-1415
– CVE-2013-1416
– CVE-2013-1418
– CVE-2013-6800
– CVE-2014-4341
– CVE-2014-4342
– CVE-2014-4343
– CVE-2014-4344
– CVE-2014-4345
– CVE-2014-3477
– CVE-2014-3532
– CVE-2014-3533
– CVE-2014-3467
– CVE-2014-3468
– CVE-2014-3469
– CVE-2013-4357
– CVE-2013-4458
– CVE-2014-0475
– CVE-2014-4043
– CVE-2014-5119
– CVE-2014-5270
– CVE-2014-0191
– CVE-2014-0224
– CVE-2014-0195
– CVE-2014-0221
– CVE-2014-3470
– CVE-2014-3466
– CVE-2014-4617
– CVE-2014-0478
– CVE-2014-3505
– CVE-2014-3506
– CVE-2014-3507
– CVE-2014-3508
– CVE-2014-3509
– CVE-2014-3510
– CVE-2014-3511
– CVE-2014-3512
– CVE-2014-5139
– CVE-2014-3613
– CVE-2014-3620
– CVE-2014-0487
– CVE-2014-0488
– CVE-2014-0489
– CVE-2014-0490
– CVE-2012-6151
– CVE-2014-2284
– CVE-2014-2285
– CVE-2014-2310
– CVE-2014-2525
– CVE-2014-2532
– CVE-2014-1912
The following issues have been resolved in Version 3.7.4:
- When an SSL Appliance recovers from an overload condition it no longer flags some SSL sessions with the "Invalid cryptographic response" error code.
- Corrected an issue that exposed the following ports on the management interface: 9001, 9002, 9003, 9009 and 9010.
- In Passive Inline mode, copy ports now correctly see Server Hello packets with a "cut-through" rule.
- Corrected handling of dates in OCSP Response fields.
- Fixed an issue in which duplicate client/server hello packets were issued in passive-inline deployment for certain cut-through SSL flows.
- Fixed an issue in which certificate resigning of traffic with an Online Certificate Status Protocol (OCSP) stapled response with a key larger than the originating key caused the system to fail.
- Corrected several memory allocation issues.
- Corrected an issue where a segment did not recover on software failure.
- The command line diagnostic interface can now be used during the bootstrap phase to set IP configuration on the management network interface.
- The following Common Vulnerabilities and Exposures (CVE) have been addressed in 3.7.4:
– CVE-2014-3477
– CVE-2014-3532
– CVE-2014-3533
– CVE-2014-3467
– CVE-2014-3468
– CVE-2014-3469
– CVE-2013-4357
– CVE-2013-4458
– CVE-2013-0475
– CVE-2013-4043
– CVE-2014-3505
– CVE-2014-3506
– CVE-2014-3507
– CVE-2014-3508
– CVE-2014-3509
– CVE-2014-3510
– CVE-2014-3511
– CVE-2014-3512
– CVE-2014-5139
The following issues have been resolved in Version 3.7.3:
- Resolved an issue in which the SSL Appliance became unusable and GUI timeouts occurred when navigating screens, requiring a manual reboot of the appliance to recover.
- Resolved a memory leak in the SSL intercept engine when processing SSL flows with a large number of unique X.509 certificates. The issue resulted in no SSL sessions being inspected, and sometimes caused a restart.
- Resolved an issue where IP fragments would not pass successfully through the SSL Appliance.
- Resolved an issue where incorrect processing of IP fragments sometimes led to a crash requiring a manual restart.
- Resolved an issue that resulted in NFE 0 overload messages and caused the SSL Appliance to stop decrypting.
- The SSL Debug log now rotates correctly. Previously, debug logs could fill up the internal disk.
- Resolved an issue that prevented proper startup of the appliance after a patch upgrade.
- The following Common Vulnerabilities and Exposures (CVE) have been addressed in 3.7.4:
– CVE-2014-0224
The following issues have been resolved in Version 3.7.1:
- Addressed the Heartbleed exploit, protecting against it for SSL traffic passing through and inspected by the SSL Appliance. This patch allows you to protect internal servers and prevent vulnerable client systems from attack even if they visit a malicious SSL server.
- Resolved a memory leak in the SSL intercept engine. The main symptom was lockup in one or more processing threads, resulting in no SSL sessions being inspected. In the worst case scenario, the data-plane process would crash and restart. The symptoms manifested in scenarios where a large number of unique X.509 certificates were seen on the wire.
- Fixed a crash in generating the platform diagnostics archive (archive process did not exclude the sparse file /var/log/lastlog).
- Fixed processing of out-of-order TCP packets as well as processing of large TCP headers in Passive-Tap mode.
- TCP FIN packets were not processed in the correct order in inline modes, resulting in TCP queue processing timeouts.
- When displaying SSL session log entry details the UI now checks for the availability of certificate information; previous releases would have triggered an exception in the UI. The same updated logic is also applied to the fingerprint calculation on unsupported certificate key types.
- The in-memory X.509 caches are now limited in size to prevent the OOM killer from terminating the data-plane. The issue used to manifest itself when a large number of unique X.509 certificates were detected by the SSL Appliance.
- Wild cards ('*' character) in X.509 subject fields are now treated as characters rather than wild cards in the policy engine. The rules in the policy may still use wild card characters. As an example, this fix allows the user to set up a rule to match the following CN: "cdn.*.livefilestore.com".
- TLS sessions with unsupported TLS extensions are now classified as undecryptable. Refer to the Important Information section for more details.
- The UI now allows the user to reset the hostname by entering an empty value, which then translates into "localhost.localdomain" in the configuration.
- The UI webserver would sporadically reject file uploads with a "502" error because of the size of the HTTP header; the allowed header size was increased to resolve the issue.
- Fixed handling of TCP retransmits while decrypting certain cipher-suites (using block ciphers, for example, AES-CBC, 3DES-CBC), in the process fixing various types of TCP queue processing timeouts. The issue was especially prevalent when deploying the SSL Appliance downstream from an F5 load-balancer appliance.
- TLS CertificateStatus handshake messages are now processed; not processing those messages resulted in breaking certain browser page elements (such as twimg.com when connecting to Twitter).
- Allow setting the "Catch All Action" on rulesets; this was broken in version 3.6.3.
- Remove the X.509 Subject Key Identifier when applying "Decrypt (Resign Certificate)" and "Replace Key Only" actions to prevent invalid certificate errors in browsers.
- Empty user-defined policy lists used in rulesets no longer invalidate the rule referencing the list.
- Self-signed X.509 certificates seen on the wire had an erroneous validation status of both "Self-signed" and "Invalid Issuer".
- The IP header check logic was changed to allow fragments with the don't fragment (DF) bit set; those packets used to be discarded.
- Fixed issue when loading the UI in recent versions of the Chrome browser.
- Fixed an issue in which a user-defined PKI list used in a rule was ignored, and defaulted to all entries of that type of PKI item, when the list name had a specific length.
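The wildcard semantics from the 3.7.1 notes above (a '*' in a policy rule is a wildcard, but a '*' in a subject field seen on the wire is an ordinary character), as an added example that is not the appliance's policy engine. The subject strings are constructed; the CN with an embedded '*' is the case the notes describe.

```python
import re


def rule_pattern_to_regex(pattern):
    """Compile a policy rule pattern: '*' is a wildcard, every other character is literal."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def subject_field(subject, key):
    """Value of one attribute (e.g. 'CN') from a comma-separated X.509 subject string."""
    for part in subject.split(","):
        name, _, value = part.strip().partition("=")
        if name.strip().upper() == key.upper():
            return value.strip()
    return None


def rule_matches_subject(pattern, subject, key="CN"):
    """Match a rule pattern against a subject field seen on the wire. A '*' inside the
    certificate's own field is compared as a literal character, never expanded."""
    value = subject_field(subject, key)
    if value is None:
        return False
    return rule_pattern_to_regex(pattern).fullmatch(value) is not None


# Constructed subjects (not real certificates).
WIRE_CN_WITH_STAR = "CN=cdn.*.livefilestore.com, O=Example Org"
WIRE_CN_PLAIN = "CN=cdn.abc.livefilestore.com, O=Example Org"
WIRE_CN_WILDCARD = "CN=*.example.com, O=Example Org"

if __name__ == "__main__":
    # The rule's '*' matches both the literal '*' and an ordinary label.
    print(rule_matches_subject("cdn.*.livefilestore.com", WIRE_CN_WITH_STAR))
    print(rule_matches_subject("cdn.*.livefilestore.com", WIRE_CN_PLAIN))
    # The certificate's '*' does not make it match a rule for a specific host.
    print(rule_matches_subject("www.example.com", WIRE_CN_WILDCARD))
```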