... | ... | @@ -4,6 +4,23 @@ Welcome to Kea 1.9.6, the seventh monthly release of the 1.9 development branch. |
This release adds new features, improves existing features, clarifies documentation, and fixes a few bugs. The most notable changes introduced in this version are:
**Experimental TLS support**. This release introduces support for TLS in CA (Control Agent). The CA can now be configured to accept incoming https connections. Right now three modes of operation. First is a plain HTTP with TLS completely disabled. This mode what the only mode available. The second mode is encryption, where the CA accepts TLS connections. You need to provide CA (Certificate Authority) and server public certificate and private key. This is the typical mode when securing a website, where clients and servers are not under the control of the same organization. The third mode is mutual authentication between connecting clients and the CA server. In this mode, clients are required to identify themselves using TLS certificates.
The TLS support is considered experimental and currently has a number of limitations:
- It is reasonably well tested with OpenSSL and boost. Kea uses boost ASIO wrapper around OpenSSL. If your boost or OpenSSL are too old, you may encounter problems. See new Section 23. Kea Security section in Kea ARM for details.
- Kea supports two cryptographic libraries: OpenSSL and Botan. The Kea code for Botan is not finished yet. The code will compile and unit tests will pass, but the TLS support may not work.
- The kea-shell tool is written in python. The primary implementation is using python 3, but we do have legacy code for python 2. However, since python 2 is now EOL, we are not going to update that legacy code with TLS support. This may affect CentOS 7 users. The recommendation is to install python 3 on your system or use any alternative clients, such as curl, to connect to CA.
- The TLS is not yet tested for HA and is likely broken.
The work on TLS will continue in the upcoming releases.
We do encourage people to test this and report your experience. We're particularly interested in which OS was used, which OpenSSL and boost versions are present in your system.
**Database connection recovery rework** A new parameter "on-fail" now dictates what to do on
database connection loss. It has three possible values: "stop-retry-exit", "serve-retry-exit",
"serve-retry-continue" which govern if the DHCP service should be disabled and if Kea should shut
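Review bot: two sentences in the added TLS paragraph (the line starting "**Experimental TLS support**") do not parse: "Right now three modes of operation." and "This mode what the only mode available." Suggest "There are currently three modes of operation." and "Until now this was the only mode available." In the same paragraph the abbreviation CA is used for both Control Agent and Certificate Authority within two sentences ("You need to provide CA (Certificate Authority) and server public certificate and private key"), which is easy to misread in a security note; spell one of them out, e.g. "a Certificate Authority certificate plus the Control Agent's own certificate and private key". Since the text says only the third mode requires clients to present certificates, it would help operators to state plainly that the second (encryption-only) mode does not authenticate the connecting client, so the REST API remains reachable by any host that can open the port and must still be protected by other access controls; the Section 23 reference in the first bullet would be the natural place to point to for that. In the last paragraph, "**Database connection recovery rework**" is missing the period that the other bold lead-ins have, and "which govern if the DHCP service should be disabled" reads better as "which govern whether".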