... | ... | @@ -4,23 +4,23 @@ Welcome to Kea 1.9.6, the seventh monthly release of the 1.9 development branch. |
|
|
|
|
|
This release adds new features, improves existing features, clarifies documentation, and fixes a few bugs. The most notable changes introduced in this version are:
|
|
|
|
|
|
**Experimental TLS support**. This release introduces support for TLS in CA (Control Agent). The CA can now be configured to accept incoming HTTPS connections. Three modes of operation are available. First is a plain HTTP with TLS completely disabled (this was the only mode available so far). The second mode is encryption, where the CA accepts TLS connections. This is the typical mode when securing a website, where clients and servers are not under the control of the same organization. The third mode is mutual authentication between connecting clients and the CA server. In this mode, clients are required to identify themselves using TLS certificates, clients verify server's certificate and server verify client's. This work was done in #1661, #1662, #1663, #1664, #1726, #1748, #1758.
|
|
|
**Experimental TLS support**. This release introduces support for TLS in CA (Control Agent). The CA can now be configured to accept incoming HTTPS connections. Three modes of operation are available. First is a plain HTTP with TLS completely disabled (this was the only mode available so far). The second mode is encryption, where the CA accepts TLS connections. This is the typical mode when securing a website, where clients and servers are not under the control of the same organization. The third (and default when TLS support is enabled) mode is mutual authentication between connecting clients and the CA server. In this mode, clients are required to identify themselves using TLS certificates, clients verify server's certificate and server verifies client's. This work was done in #1661, #1662, #1663, #1664, #1726, #1748, #1758.
|
|
|
|
|
|
The TLS support is considered experimental and currently has a number of limitations:
|
|
|
|
|
|
- It is reasonably well tested with some versions of OpenSSL and Boost. Kea uses Boost ASIO wrapper around OpenSSL. If your Boost or OpenSSL is too old, you may encounter problems. See new Section 23. Kea Security section in Kea ARM for details.
|
|
|
- It is reasonably well tested with some versions of OpenSSL and Boost. Kea uses Boost ASIO SSL wrapper around OpenSSL. If your Boost or OpenSSL is too old, you may encounter problems and/or get a lower security level. See new Section 23. Kea Security section in Kea ARM for details.
|
|
|
|
|
|
- Kea supports two cryptographic libraries: OpenSSL and Botan. The Kea code for Botan is not finished yet. The code will compile and unit tests will pass, but the TLS support may not work.
|
|
|
- Kea supports two cryptographic libraries: OpenSSL and Botan. The TLS support for Botan in the Kea code is not released yet. The Kea code configured with Botan compiles and unit tests pass, but the TLS support may not be enabled.
|
|
|
|
|
|
- The kea-shell tool is written in Python. The primary implementation is using Python 3, but we do have legacy code for Python 2. However, since Python 2 is now EOL, we are not going to update that legacy code with TLS support. This may affect CentOS 7 users. The recommendation is to install Python 3 on your system or use any alternative clients, such as curl, to connect to CA.
|
|
|
|
|
|
- The TLS is not yet tested for HA and is likely broken.
|
|
|
- The TLS support for the High Availability (HA) hook will be available in a future version.
|
|
|
|
|
|
- The documentation is somewhat lacking, especially in the new Kea ARM section about security. There's a good tutorial available [in the src/lib/asiolink/testutils/ca](https://gitlab.isc.org/isc-projects/kea/-/blob/master/src/lib/asiolink/testutils/ca/doc.txt).
|
|
|
- The documentation is somewhat lacking, especially in the new Kea ARM section about security. There's a good tutorial available [in the src/lib/asiolink/testutils/ca] about how the create your own certificates and associated files (https://gitlab.isc.org/isc-projects/kea/-/blob/master/src/lib/asiolink/testutils/ca/doc.txt).
|
|
|
|
|
|
The TLS work will continue in the upcoming releases.
|
|
|
|
|
|
We do encourage people to test this and report their experience. We're particularly interested in which OS, OpenSSL or Botan, and Boost versions were used.
|
|
|
We do encourage people to test this and report their experience. We're particularly interested in which Operating System, OpenSSL or Botan, and Boost versions were used.
|
|
|
|
|
|
**Database connection recovery rework**. A new parameter `on-fail` now controls what to do on database connection loss. It has three possible values which govern if the DHCP service should be disabled and if Kea should shutdown or continue DHCP service after all the configured tries were exhausted: `stop-retry-exit` (stop DHCP service, attempt to reconnect and terminate if unable to reconnect), `serve-retry-exit` (continue serving DHCP traffic, attempt to reconnect and terminate if unable to reconnect), and `serve-retry-continue` (continue serving DHCP traffic, try to reconnect, and continue serving even if reconnection fails). This is particularly useful for forensic logging and config backend services. Depending on your specific deployment, you may prefer one strategy or another #1621.
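Review bot: the rewritten documentation bullet breaks its markdown link and carries a typo: `[in the src/lib/asiolink/testutils/ca] about how the create your own certificates and associated files (https://gitlab.isc.org/...)` closes the link text before the URL, so it renders as bracketed text followed by a bare URL in parentheses. Put the URL directly after the bracket and fix "how the create" to "how to create", e.g. `There's a good tutorial [in src/lib/asiolink/testutils/ca](https://gitlab.isc.org/isc-projects/kea/-/blob/master/src/lib/asiolink/testutils/ca/doc.txt) about how to create your own certificates and associated files.` Separately, replacing "The TLS is not yet tested for HA and is likely broken" with "will be available in a future version" drops the operational warning: an operator reading the new wording may assume TLS simply has no effect on HA, rather than that enabling it alongside the HA hook is untested and may misbehave; keep the explicit statement that it is untested and likely broken in this release. In the Botan bullet, "the TLS support may not be enabled" is ambiguous between "cannot be enabled" and "might silently be off"; the original "may not work" was clearer, or state plainly that Botan builds do not provide working TLS yet.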
|
|
|
|