EJBCA 6.15.2 Release Notes
This is the intended EOL release of EJBCA 6.15, and should fix all final issues remaining in the 6.15 branch for those of you not yet ready to move on to EJBCA 7. A major feature that we have backported to this release from EJBCA 7.0.1 is the SN issue highlighted recently in the Mozilla Security Policy forum regarding how EJBCA handles certificate serial numbers out of the box. We gave an official reply in that thread here, but would like to take this chance to iterate the issue for any of your who don't follow the Mozilla forums or may have missed the mention in the release notes for EJBCA 7.0.1.
To give some background, we'd like to talk a bit about the issue at hand. EJBCA has since time immemorial used random serial numbers. Back then we chose 8 octets (64 bits) as a good size (largely arbitrarily), which has until now been the default setting out of the box. There are two main advantages to using randomized serial numbers as opposed to sequential: it makes it difficult for an attacker to guess the number of certificates issued and the ability to issue certificates from a cluster of CAs without the risk of collision. We have since a very long time allowed the manual configuration (through cesecore.properties, earlier through ejbca.properties) of serial number entropy to higher values.
The issue at hand being faced by some customers is that in 2016 CABForum passed a ballot which required 64 bits of entropy for certificate serial numbers. We hadn't begun attending CABForum at the time or following the proceedings closely, but instead checked requirements from our customers who did. As such, we weren't aware of the discussion (we are an Interested Party since 2018, and today follow the proceedings closely), so were unaware of the underlying issue. That problem is that as serial numbers have to be positive integers, 64 bit serial numbers actually gives 63 bits of true entropy, as we have to discard half of the values. Many of our customers have long since been aware of this issue and have since a long time modified their configurations, but we suspect that not all are.
It is important to note that we see this as a compliance issue and not a security issue. 63 bits of entropy as opposed to 64 provides little to no advantage in guarding against a pre-image attack against SHA256 or greater.
EJBCA 6.15.2 provides the tools for fixing this issue easily. We have raised the default entropy value to 20 octets (if nothing else was explicitly stated in the configuration) for all new CAs. All CA instances have been given a new field for specifying the entropy size specifically per CA, allowing our users to raise that entropy size as they see fit.
If you are required to adhere to any standard which requires 64 bits of entropy in serial numbers, we would urge you to examine your CA's settings and take the appropriate actions to resolve that issue with those who maintain that standard.
Upgrade Information
As a minor release, the upgrade steps to EJBCA 6.15.2 are the same as to EJBCA 6.15. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA
Change Log: Resolved Issues
The following lists fixed bugs and implemented features in EJBCA 6.15.2.
Issues Resolved in 6.15.2
Released on 7th of March 2019
New Features
ECA-7539 - Add subcommand to clientToolBox to interact with database over pure JDBC
ECA-7779 - Implement test function in SCP Publisher
ECA-7894 - Backporting "ECA-4991 Allow configuration of serial number octet size per CA" to EJBCA 6.15.2
Improvements
ECA-5804 - Make ApprovalSessionTest less timing sensetive
ECA-7367 - Acme must be in status unavailable under System Configuration (community edition)
ECA-7421 - configdump module's unit tests are not collected by Jenkins unit tests job 'EJBCA_TRUNK_UNIT_PUPPET'
ECA-7423 - Failing tests of org.ejbca.configdump.core.ConfigdumpCoreUnitTest
ECA-7491 - Use relative URLs in AdminGUI
ECA-7520 - Make CertSafePublisherTest locale independent
ECA-7522 - Add proper configuration to jenkins-files/*/conf/
ECA-7537 - Simplify and improve configuration of CMP tests
ECA-7555 - Acme SystemTest(s) failure for 6.15X EJBCA_TRUNK_DB2V105_UBUNTU1204_JBOSSEAP61_PUPPET jenkins job
ECA-7576 - Clarifications in the Multi Group Publisher documentation
ECA-7609 - Clear hibernate cache in ejbca-db-cli to avoid high memory usage
ECA-7612 - VendorAuthenticationTest test case fail in Jenkins
ECA-7625 - Stop using System.lineSeparator, except for writing to files or pipes
ECA-7642 - WebEjbcaClearCacheTest should be skipped if not running on localhost
ECA-7643 - EjbcaWSTest should not use hardcoded "superadmin" user
ECA-7644 - EJBCA ziprelease should not include scripts from jenkins-files
ECA-7645 - CrmfRAPbeRequestTest fails on community edition
ECA-7648 - EE_COS7_OpenJDK8_WF10_NOHSM_DB2 job failure
ECA-7656 - Backport improvements for peer connector tests to 6.15.x
ECA-7658 - Use white-list instead of black-list of allowed HTTP methods in web.xml
ECA-7679 - PeerConnectionsTest uses TLSv1, but should use TLSv1.2
ECA-7680 - PatternLoggers should check if log level is enabled before doing work
ECA-7682 - PeerConnectionsTest.testPublishCertificate should inform about prerequisite in failure message
ECA-7707 - HttpMethodsTest.testDocs should not fail if internal docs are not used
ECA-7744 - Backport: Avoid defining clover ant task when unused
ECA-7755 - The copyright year should be updated to include 2019
ECA-7761 - Minor security improvement
ECA-7843 - EJBCA startup does full table analysis on Oracle causing timeout issue during startup
ECA-7878 - Disable Admin GUI -> View Log menu item when logging to database is disabled
Bug Fixes
ECA-7523 - Test failures in ProtocolOcspHttpTest due do missing cleanup
ECA-7525 - Domestic / Non-external CVCA/DVCA do not have the expiration field set
ECA-7529 - OcspExtensionsTest fails on community edition
ECA-7533 - Fix WS documentation for isApproved and getRemainingNumberOfApprovals
ECA-7535 - Regression: Upgrade of customcertextensions.properties fails
ECA-7536 - CertificateCrlReaderSystemTest fails on Windows
ECA-7540 - Importing a CVCA certificate with error triggers CSRF error
ECA-7542 - CertSafePublisher sends incorrect revocation date
ECA-7543 - CertSafePublisherTest fails on Windows due to line endings
ECA-7544 - Fix UpgradePublisherTest
ECA-7548 - Cannot create a crypto token with token label as slot reference
ECA-7552 - StatedumpTest should use systemtests.properties
ECA-7558 - Admin Web returns redundant security headers
ECA-7584 - USERAUTH fail when publishing with the SCP Publisher
ECA-7595 - UpgradeSessionBeanTest.testUpgradeOcspExtensions6120 fails intermittently
ECA-7599 - AcmeConfigurationAndValidationSystemTest.leaveRevocationReasonUnchanged fails intermittently
ECA-7601 - UNID-FNR fails to deploy on JBoss AS 7.1.1
ECA-7613 - CertificateCrlReaderSystemTest fails intermittently
ECA-7621 - Fix CMP tests on 6.15.x branch on new Jenkins server
ECA-7624 - Fix ConfigdumpValidatorUnitTest and YamlWriterUnitTest
ECA-7628 - configdump change causes test build failure in CE
ECA-7662 - SecurityEvents*SessionBeanTest fails on H2 dues to use of ORDER in DELETE
ECA-7663 - CertificateRetrievalTest.test09FindWithMissingCertData assumes database.useSeparateCertificateTable=false
ECA-7665 - OutgoingPeerConnectionTest fails intermittently
ECA-7676 - Nullcheck would have been NPE in BlacklistEntry
ECA-7677 - PeerConnectionsTest is missing slf4j runtime dependency
ECA-7698 - Update example URL for external documentation
ECA-7742 - CAA Validator fails DNSSEC validation for CH domains
ECA-7760 - ScpPublisher: Destination URL for certificates saved as crl.scp.destination and vice versa
ECA-7794 - SCP Publisher does not store/load the password properly
Tasks
ECA-7641 - Transform CE job that used to be trunk to 6.15
ECA-7848 - Investigate 6.15 WS test failures