SignServer Software Appliance 2.7 Release Notes

NOVEMBER 2024

We are pleased to announce the release of SignServer Software Appliance 2.7.0.

This release brings an updated version of SignServer Enterprise and introduces the TimeMonitor container. The release also features enhanced TLS certificate configuration and activation of TLS 1.3 with updated cipher configurations. Additionally, this release brings support for a custom JDBC connection string, Microsoft SQL Databases, and uploading larger files (adjustable between 1 MB and 4 GB).

Highlights

New version of SignServer Enterprise

SignServer Enterprise has been updated to version 7.1.1. For more information, see the SignServer 7.1 Release Notes.

Support for Microsoft SQL Databases

This release brings support for Microsoft SQL Databases in SignServer.

Support to upload larger files (adjustable between 1 MB and 4 GB)

This release introduces the ability to configure the maximum allowed upload size for SignServer, now adjustable between 1 MB and 4 GB, providing greater flexibility for large file uploads.

Implementation of TimeMonitor Container

The TimeMonitor provides accurate time synchronization and monitoring capabilities for SignServer. It ensures the system's time remains consistent by integrating with an NTP server. This release introduces the TimeMonitor container, enabling its setup and use with the Software Appliance 2.7.0.

Support balanced Oracle DB hosts from Webconf (Custom JDBC Connection String Support)

A new feature allows users to add a custom JDBC connection string override, providing greater flexibility for database setups that may not align with the standard configuration options. This ensures smoother integration with unique customer environments.

OCSP Validation for Client Certificates per Network Interface

We’ve introduced a new feature that allows the configuration of OCSP client certificate validation for each NIC (Network Interface Card). This enhancement applies exclusively to our HTTPS endpoints and provides greater flexibility for certificate validation.

Key Details:

  • To prevent accidental lockouts, OCSP client certificate validation cannot be enabled on the default interface.

  • If you change the default interface, any existing OCSP client certificate validation settings on the previous default interface will be automatically cleared.

Enhanced TLS Certificate Configuration and Performance Improvements

We’ve introduced a new feature that allows precise control over which Network Interface Card (NIC) is associated with a specific TLS certificate. Additionally, improvements have been made to boost performance during web configuration page rendering.

Key Details:

  • You can now assign a specific TLS certificate to an individual NIC, ensuring flexibility in certificate management.

  • Only one active TLS certificate is permitted per NIC, but the same certificate can be applied across multiple NICs if desired.

  • Configuration details, such as which TLS certificate is tied to each NIC, are stored directly in the NIC configuration for better clarity and organization.

  • To maintain compatibility, API changes were kept minimal to ensure existing network configuration clients (e.g., terminal UI and front-display) function without disruption.

  • The initial rendering of web configuration pages has been optimized by switching from sequential to concurrent resolution of requests, significantly speeding up load times.

Adding support for TLS 1.3 and Updated TLS Cipher Support

  • The list of supported TLS ciphers has been streamlined, removing CBC mode and SHA-1-based ciphers for enhanced security.

  • TLS 1.3 is now enabled, resolving previous Post-Handshake Authentication issues caused by misconfigurations.

  • Optimized Apache directives, such as ThreadsPerChild and MaxRequestWorkers, to better align with system requirements and improve performance.

Improvements and Corrections

  • New driver added for Trustway Proteccio firmware 3.06.05 with client version 3.17 support, selectable under the Trustway Proteccio tile.

  • Improved system reliability by ensuring unused data from certain services is automatically cleaned up after a restart. This prevents unnecessary storage use and enhances overall performance.

  • The base operating system has been upgraded from AlmaLinux 8.8 to AlmaLinux 9.4, ensuring continued support, improved security, and access to the latest features.

  • A recent CVE (CVE-2024-21096) affecting MariaDB has been addressed in our latest update. While the Software Appliance is unlikely to be directly impacted due to no external access to the DB CLI, we’ve taken proactive measures by upgrading the MariaDB container to version 10.6.18, which includes the necessary security fixes.

Upgrade Information

For important information on the required steps to update the Software Appliance, see Update Software Appliance.
