EJBCA 6.15.2 Release Notes

This is the intended EOL release of EJBCA 6.15, and should fix all final issues remaining in the 6.15 branch for those of you not yet ready to move on to EJBCA 7. A major feature that we have backported to this release from EJBCA 7.0.1 is the SN issue highlighted recently in the Mozilla Security Policy forum regarding how EJBCA handles certificate serial numbers out of the box. We gave an official reply in that thread here, but would like to take this chance to iterate the issue for any of your who don't follow the Mozilla forums or may have missed the mention in the release notes for EJBCA 7.0.1. 

To give some background, we'd like to talk a bit about the issue at hand. EJBCA has since time immemorial used random serial numbers. Back then we chose 8 octets (64 bits) as a good size (largely arbitrarily), which has until now been the default setting out of the box. There are two main advantages to using randomized serial numbers as opposed to sequential: it makes it difficult for an attacker to guess the number of certificates issued and the ability to issue certificates from a cluster of CAs without the risk of collision. We have since a very long time allowed the manual configuration (through cesecore.properties, earlier through ejbca.properties) of serial number entropy to higher values. 

The issue at hand being faced by some customers is that in 2016 CABForum passed a ballot which required 64 bits of entropy for certificate serial numbers. We hadn't begun attending CABForum at the time or following the proceedings closely, but instead checked requirements from our customers who did. As such, we weren't aware of the discussion (we are an Interested Party since 2018, and today follow the proceedings closely), so were unaware of the underlying issue. That problem is that as serial numbers have to be positive integers, 64 bit serial numbers actually gives 63 bits of true entropy, as we have to discard half of the values. Many of our customers have long since been aware of this issue and have since a long time modified their configurations, but we suspect that not all are.

It is important to note that we see this as a compliance issue and not a security issue63 bits of entropy as opposed to 64 provides little to no advantage in guarding against a pre-image attack against SHA256 or greater. 

EJBCA 6.15.2 provides the tools for fixing this issue easily. We have raised the default entropy value to 20 octets (if nothing else was explicitly stated in the configuration) for all new CAs. All CA instances have been given a new field for specifying the entropy size specifically per CA, allowing our users to raise that entropy size as they see fit. 

If you are required to adhere to any standard which requires 64 bits of entropy in serial numbers, we would urge you to examine your CA's settings and take the appropriate actions to resolve that issue with those who maintain that standard. 

Upgrade Information

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 6.15.2, refer to our JIRA Issue Tracker.

Issues Resolved in 6.15.2

Released on 7th of March 2019

New Features

ECA-7539 - Add subcommand to clientToolBox to interact with database over pure JDBC

ECA-7779 - Implement test function in SCP Publisher

ECA-7894 - Backporting "ECA-4991 Allow configuration of serial number octet size per CA" to EJBCA 6.15.2

Improvements

ECA-5804 - Make ApprovalSessionTest less timing sensetive

ECA-7367 - Acme must be in status unavailable under System Configuration (community edition)

ECA-7421 - configdump module's unit tests are not collected by Jenkins unit tests job 'EJBCA_TRUNK_UNIT_PUPPET'

ECA-7423 - Failing tests of org.ejbca.configdump.core.ConfigdumpCoreUnitTest

ECA-7491 - Use relative URLs in AdminGUI

ECA-7520 - Make CertSafePublisherTest locale independent

ECA-7522 - Add proper configuration to jenkins-files/*/conf/

ECA-7537 - Simplify and improve configuration of CMP tests

ECA-7555 - Acme SystemTest(s) failure for 6.15X EJBCA_TRUNK_DB2V105_UBUNTU1204_JBOSSEAP61_PUPPET jenkins job

ECA-7576 - Clarifications in the Multi Group Publisher documentation

ECA-7609 - Clear hibernate cache in ejbca-db-cli to avoid high memory usage

ECA-7612 - VendorAuthenticationTest test case fail in Jenkins

ECA-7625 - Stop using System.lineSeparator, except for writing to files or pipes

ECA-7642 - WebEjbcaClearCacheTest should be skipped if not running on localhost

ECA-7643 - EjbcaWSTest should not use hardcoded "superadmin" user

ECA-7644 - EJBCA ziprelease should not include scripts from jenkins-files

ECA-7645 - CrmfRAPbeRequestTest fails on community edition

ECA-7648 - EE_COS7_OpenJDK8_WF10_NOHSM_DB2 job failure

ECA-7656 - Backport improvements for peer connector tests to 6.15.x

ECA-7658 - Use white-list instead of black-list of allowed HTTP methods in web.xml

ECA-7679 - PeerConnectionsTest uses TLSv1, but should use TLSv1.2

ECA-7680 - PatternLoggers should check if log level is enabled before doing work

ECA-7682 - PeerConnectionsTest.testPublishCertificate should inform about prerequisite in failure message

ECA-7707 - HttpMethodsTest.testDocs should not fail if internal docs are not used

ECA-7744 - Backport: Avoid defining clover ant task when unused

ECA-7755 - The copyright year should be updated to include 2019

ECA-7761 - Minor security improvement

ECA-7843 - EJBCA startup does full table analysis on Oracle causing timeout issue during startup

ECA-7878 - Disable Admin GUI -> View Log menu item when logging to database is disabled

Bug Fixes

ECA-7523 - Test failures in ProtocolOcspHttpTest due do missing cleanup

ECA-7525 - Domestic / Non-external CVCA/DVCA do not have the expiration field set

ECA-7529 - OcspExtensionsTest fails on community edition

ECA-7533 - Fix WS documentation for isApproved and getRemainingNumberOfApprovals

ECA-7535 - Regression: Upgrade of customcertextensions.properties fails

ECA-7536 - CertificateCrlReaderSystemTest fails on Windows

ECA-7540 - Importing a CVCA certificate with error triggers CSRF error

ECA-7542 - CertSafePublisher sends incorrect revocation date

ECA-7543 - CertSafePublisherTest fails on Windows due to line endings

ECA-7544 - Fix UpgradePublisherTest

ECA-7548 - Cannot create a crypto token with token label as slot reference

ECA-7552 - StatedumpTest should use systemtests.properties

ECA-7558 - Admin Web returns redundant security headers

ECA-7584 - USERAUTH fail when publishing with the SCP Publisher

ECA-7595 - UpgradeSessionBeanTest.testUpgradeOcspExtensions6120 fails intermittently

ECA-7599 - AcmeConfigurationAndValidationSystemTest.leaveRevocationReasonUnchanged fails intermittently

ECA-7601 - UNID-FNR fails to deploy on JBoss AS 7.1.1

ECA-7613 - CertificateCrlReaderSystemTest fails intermittently

ECA-7621 - Fix CMP tests on 6.15.x branch on new Jenkins server

ECA-7624 - Fix ConfigdumpValidatorUnitTest and YamlWriterUnitTest

ECA-7628 - configdump change causes test build failure in CE

ECA-7662 - SecurityEvents*SessionBeanTest fails on H2 dues to use of ORDER in DELETE

ECA-7663 - CertificateRetrievalTest.test09FindWithMissingCertData assumes database.useSeparateCertificateTable=false

ECA-7665 - OutgoingPeerConnectionTest fails intermittently

ECA-7676 - Nullcheck would have been NPE in BlacklistEntry

ECA-7677 - PeerConnectionsTest is missing slf4j runtime dependency

ECA-7698 - Update example URL for external documentation

ECA-7742 - CAA Validator fails DNSSEC validation for CH domains

ECA-7760 - ScpPublisher: Destination URL for certificates saved as crl.scp.destination and vice versa

ECA-7794 - SCP Publisher does not store/load the password properly

Tasks

ECA-7641 - Transform CE job that used to be trunk to 6.15

ECA-7848 - Investigate 6.15 WS test failures