MultiNet 5.6 release notes

*PTPv2*

PTPv2 is available on Alpha (V7 & V8) and ia64 systems. PTP works with time sources on a local network to synchronize when the clock ticks. MultiNet timestamps received packets so that transit time inside MultiNet can be measured. The PTP implementation does NOT manage daylight saving time on the system; if your system uses daylight saving time then you need to continue to use NTP. PTP and NTP can be used on a system concurrently. PTP will also be notified when the system changes the time zone if AUTO_DLIGHT_SAV is used on VMS V8.

*OpenSSL*

OpenSSL 1.0.2T on Alpha and ia64 is now used with FTP, NTP, NAMED and for SSH2 Suite B support.

*SSH2*

Suite B support on Alpha and ia64 (RFC 6329, 5656, 5647, 6668), Group Exchange Key Exchange (RFC 4419), support for X509v3-rsa2048-sha256 certificates for host key exchange (RFC 6187), and a key exchange update to support diffie-hellman-group14-sha256 (RFC 8268).

Suite B includes:

- Elliptic curve Diffie-Hellman (ECDH) key agreement [RFC 5656]. Curves: nistp256, nistp384, nistp521. The curve chosen will be sufficient to support the hash for the host keys involved. This means that if the host key is ECDSA-nistp521, only the nistp521 curve will be available; an ECDSA-nistp384 key will have nistp384 and nistp521 available; and ECDSA-nistp256 will have nistp256, nistp384 and nistp521 available.
- Elliptic curve digital signature algorithm (ECDSA) [RFC 5656]. Public keys are written in a format close to what is used by OpenSSH, and OpenSSH public keys can be read as is. The "Subject" and "Comment" lines in the key may need to be removed to make the keys readable by OpenSSH. The curves supported are: nistp256, nistp384, nistp521.
- Advanced Encryption Standard running in Galois/Counter Mode (AES-GCM) [RFC 5647], as modified by OpenSSH to resolve a potential ambiguity, since encryption and message authentication are both provided by a single algorithm.
  In this case the ciphers are named aes128-gcm@openssh.com and aes256-gcm@openssh.com.
- New MACs: SHA-256, SHA-384 and SHA-512 [RFC 6668]. These can be used with any ciphers except the GCM ciphers, which provide both encryption and MAC functionality.
- Modifications to SSHD2 such that it can read unencrypted certificate keys for system authentication with certificates, without having to process the keys and certificates with the certificate utilities.

SSH2 bug fixes

- Recognize that WS_FTP-12.7 does not like IGNORE messages while doing Group Exchange Key Exchange.
- Correct an error in the input sensing code that could cause delays.
- If the logical SSH_STEP_THROUGH_RADIUS_ADDRESSES is defined to True/Yes/1, then each attempt to authenticate via the RADIUS server will use a different returned address when the DNS lookup returns multiple addresses, instead of just trying the first address. This provides additional failover capability if the DNS lookup of the RADIUS host always returns the addresses in the same order. If the DNS lookup round-robins the addresses, then the traditional behavior already provides failover capability.
- Added configuration variable RadiusTimeout to allow site configuration of the RADIUS timeout value. The default value is 3 seconds.
- When the logical MULTINET_SSH_RADIUS_TRUNCATE_USERNAME is defined in the system logical name table, usernames will be truncated before any underscore (_) present in the name before attempting RADIUS password authentication.
- Add a connection timeout routine to SSH-AGENT2 to deal with dangling connections that lead to consumption of BYTLM, and correct some memory leaks which could cause problems under heavy usage.
- Correct a problem with passwords that are 32 characters long.
- Correct a data structure alignment issue in the I/O module to improve performance.
- Correct attempts to open /dev/random and /dev/urandom that can cause problems on systems that have a logical for DEV defined.
- Modification of SSHD2 to support LOAD_PWD_POLICY and VMS$PASSWORD_POLICY callouts with PWDMIX on systems that support PWDMIX. Note that the VMS$PASSWORD_POLICY callouts must NOT write to SYS$OUTPUT or attempt to read from SYS$INPUT, as these channels are used for network communication and doing so will cause problems. Writes to SYS$ERROR will appear in SSH_LOG:SSHD.LOG for the session.
- Modification of SSHD2 to prevent CAPTIVE or RESTRICTED usernames from creating tunnels.
- Modification of SSHD_MASTER to allow control of the timeout of the connection id with the logical MULTINET_SSH_CONNECT_ID_TIMEOUT. This logical should be defined to a VMS delta time before SSH is started; the modification requires restarting SSH to take effect. If the logical is not defined, or is not a VMS delta time, then the default value of 1 minute (0 00:01:00.0) is used.
- Fix a channel leak in SSHD_MASTER.

*Kernel*

Performance improvements that reduce data structure scanning and eliminate periodic TCP socket scanning.

Bug fixes:

- Change the check for binding to a specific port with a wildcard address when multiple requests have been made.
- Change a section of code that can sometimes fail to get memory from MultiNet's pool on VMS V8 systems (ia64 and Alpha) to allocate directly from VMS non-paged pool.
- Correct an error in calculating the size of TCP packets that could lead to packets larger than the destination can accept in certain cases.
- Correct the interpretation of KEEPINVTL and KEEPINIT when coming from an application. The code was assuming that they were in half seconds, but the documentation says that they are expressed in seconds.
- Correct a problem that can cause a crash when manipulating interface filters.
- Correct a problem with retransmits that resulted in a full sized packet followed by a short packet.
- Correct a problem with writes to the BG device when the socket buffer becomes full.
- On ia64 systems, let the VMS driver decide if the packet is less than the minimum size and should be padded. The adjustment that was being made in MultiNet was causing problems on some configurations.
- Do not allow the TCP maximum segment size to be set to less than the minimum path MTU size, as it can cause a crash.
- Correct a length calculation problem with TCP packets that can cause too-large packets to be sent, which are then not received or are ignored by the destination.
- Correct a potential memory corruption that can result in a crash: add code to the routine that frees the socket data structure to clear the pointer from the device UCB to the socket data structure.

*NTP*

Updated to 4.2.8p15 from NTP.ORG; this includes corrections for all CVEs as of June 23, 2020. Informs PTP if there is a daylight saving time change.

Bug fixes:

- Correct a problem where NTPD running on a system that does not observe daylight saving time goes compute bound.
- Add some messages when the system is unable to synchronize the time with any servers even though servers are reachable, stating that the accuracy is poor and displaying variables. Note that these messages may occasionally occur in configurations that eventually select a good clock. Currently there is nothing to limit these messages, so the log file could grow. The minimum time between polling (and hence messages) is typically about 1 minute.
- More work on name resolution, particularly for when the name is a CNAME that does not specify the address family in the configuration file.
- Correct a potential page fault at high IPL that can cause a system crash.
- Correct an error in handling the WAYTOOBIG configuration parameter that can cause NTPD to always step the clock and not be useful as a server.
- Correct a problem with using system specific time zone rules that can cause problems when entering daylight saving time.
- This implementation of NTPD has not had sufficient testing of the SLEW_ALWAYS configuration addition.
- Reduce "Unexpected origin timestamp" messages.
- Restore the message about SLEW_ALWAYS being used.
- Correct a few more instances where address values could overflow the space available.
- Restore parsing of DISABLE OPCOM.
- Correct an error that can cause stack corruption when servers with IPv6 addresses are used. On Alpha systems this can cause NTPD to be compute bound.
- Correct an error in the computation of the completion time for the "fall back" change from daylight saving time to standard time. The error may cause the time to "fall back" more than once, resulting in the wrong time.
- Provide the NTPDATE image, which was not included in MultiNet 5.5. NTPDATE is available for all architectures and observes the system time zone.
- Improve recognition of ";" as a comment character.

*NAMED*

Updated to BIND 9.11.21 from isc.org; this is the current extended support version and includes corrections for CVEs through July 2020.

Bug fixes:

- Modifications to DNS cluster management: if two (or more) systems attempt to advertise at the same time, then at least one of them will not recognize the other's attempt. Since systems tend to keep accurate time (due to NTP), these systems will tend to stay synchronized and continue to not notice each other. To reduce the chance that systems will stay synchronized, some "salt" is now added to the advertising interval. This problem can also be avoided by defining MULTINET_CLUSTER_SERVICE_ADVERTISEMENT_INTERVAL to slightly different values on each system and defining MULTINET_CLUSTER_SERVICE_TIMER_INTERVAL to a smaller interval, so that multiple systems don't continue to attempt to advertise at the same time. Each of these logicals takes a VMS delta time as its value. Multicast communication is now disabled by default.
- Modifications to DNS cluster member notification to delay if another member is currently in the notification process.
- Additional error checking and reporting in DNS cluster code to help investigate missing nodes.
- Added an exit handler to make sure that DNS cluster locks are released upon exit. Added the logical MULTINET_CLUSTER_WAIT_COUNT, which can reduce the amount of time the first member of the cluster spends in the discovery loop. Other improvements to the DNS cluster service.
- Modifications to DNS cluster name support routines to make sure that ASTs are disabled while pointers are manipulated.
- Note that the address parsing code has become more strict. In the past an address such as 127.0.0.1/8 would be accepted; now this will generate an error and it will need to be changed to 127.0.0.0/8.
- Add support for DNSSEC-KEYGEN algorithms ECDSAP256SHA256 and ECDSAP384SHA384 on Alpha and ia64 systems.
- Improve error reporting in the code that loads crypto routines and in the cluster code, to get some information on some rare conditions.
- Modify the accept routine to limit the number of times it will retry after "soft" errors. Also add logging for the soft errors, so that they can be better understood in the future.
- Correct a problem with verifying DNSSEC file names that caused DNSSEC to not work. While investigating this problem it was also discovered that use of the DIRECTORY option would cause problems for the support for DNSSEC with DNS clusters (NAMED-060_A054). It is possible that use of the KEY-DIRECTORY, MANAGED-KEYS-DIRECTORY, SESSION-KEYFILE, and SESSION-KEYNAME options could have problems with the DIRECTORY option.
- Correct a problem with reload when the 'directory' keyword has been used in the configuration file.

*TFTP*

- RFC 1123 compliance (elimination of the Sorcerer's Apprentice Syndrome) in the server.
- RFC 2348 support for transfer size and timeout.

*FTP*

TLSv1.2 is now the default for FTPS on Alpha and ia64 systems.

Bug fixes

- Correct a build problem where the wrong SSL libraries were referenced, which will cause problems when using TLS.
- Correct a memory management error in TLS handling.
- Correct a problem with mailboxes and logical names not being cleaned up when using FTP over TLS.
- Improve SSL error reporting in FTP_SERVER.
- Miscellaneous other fixes for problems encountered when using TLS: improve connect error messages on Integrity systems; correct a problem with LS when in +VMS+ mode; correct a hang on connecting with TLS and not getting the desired certificates; correct a misleading error message.
- Correct a kit assembly problem for FTPS_CONTROLLER on ia64.
- Allow TLS PBSZ and PROT to be specified before user authentication.
- Improve security for FTPS (FTP over TLS) on Alpha and ia64 to use TLSv1.2 and stronger ciphers by default. This can be disabled by defining the logicals:

      $ DEFINE/SYSTEM MULTINET_FTP_SERVER_USE_ALL_CIPHERS TRUE
      $ DEFINE/SYSTEM MULTINET_FTP_SERVER_ALLOW_TLSV1 TRUE

- Correct various problems when using FTP over TLS with non-passive mode data connections.
- Change the way that a fixed length record file with no carriage control is opened for ASCII transfers, so that it is the same whether the record has an odd or even number of bytes, and so that the MULTINET_FTP_SEMANTICS_FIXED_IGNORE_CC logical works the same in both cases.
- Correct a problem with UNIX style output and file processing not being preserved after an NLST command.
- Improve error reporting on ia64 systems.
- Only have FTP negotiate +VMS+ mode if the logical MULTINET_FTP_CLIENT_NEGOTIATE_VMS_PLUS is defined to True, Yes or 1.
- Have FTP recognize an errno of zero on a read with a negative return as EOF.
- Change how a parameter to select is computed for non-passive transfers so that the number is not too large on ia64 systems.
- Correct problems with client TLS connections.
- Make sure that files are opened with sharing when obtaining information for MLSD/MLST functions.
- Correct an error in the directory completed reply that will cause an ACCVIO when MODE Z is used.
- Correct a problem with the FTP client and single line commands that can cause an unexpected exit after a bad response to the attempt to use SITE +VMS+.
- Correct a problem with the FTP_SERVER implementation of MLSD that can cause looping and large FTP server log files.

*SFTP*

Bug fixes

- Correct a problem with exchanging files with FileZilla.
- Allow a default file size to be specified with the logical MULTINET_SFTP_DEFAULT_SIZE, for interacting with servers that don't return a file size.
- Change installation procedures such that the V7 SFTP2 and SCP2 Alpha images are only used for systems running VMS V7.2 and later. There have been some problems using the V7 images on earlier V7 VMS systems. The difference between the V6 and V7 images is large file and ODS-5 support, which is only in VMS V7.2 and later.
- Correct a problem in SFTP2 with LCD to a logical name.
- Correct a problem that can lead to dangling SFTP_SERVER processes.
- Fix some parsing problems in SSH_FXP_REALPATH.
- Improve CD operations in VMS mode when a logical is used as the target.
- Make SCP2, SFTP2 and SFTP-SERVER2 observe the setting of MULTINET_SFTP_DEFAULT_FILE_TYPE_REGULAR at all points where files could be accessed.

*NFSv3*

Numerous improvements and bug fixes.

*R_Services*

Added intrusion reporting for login failures.

*Master server*

Bug fixes

- Clear allocated memory used for the DOMAINNAME SHOW command so that stale data does not show up in the output.
- Add some checking to some RPC calls to prevent possible process crashes.
- Increase the size of a temporary variable to prevent possible stack corruption and process or system crashes due to it.
- Correct a problem in parsing ACCEPT-HOSTS/REJECT-HOSTS and ACCEPT-NET/REJECT-NET where the length of the list would not be accurately maintained.
- Change the naming scheme of MULTINET_ROOT:[FTPS]FTPS.LOG to include the date in the filename, so that it is unlikely to reach version 32767 and cause problems.
*MULTINET_SET_INTERFACE*

Bug fixes

- Improve bounds checking when examining interface parameters.

*TCPDUMP*

Bug fixes

- Correct a possible ACCVIO.

*UCXDRIVER*

Bug fixes

- VMS Software reported that a customer reported that a zero length write returned SS$_BADPARAM, while TCP/IP Services returns SS$_NORMAL. I checked with the traditional UCXDRIVER and it looks like it would return SS$_NORMAL. So the code has been modified to return SS$_NORMAL for a zero length write.
- Correct an error in ACCEPT processing that can overwrite memory outside of what is specified for the sockaddr.
- Correct a potential crash.
- Correct some issues with freeing buffers that can cause memory consumption.
- Correct a problem on Alpha V7 and V8 and ia64 systems for programs writing from 64-bit address space.
- Correct an error in setting up buffers for a variety of write requests used by Apache that can cause a crash.
- Detect a bad address to prevent a crash.

*UCX_LIBRARY_EMULATION*

Bug fixes

- Correct a problem with the GETADDRINFO implementation that can overwrite other memory in certain situations. Make the check for IPv6 interfaces recognize both types of address formats.
- Correct a problem with DNS resolver code that can act differently depending upon the SSH debug level, and sometimes cause erroneous name lookups.
- Correct issues with the socketpair call when the address family requested is not AF_INET.
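The DNS cluster item in the NAMED section above explains why members with NTP-synchronised clocks and identical advertisement intervals keep masking each other, and why salt (or slightly different MULTINET_CLUSTER_SERVICE_ADVERTISEMENT_INTERVAL values) breaks the lock-step. The following Python simulation is an added example, not MultiNet code: it models two members that both start advertising at t=0 and counts how many advertisements fall within one second of the other member's, with no salt, with up to five seconds of salt, and with 60 s versus 61 s fixed intervals (the window, interval, salt size and seed are constructed values).

```python
import random


def advertisement_times(interval, rounds, rng=None, salt_max=0.0, start=0.0):
    """Times (seconds) at which one cluster member sends its service
    advertisement. Each gap is `interval` plus, when salt_max > 0, a random
    0..salt_max seconds of salt drawn from rng (rng is required in that case)."""
    times, t = [], start
    for _ in range(rounds):
        times.append(t)
        t += interval + (rng.uniform(0.0, salt_max) if salt_max else 0.0)
    return times


def masked_advertisements(schedules, window):
    """Count advertisements that another member sends within `window` seconds,
    i.e. attempts in which the two members cannot notice each other."""
    events = sorted((t, m) for m, s in enumerate(schedules) for t in s)
    masked = 0
    for i, (t, m) in enumerate(events):
        j = i + 1
        while j < len(events) and events[j][0] - t < window:
            if events[j][1] != m:      # a different member fired too close to us
                masked += 1
                break
            j += 1
    return masked


def scenario(rounds=100, window=1.0):
    """Three constructed schedules for two NTP-synchronised members that both
    start at t=0: identical 60 s intervals, the same with up to 5 s of salt,
    and slightly different fixed intervals (60 s and 61 s)."""
    rng = random.Random(7)          # fixed seed so the run is reproducible
    same = [advertisement_times(60, rounds), advertisement_times(60, rounds)]
    salted = [advertisement_times(60, rounds, rng, salt_max=5.0),
              advertisement_times(60, rounds, rng, salt_max=5.0)]
    staggered = [advertisement_times(60, rounds), advertisement_times(61, rounds)]
    return {name: masked_advertisements(s, window)
            for name, s in (("same", same), ("salted", salted), ("staggered", staggered))}


if __name__ == "__main__":
    for name, n in scenario().items():
        print(f"{name:10s} masked advertisements: {n} of 100")
```

With identical intervals every round is masked; the staggered schedules only coincide at t=0 and again at t=3660 (61 x 60 = 60 x 61), and the salted ones drift apart after the first round.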
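The NAMED note above says the address parser now rejects literals with host bits set, such as 127.0.0.1/8, which must become 127.0.0.0/8. This Python checker is an added example, not MultiNet or BIND code, that classifies address literals the same way using the standard library's ipaddress module, so a configuration can be audited before the upgrade; the sample entries are constructed.

```python
import ipaddress


def check_network_literal(text):
    """Classify an address/prefix literal the way a strict parser would.
    Returns (status, canonical): 'ok' when the literal is a proper network,
    'host-bits-set' when the old lenient parser accepted it but the strict one
    rejects it (canonical is the masked form to use instead), or 'invalid'."""
    try:
        ipaddress.ip_network(text, strict=True)
        return "ok", text
    except ValueError:
        pass
    try:
        net = ipaddress.ip_network(text, strict=False)   # masks the host bits off
        return "host-bits-set", str(net)
    except ValueError:
        return "invalid", None


def audit_literals(literals):
    """Return (literal, status, suggested replacement) for every entry that the
    strict parser would no longer accept; entries that are fine are omitted."""
    findings = []
    for literal in literals:
        status, fixed = check_network_literal(literal.strip())
        if status != "ok":
            findings.append((literal, status, fixed))
    return findings


# Constructed sample of address literals as they might appear in an ACL.
SAMPLE_LITERALS = [
    "127.0.0.0/8",       # fine
    "127.0.0.1/8",       # the case from the release note
    "192.168.1.0/24",    # fine
    "10.1.2.3/16",       # host bits set, becomes 10.1.0.0/16
    "2001:db8::1/32",    # same problem in IPv6
    "10.0.0.256/8",      # not an address at all
]

if __name__ == "__main__":
    for literal, status, fixed in audit_literals(SAMPLE_LITERALS):
        print(f"{literal:16s} {status:14s} -> {fixed}")
```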
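The TFTP item above refers to the RFC 1123 (section 4.2.3.1) fix for the Sorcerer's Apprentice Syndrome. The following Python simulation is an added example, not MultiNet code: it models a DATA sender against a receiver whose ACK for one block is delivered twice. A pre-RFC 1123 sender answers every ACK with the next DATA block, so one duplicated ACK doubles every block that follows, whereas a sender that ignores duplicate ACKs (retransmitting only on timeout, which is not modelled because no packet is lost) sends each block once. Block counts and the duplicated block number are constructed values.

```python
from collections import deque


def simulate_tftp(num_blocks, duplicated_ack, rfc1123_sender):
    """Model a TFTP transfer of num_blocks DATA blocks over a network that
    delivers the receiver's ACK for block `duplicated_ack` twice (a delayed
    duplicate). Returns {block: number of times the sender transmitted it}.

    rfc1123_sender=False: classic behaviour, every ACK(n) triggers DATA(n+1).
    rfc1123_sender=True:  RFC 1123 behaviour, an ACK already acted on is ignored.
    """
    queue = deque([("DATA", 1)])   # packets in flight, delivered in order
    sent = {1: 1}                   # block -> transmit count
    expected = 1                    # receiver: next block it wants
    highest_acked = 0               # sender: highest ACK already acted on
    while queue:
        kind, n = queue.popleft()
        if kind == "DATA":
            # Receiver side: accept a new block, and answer any DATA it sees,
            # including a duplicate, with ACK(n).
            if n == expected:
                expected += 1
            queue.append(("ACK", n))
            if n == duplicated_ack:
                queue.append(("ACK", n))   # the network duplicates this ACK
        else:
            # Sender side.
            if rfc1123_sender and n <= highest_acked:
                continue                   # duplicate ACK: do nothing
            highest_acked = max(highest_acked, n)
            if n < num_blocks:
                queue.append(("DATA", n + 1))
                sent[n + 1] = sent.get(n + 1, 0) + 1
    return sent


def total_transmissions(num_blocks, duplicated_ack, rfc1123_sender):
    """Total DATA packets the sender put on the wire for the transfer."""
    return sum(simulate_tftp(num_blocks, duplicated_ack, rfc1123_sender).values())


if __name__ == "__main__":
    # Constructed scenario: 8 blocks, the ACK for block 2 is duplicated.
    print("classic sender :", simulate_tftp(8, 2, False))
    print("RFC 1123 sender:", simulate_tftp(8, 2, True))
```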