Actions required when upgrading to 3.4

This section describes changes in Airlock Microgateway 3.4 that may require manual actions. Read this section carefully to see whether your configuration is affected.

SSL 3.0 and old ciphers removed

Support for SSL 3.0 has been removed and OpenSSL was updated to major version 3.

Because of the OpenSSL update, some old ciphers for encrypting private keys are no longer supported:

  • PBE-SHA1-RC2-128, PBE-MD2-DES, PBE-MD5-DES
  • SHA1-RC4-128

See also Supported SSL/TLS versions.
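The practical question before upgrading is which stored private keys are still protected with one of the removed PBE ciphers. The following Python script is an added example written for these notes, not part of Airlock Microgateway: it reads a PEM-wrapped PKCS#8 EncryptedPrivateKeyInfo, decodes just enough DER to reach the encryption algorithm OID, and maps it to the cipher names listed above. The OID values are the standard PKCS#5 and PKCS#12 identifiers; the sample key material is constructed dummy data, and keys in OpenSSL's traditional PEM format (Proc-Type/DEK-Info headers) are only flagged, not decoded.

```python
import base64
import re

# Dotted OIDs of the private-key PBE algorithms that the 3.4 release notes list
# as removed with the OpenSSL 3 update. Standard PKCS#5 (1.2.840.113549.1.5.x)
# and PKCS#12 (1.2.840.113549.1.12.1.x) identifiers.
LEGACY_PBE_OIDS = {
    "1.2.840.113549.1.5.1": "PBE-MD2-DES",
    "1.2.840.113549.1.5.3": "PBE-MD5-DES",
    "1.2.840.113549.1.12.1.1": "SHA1-RC4-128",
    "1.2.840.113549.1.12.1.5": "PBE-SHA1-RC2-128",
}
PBES2_OID = "1.2.840.113549.1.5.13"  # PBES2 (e.g. PBKDF2 + AES) remains usable


def _read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content octets into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pbe_algorithm_oid(der):
    """OID of encryptionAlgorithm in a PKCS#8 EncryptedPrivateKeyInfo."""
    tag, start, _ = _read_tlv(der, 0)        # EncryptedPrivateKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _ = _read_tlv(der, start)    # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, start, end = _read_tlv(der, start)  # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    return _decode_oid(der[start:end])


def classify_key_pem(pem):
    """'legacy:<cipher>', 'pbes2', 'unknown:<oid>', 'traditional-encrypted' or 'unencrypted'."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":
        oid = pbe_algorithm_oid(base64.b64decode("".join(body.split())))
        if oid in LEGACY_PBE_OIDS:
            return "legacy:" + LEGACY_PBE_OIDS[oid]
        return "pbes2" if oid == PBES2_OID else "unknown:" + oid
    if "Proc-Type: 4,ENCRYPTED" in body:
        return "traditional-encrypted"  # OpenSSL legacy PEM encryption, not PKCS#8
    return "unencrypted"


# --- constructed sample input (dummy bytes, not a real key) -------------------
def _der(tag, content):
    if len(content) >= 128:
        raise ValueError("sample builder only supports short-form lengths")
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return bytes(out)


def build_sample_pem(oid):
    """EncryptedPrivateKeyInfo with the given PBE OID, placeholder parameters and dummy ciphertext."""
    params = _der(0x30, _der(0x04, b"\x00" * 8) + _der(0x02, b"\x08\x00"))  # salt, 2048 iterations
    alg = _der(0x30, _der(0x06, _encode_oid(oid)) + params)
    epki = _der(0x30, alg + _der(0x04, b"\xAA" * 16))
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
            + base64.b64encode(epki).decode()
            + "\n-----END ENCRYPTED PRIVATE KEY-----\n")


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.5.3", "1.2.840.113549.1.12.1.5", PBES2_OID):
        print(oid, "->", classify_key_pem(build_sample_pem(oid)))
```

A key reported as legacy can be re-wrapped before the upgrade with OpenSSL's own tooling, for example `openssl pkcs8 -topk8 -v2 aes-256-cbc -in old.pem -out new.pem`, which produces a PBES2 envelope that OpenSSL 3 accepts.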

SecurityGateway *-prefix in SG Expert Settings

The prefix SecurityGateway * for Security Gate expert settings was deprecated in previous releases and is no longer supported. Remove the prefix from all affected expert settings.

Session tracking by external token

By using Expert Settings it is possible to track the client's session by a request header. The feature is still available, but the settings that enable it have changed and must be migrated to the new keys (see the replacement code block below).

Solution supported up to Microgateway 3.3:

Session.Tracking.ExternalToken.Enable             "FALSE"
Session.Tracking.ExternalToken.AllowTokenUpdate   "TRUE"
Session.Tracking.ExternalToken.MaxLength          "256"

Session.Tracking.ExternalToken.Request.Header.Pattern     "^Access-Token: ([[:graph:]]+)$"
Session.Tracking.ExternalToken.Request.Header.IgnoreCase  "TRUE"
Session.Tracking.ExternalToken.Request.Header.Template    "$1"
Session.Tracking.ExternalToken.Response.Header.Pattern    "^Authorization: Bearer ([[:graph:]]+)$"
Session.Tracking.ExternalToken.Response.Header.IgnoreCase "TRUE"
Session.Tracking.ExternalToken.Response.Header.Template   "$1"

Replacement for Microgateway 3.4 and newer:

Session.Tracking.HeaderToken.Enable                          "True"
Session.Tracking.HeaderToken.Response.Header.Name            "Access-Token"
Session.Tracking.HeaderToken.Request.Header.Name             "Authorization"
Session.Tracking.HeaderToken.Request.Header.Value.Pattern    "^Bearer ([[:graph:]]+)$"
Session.Tracking.HeaderToken.Request.Header.Value.IgnoreCase "TRUE"
Session.Tracking.HeaderToken.Request.Header.Value.Template   "$1"
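To make the semantics of the new HeaderToken settings concrete, here is an added Python model of the header-token extraction, written for these notes and not part of Airlock Microgateway. It assumes that header names are compared case-insensitively (HTTP semantics), that the POSIX class `[[:graph:]]` corresponds to the ASCII range `[!-~]`, that `$1` in the template refers to the first capture group, and that, with no response value pattern configured, the whole value of the configured response header is taken as the token. The request and response headers it runs over are constructed sample data.

```python
import re

# Constructed settings mirroring the Microgateway 3.4 HeaderToken keys above.
HEADER_TOKEN_CONFIG = {
    "Session.Tracking.HeaderToken.Enable": "True",
    "Session.Tracking.HeaderToken.Response.Header.Name": "Access-Token",
    "Session.Tracking.HeaderToken.Request.Header.Name": "Authorization",
    "Session.Tracking.HeaderToken.Request.Header.Value.Pattern": "^Bearer ([[:graph:]]+)$",
    "Session.Tracking.HeaderToken.Request.Header.Value.IgnoreCase": "TRUE",
    "Session.Tracking.HeaderToken.Request.Header.Value.Template": "$1",
}
PREFIX = "Session.Tracking.HeaderToken."


def _is_true(value):
    return value.strip().lower() == "true"


def _posix_to_python(pattern):
    # Assumption: the pattern uses POSIX bracket classes. Python's re has none,
    # so [[:graph:]] is rewritten to the equivalent printable ASCII range [!-~].
    return pattern.replace("[:graph:]", "!-~")


def _template_to_python(template):
    # "$1"-style back-references become Python's \g<1> for Match.expand().
    return re.sub(r"\$(\d+)", r"\\g<\1>", template)


def extract_request_token(headers, cfg=HEADER_TOKEN_CONFIG):
    """Token derived from the client's request headers, or None.

    headers: list of (name, value) pairs as received. Header names are compared
    case-insensitively; the value pattern honours the IgnoreCase setting.
    """
    if not _is_true(cfg[PREFIX + "Enable"]):
        return None
    wanted = cfg[PREFIX + "Request.Header.Name"].lower()
    flags = re.IGNORECASE if _is_true(cfg[PREFIX + "Request.Header.Value.IgnoreCase"]) else 0
    pattern = re.compile(_posix_to_python(cfg[PREFIX + "Request.Header.Value.Pattern"]), flags)
    template = _template_to_python(cfg[PREFIX + "Request.Header.Value.Template"])
    for name, value in headers:
        if name.lower() != wanted:
            continue
        match = pattern.search(value)
        if match:
            return match.expand(template)
    return None


def extract_response_token(headers, cfg=HEADER_TOKEN_CONFIG):
    """Token announced by the backend in its response headers, or None.

    Assumption: no response value pattern is configured, so the whole header
    value is taken as the token.
    """
    if not _is_true(cfg[PREFIX + "Enable"]):
        return None
    wanted = cfg[PREFIX + "Response.Header.Name"].lower()
    for name, value in headers:
        if name.lower() == wanted:
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed sample exchange: client presents a bearer token, backend issues a new one.
    request = [("Host", "api.example.test"), ("Authorization", "Bearer abc.def-123")]
    response = [("Content-Type", "application/json"), ("Access-Token", "new-token-42")]
    print(extract_request_token(request))    # abc.def-123
    print(extract_response_token(response))  # new-token-42
```

Note that the anchored pattern with `[[:graph:]]+` rejects values containing whitespace, so a header such as `Authorization: Bearer two words` yields no token, and a `Basic` credential is ignored altogether; only headers matching both the configured name and the value pattern contribute to session tracking.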

Deny rule updates

Default Deny rules have been improved and extended. Critical applications should be tested in a pre-production environment. The changes are summarized below.

  • New rules:
    • Security levels of DOR_014A changed from Strict to Standard, Strict.
  • Deleted/changed rules:
    • DOR_013A deleted.
    • Security levels of SAN_050B changed from Standard, Strict to Strict.

As part of security improvements, various filter evasion fixes were made in the SQL, XSS, UNIX, Sanity, Insecure Direct Object Reference and Automated Scanning rules.

  • Affected rules:
    • AS_001A, AS_005A, AS_015A, AS_050B
    • DOR_002A, DOR_005A, DOR_014A, DOR_015A
    • HPE_005A
    • SAN_050B
    • SQL_001A, SQL_001B, SQL_005A, SQL_005B, SQL_025A, SQL_025B, SQL_030A, SQL_030B, SQL_040A, SQL_040B, SQL_045A, SQL_045B, SQL_050A, SQL_050B, SQL_055A, SQL_055B, SQL_060A, SQL_060B, SQL_065A, SQL_065B
    • UNIX_005A, UNIX_005B, UNIX_006A, UNIX_006B, UNIX_010A, UNIX_010B
    • XSS_030A, XSS_030B, XSS_035A, XSS_055A, XSS_055B
  • False-positive reduction:
    • DOR_012C no longer blocks the wp-admin directory.
    • UNIX_005A no longer blocks unknown top-level UNIX directory names.
    • SAN_025E no longer blocks header names consisting only of a single character.
    • SQL_050A, SQL_050B no longer consider unlimited table/column names with special characters.
  • Various:
    • The short names of all deny rules have changed to uppercase letters. E.g., deny rule SQL_001a has changed to SQL_001A.

JSON Limits

JSON limits are enforced regardless of whether api_security.treat_json_objects_as_parameter is disabled or enabled.