We are pleased to announce the latest release of SFTPPlus, version 3.12.0.
This release adds a couple of security-related features and security-related defect fixes.
Here is the list of the main new features:
- Support was added for validating certificate revocation lists (CRL) based on the distribution points extension advertised by the peer's certificate.
- It is now possible to use the fips configuration value in the ssh_cipher_list configuration option to allow using only FIPS 140-2 compliant ciphers and algorithms for the SSH-based services.
- Accounts authenticated using the HTTP authentication method can now be configured to be associated with any group defined in SFTPPlus. In the previous implementation, they were always associated with the default group.
- You can now authenticate legacy SFTPPlus WebAdmin accounts as operating system accounts using the "User Alias" configuration option defined by the WebAdmin.
Here is the list of the most important defects fixed in this release:
- Certificates signed by unknown certificate authorities are now rejected right away, without being first checked for revocation.
- Home folder path configuration can no longer be defined with empty values. This prevents accidental configuration in which the account is given access to the application's installation folder.
- Home folder path configuration is now enforced to absolute paths. This prevents accidental configuration in which the account is given access to the application's installation folder.
- An internal server error is no longer generated when an invalid path is configured as a home folder.
- An internal server error is no longer emitted when a response from the Local Manager is produced after the Local Manager page was closed or refreshed.
- Transfers will no longer fail shortly after being started or resumed when the source location fails. The transfers enter the suspended state and will automatically resume once the source is available.
- Rotating files based on size will now keep all rotated files when rotate_count is set to 0.
- The HTTP/HTTPS service will now request the web browser to download files with unknown mime types (extensions) rather than trying to display them as HTML files.
You can also check the full release notes.