Release Notice: LoadMaster LMOS 7.2.48.3 LTS

Release Date: 9th December 2020

 

Download Current LTS Version - 7.2.48.3

LoadMaster 7.2.48.3 Release Notes

 

To get the latest firmware updates please visit our Firmware Downloads page.

 

Update Image Verification

Depending on the LMOS version running on the LoadMaster you are updating, you may need to supply one of the XML verification files when upgrading. See the notes for your release below.

Update notes by currently running version:

  • Currently running version: 7.2.51 or later
    • Verification of the digital signature on update images is required by default. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are updating is set to require validation, you must upload the following XML Verification file supplied with this release during the update process: 7.2.48.3.19710.RELEASE.PATCH-64-MULTICORE.checksum.xml
    • After the update, any capabilities specific to 7.2.51 will no longer be available on LoadMaster.
  • Currently running version: 7.2.50
    • Same as above, except a different XML file supplied with this release must be uploaded during the update process: 7.2.48.3.19710.RELEASE.PATCH-64-MULTICORE-pre7.2.51.0.checksum.xml
    • After the update, any capabilities specific to 7.2.50 will no longer be available on LoadMaster.
  • Currently running version: 7.2.49.1
    • Online verification not supported. You can verify the digital signature using a manual process documented on the support website using the same verification file as shown above for 7.2.50.
    • After the update, any capabilities specific to 7.2.49.1 will no longer be available on LoadMaster.
  • Currently running version: 7.2.48.2 or earlier
    • Online verification not supported. You can verify the digital signature using a manual process documented on the support website using the same verification file as shown above for 7.2.50.

 

If you are currently running LMOS 7.1.x or an earlier version, please see the article Kemp LoadMaster Firmware Upgrade Path for full upgrade path information.

Note: The XML file verification is not part of the process of switching the active LoadMaster partition to the LMOS release that was running on LoadMaster before the last update.

 

Release Highlights

Change Notices

  • Cavium III SSL Accelerator Performance Switch
    • A new switch has been introduced on the Network Options page in the UI that allows you to switch from using the current 1.1.1 OpenSSL libraries to using the older 1.0.2 libraries. This helps to mitigate the performance issues seen with the 1.1.1 libraries when using the Cavium III hardware SSL accelerator and TLS 1.3.
  • IRQ Pinning Default for LoadMaster MT VNFs
    • The IRQ Pinning debug option on LoadMaster is now enabled by default when the VNF is deployed to improve overall system performance.
  • Modified EC Curves in LoadMaster Client Hello
    • Updates have been made to the supported EC curves for ECDHE ciphers in the client hello, removing x25519 and x448 to meet Common Criteria security requirements.

 

Security Updates

  • Syslog and LDAPS Server Certificate Validity Checking
    • LoadMaster has been modified to use OCSP to check the validity of the server certificates supplied by the syslog and LDAPS servers in its configuration.
  • Enhanced Server-Side KCD Authentication Cipher Option
    • A new option for server-side Kerberos Constrained Delegation (KCD) authentication improves the security of LoadMaster's server-side KCD connections to meet evolving security policies.
  • Enhanced NTP Key Exchange Algorithms
    • The SHA-1 hashing algorithm has been added to the key types supported for NTP.
  • Regeneration of SSH Host Key
    • The LoadMaster host key that is used for SSH login can now be regenerated using controls on the system console.
  • Certificate Signing Request (CSR) Generation Permissions
    • If Self-Signed Certificate Handling is set to EC certs with an EC signature, CSR generation is restricted to the administrative (bal) user only. If Self-Signed Certificate Handling is set to a different value, all users can generate CSRs.
  • Certificate Signing Request (CSR) Generation Key Display
    • In previous releases, both the unsigned Certificate Signing Request (CSR) generated by LoadMaster, and the associated private key, were displayed in the UI (or returned via the API). A new option has been provided to allow the private key to be managed more securely, preventing unintentional disclosure or improper handling of the private key by the user.
  • X.509 Certificate Format Updated
    • LoadMaster has been enhanced to use the X.509v3 certificate format, as defined in RFC 5280. [Previously, the X.509v1 format defined in RFC 1422 was used.]
  • LDAPS and Syslog Server Certificate Validation
    • LoadMaster has been enhanced to validate the entire certificate chain sent by remote LDAPS and Syslog servers when the system is configured to use ECDSA certificates with ECDSA signatures.

 

 
