-
Notifications
You must be signed in to change notification settings - Fork 710
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add release notes for Fabric CA v1.5.1 Signed-off-by: David Enyeart <enyeart@us.ibm.com>
- Loading branch information
Showing
2 changed files
with
59 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
v1.5.1 Release Notes - August 16, 2021 | ||
====================================== | ||
|
||
Improvements | ||
------------ | ||
|
||
**FABC-931: Re-enroll with existing key even if certificate is expired** | ||
|
||
As of Fabric CA v1.4.9 it is possible to reenroll and get a certificate using an existing | ||
private/public key pair when passing --csr.keyrequest.reusekey to the Fabric CA | ||
client re-enroll request. This is advantageous especially for TLS certs since it means an | ||
orderer identity can get a certificate with updated expiration without the channel | ||
configuration needing to be updated (as of Fabric v1.4.9 and v2.2.1 when TLS certs | ||
are verified between channel members only the key is checked, the entire certificate | ||
does not need to be identical). However, if the certificate is already expired, | ||
Fabric CA has historically returned an error and did not allow the identity to | ||
reenroll to receive a new certificate. | ||
This improvement allows the client to re-enroll even if the current certificate is expired. | ||
To use the improvement, start the Fabric CA with the configuration option ``ca.reenrollIgnoreCertExpiry`` | ||
set to ``true`` (or set environment variable FABRIC_CA_SERVER_CA_REENROLLIGNORECERTEXPIRY). | ||
Alternatively, start the Fabric CA with flag ``--ca.reenrollignorecertexpiry``. | ||
|
||
Dependencies | ||
------------ | ||
|
||
Fabric CA v1.5.1 has been tested with the following dependencies: | ||
- Go 1.15.7 | ||
- Alpine 3.13 (for Docker images) | ||
|
||
|
||
Changes, Known Issues, and Workarounds | ||
-------------------------------------- | ||
None. | ||
|
||
Known Vulnerabilities | ||
--------------------- | ||
- FABC-174 Commands can be manipulated to delete identities or affiliations | ||
|
||
This vulnerability can be resolved in one of two ways: | ||
|
||
1) Use HTTPS (TLS) so that the authorization header is not in clear text. | ||
|
||
2) The token generation/authentication mechanism was improved to optionally prevent | ||
token reuse. As of v1.4 a more secure token can be used by setting environment variable: | ||
|
||
FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false | ||
|
||
However, it cannot be set to false until all clients have | ||
been updated to generate the more secure token and tolerate | ||
FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false. | ||
The Fabric CA client has been updated in v1.4 to generate the more secure token. | ||
The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token, | ||
at which time the default for Fabric CA server will change to: | ||
FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false | ||
|
||
Resolved Vulnerabilities | ||
------------------------ | ||
None. |