Skip to content

v1.5.1
Compare
Choose a tag to compare
@denyeart denyeart released this 17 Aug 20:30
v1.5.1
a01d0ae

v1.5.1 Release Notes - August 16, 2021

Improvements

FABC-931: Re-enroll with existing key even if certificate is expired

As of Fabric CA v1.4.9 it is possible to reenroll and get a certificate using an existing
private/public key pair when passing --csr.keyrequest.reusekey to the Fabric CA
client re-enroll request. This is advantageous especially for TLS certs since it means an
orderer identity can get a certificate with updated expiration without the channel
configuration needing to be updated (as of Fabric v1.4.9 and v2.2.1 when TLS certs
are verified between channel members only the key is checked, the entire certificate
does not need to be identical). However, if the certificate is already expired,
Fabric CA has historically returned an error and did not allow the identity to
reenroll to receive a new certificate.
This improvement allows the client to re-enroll even if the current certificate is expired.
To use the improvement, start the Fabric CA with the configuration option ca.reenrollIgnoreCertExpiry
set to true (or set environment variable FABRIC_CA_SERVER_CA_REENROLLIGNORECERTEXPIRY).
Alternatively, start the Fabric CA with flag --ca.reenrollignorecertexpiry.

Fixes

Release binaries for Linux and Windows that were corrupted in v1.5.0 have been fixed in v1.5.1.

Dependencies

Fabric CA v1.5.1 has been tested with the following dependencies:

  • Go 1.15.7
  • Alpine 3.13 (for Docker images)

Changes, Known Issues, and Workarounds

None.

Known Vulnerabilities

  • FABC-174 Commands can be manipulated to delete identities or affiliations

    This vulnerability can be resolved in one of two ways:

    1. Use HTTPS (TLS) so that the authorization header is not in clear text.

    2. The token generation/authentication mechanism was improved to optionally prevent
      token reuse. As of v1.4 a more secure token can be used by setting environment variable:

    FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

    However, it cannot be set to false until all clients have
    been updated to generate the more secure token and tolerate
    FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false.
    The Fabric CA client has been updated in v1.4 to generate the more secure token.
    The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token,
    at which time the default for Fabric CA server will change to:
    FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

Resolved Vulnerabilities

None.

Changes:

  • a01d0ae Build release artifacts on native platforms
  • d6f546b Release commit for Fabric CA v1.5.1
  • 71436f4 Add native target description in Makefile
  • 9b0e156 review comments
  • 5c502ff Docs updates
  • cb74047 Review comments and added an integration test
  • ac256a9 Support ignoring certificate expiry for re-enrolls
  • 3852738 521 is not supported anymore
  • 2147670 fixed 521 to 512 ecdsa algorithm
  • 05fe243 fixed missed double quotation
See More
  • 2f05c9a fixed a typo
  • 0e750f7 Enable arm64
  • 9a9d6ff Bump jinja2 from 2.10.1 to 2.11.3 in /docs
  • c8d2ffb Update default branch to main
  • 8ea82d3 Update Fabric CA Readme
  • 7fd582b Update doc references for main branch
  • 99187d5 Update CI to use main branch
  • 7bb43f2 Remove local copy of repolint.json
  • f960dd4 Prepare for next version Fabric CA v1.5.1
  • 6e825cc Add release Target to Release Pipeline
  • fd12c1d Change release pipeline service connection

This list of changes was auto generated.

Assets 5
Loading