
Release WAPT 1.8.1

Posted: 12 Feb 2020 - 10:40
by cbarille
Hello everyone,

A WAPT 1.8.1 release is available with bug fixes.

Changelog :

WAPT-1.8.1-6700 (2020-02-04)
(hash dae3fc37)

Major changes :

waptconsole: Added a page to show a summary (merge) of package install status for all selected hosts, grouped by package, version and install status, with a count of hosts. The context menu allows the pending actions to be applied selectively. On Enterprise, one can safely apply the updates (only packages for which there is no running process on the client side).

Prevent users from saving a host package if the targeted host(s) do not accept their personal certificate. (Checked in waptconsole when editing / mass updating host packages, and on the server when uploading packages.)

The personal certificate file (.crt) must contain the personal certificate first, followed by the issuer CA certificates, so that WAPT can rebuild the certificate chain and check its intersection with the host’s trusted certificates.

Important note about SSL client side authentication

In your nginx configuration, be sure to reset the headers X-Ssl-Authenticated and X-Ssl-Client-DN, as waptserver trusts these headers if SSL client side auth is enabled in waptserver.ini.

If SSL client side auth is set up, these headers can be populated by proxy_set_header with the result of ssl_verify_client, as explained in ./wapt-security/security-configuration-certificate-authentication.html#enabling-client-side-certificate-authentication

Fixes and detailed changelog

Security fix for waitress module

Security: blank X-Ssl* headers in default nginx templates

waptconsole: Allow update of host package only if user certificate is actually allowed on the host (based on last update of host status in database).

Imp: Add an option to disable automatic hiding of panels…

Imp: Add explicit AllowUnauthenticatedRegistration task to waptserversetup windows

Fix: regression : kerberos register_host did not work anymore

waptsetup: Remove explicit VCRedistNeedsInstall task. Use /VCRedistInstall=(0/1) if you need to force install or force not install vcredist VC_2008_SP1_MFC_SEC_UPD_REDIST_X86

Fix: wapt-get.exe: use wapt-get.ini for “scan-packages” and “update-packages” wapt-get actions

Fix: wapt-get: auth asked when checking if server is available (ping) and client ssl auth is enabled

Imp: wapt client: if client ssl auth failed with http error 400, retry without ssl auth to be able to ask for new certificate signing

waptserver register behaviour : Revert over rev 6641: sign host certificate if an authenticated user is provided or data is signed with a key which can be verified by existing certificate in database for this host uuid

waptserver register behaviour : When receiving 401 from server when registering, retry registering without ssl auth.

wapt client: Be sure to have proper host private key saved on disk when receiving signed certificate from server.

waptconsole: Advanced Filters for selected host packages status. Filter on Install status and Section + keyword. Pending button to show only pending installations / removes

wapt-get make-template / edit package : Add .vscode directory. Add template project for vscode

waptconsole: Fix ssl auth for mass package dependencies / conflicts updates

waptconsole: Fix import packages from external repos with ssl auth

backports from master:

target OS in import packages
choose editor for packages in linux in cmdline
backports from master:

refactoring for HostCapabilities.waptos
add new target_os unix for mac and linux
so target_os : windows, darwin (for mac), linux or unix
Fix WAPT.wapt_base_dir

Fix makepath in linux/macOS

Some refactoring / fixes for setuphelpers

Fix for rights_to_check in repo-sync client

Fix for repo-sync

waptserver : allow kerberos or ssl auth check in waptserver only if enabled in waptserver.ini config file.

Add two setuphelpers for linux : type_debian and type_redhat

indent the local sync.json

use get_os_version and windows_version_from_registry instead of windows_version

use windows_version_registry for get_os_version on windows

backport host_capabilities.os from master

Add automatic maintenance of a CRL for clients auth certificates signed by server

default CRL lifetime to 30 days

check renewal of client cert CRL every hour

add a parameter for the next update time of crl

add clients_signing_crl_url clients_signing_crl_days known_certificates_folder waptserver parameters

add a /ssl location in nginx templates

add crl_urls in client auth signed certificates

add a scheduled task to renew server side crl

add clients_signing_crl waptserver parameter to add client cert to server crl when host is unregistered.

Add revoke_cert method to SSLCRL class

Add an authorityKeyIdentifier to the client auth CRL

force restart if windows task is broken

waptservice: use sys._exit(10) to ask nssm to restart service in case of unhandled exception in waptservice (loops..)

wapt client: don’t log / store into db Wapt.runstatus if not changed
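
A check for the nginx note above (X-Ssl-Authenticated / X-Ssl-Client-DN), added here as an example and not part of the WAPT release or its templates: it reports every proxying block in which the two headers are neither blanked nor overwritten, taking into account that nginx drops inherited `proxy_set_header` directives as soon as a block declares one of its own. The sample configuration, its paths and upstream address are constructed, the use of `$ssl_client_verify` and `$ssl_client_s_dn` as values is an assumption, and the simple parser does not handle braces or semicolons inside quoted strings.

```python
import re

REQUIRED = ("x-ssl-authenticated", "x-ssl-client-dn")
# Constructed sample: location paths and upstream address are placeholders.
SAMPLE = """
server {
    proxy_set_header X-Ssl-Authenticated "";   # blank the client-supplied value
    proxy_set_header X-Ssl-Client-DN "";
    location /a/ {
        proxy_set_header Host $host;   # own directive: server-level resets are lost
        proxy_pass http://127.0.0.1:8080;
    }
    location /b/ { proxy_pass http://127.0.0.1:8080; }   # inherits both resets
    location /c/ {
        proxy_set_header X-Ssl-Authenticated $ssl_client_verify;
        proxy_set_header X-Ssl-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
"""

def effective(block):
    # nginx inherits proxy_set_header from the outer level only when the
    # current level declares none of its own.
    while not block["own"] and block["parent"]:
        block = block["parent"]
    return block["own"]

def audit(conf):
    """Return [(block name, missing headers)] for every block with proxy_pass."""
    current = {"name": "main", "parent": None, "own": set(), "proxies": False}
    blocks = []
    for head, end in re.findall(r"([^{};]*)([{};])", re.sub(r"#.*", "", conf)):
        words = head.split()
        if end == "{":
            current = {"name": " ".join(words), "parent": current, "own": set(), "proxies": False}
            blocks.append(current)
        elif end == "}":
            current = current["parent"]
        elif words[:1] == ["proxy_pass"]:
            current["proxies"] = True
        elif words[:1] == ["proxy_set_header"] and len(words) >= 3:
            current["own"].add(words[1].lower())
    found = [(b["name"], [h for h in REQUIRED if h not in effective(b)])
             for b in blocks if b["proxies"]]
    return [(name, missing) for name, missing in found if missing]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample only `location /a/` is reported: its own `proxy_set_header Host` line cancels the server-level resets, so both headers would reach waptserver as the client sent them.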