Yearly release of the mendelson AS2 server
- Log4j is no longer part of the product nor referenced in the included libs
What is new
- Added support for PostgreSQL and MySQL databases via a new plugin
- Added a server setting to delete old system events
and transaction logs in the system maintenance process
- Allow to build up a High Availability cluster (HA) using multiple mendelson
AS2 instances
- Improved performance for the message delete processes by bulk delete operations
on the database
- Fixed a SQL injection problem
- Moved several lock mechanisms from the server instance to the underlying
database instance
- It's again possible to select the sign/encrypt keystore location - this
is required if you work with shared file systems
- Added a data migration wizard to transfer the data from the internal HSQLDB
to an external database
- Added a notification in the client if the client-server connection exceeds
the timeout because of a bad connection or high server load
- Modified the Java API samples - now they will send AS2 messages to the mendelson
testserver - includes all required settings (HTTP/HTTPS)
- Added a new plugin that allows the integration of the mendelson AS2 via
REST API
- Added an icon to each password field to see the password unmasked
- Added images to encryption and signature in different colors (green, yellow,
red) to indicate if the underlying algorithms are still strong
- Added product related fonts to the system
Resolved problems
- Fixed the problem that a configuration check warning occurred if no inbound
HTTPS port was set in the configuration (keystore mismatch for in/outbound
TLS handling)
- Under some circumstances the send order queue has not been deleted
- The HTTP basic authentication was set to standard basic authentication -
required is preemptive basic authentication
- Fixed a problem to start the application on macOS Big Sur 11.2.3, the error
message was "Native library not found in resource path"
- Fixed a problem in the web interface that allowed to execute JS using manipulated
message content, thanks to the ERNW Vulnerability Disclosure team
- In the partner management there was a problem with the text widget if unicode
has been pasted into the comments of a partner
- Modified a log message for outbound MDNs that showed the wrong receipt URL
- RFC 822 states that it is not allowed to transfer characters with ASCII >127
in MIME headers. Therefore an encoding has been added for the filename
transfer in the attachment header where this is required (see RFC 2047). This
means it should now work to transfer filenames that contain special characters.
However, if the receiver processes the filename in any way, it has to decode
it according to RFC 2047.
- Fixed a problem where the splash screen scaled wrong for high resolution
- Fixed a problem where the server did not start up if you started the mendelson
AS2 with the option -nohttpserver
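
The filename encoding described in the RFC 2047 item above, shown from the receiver's side as an added example (this is not mendelson AS2 code). It uses Python's standard `email` package; the function names, the sample filename and the `payload.bin` fallback are assumptions made for the illustration.

```python
import os
from email import message_from_string
from email.errors import HeaderParseError
from email.header import Header, decode_header, make_header


def encode_filename(name: str) -> str:
    """Sender side: ASCII names pass through, others become RFC 2047 encoded-words."""
    if name.isascii():
        return name
    return Header(name, "utf-8").encode()


def decode_filename(raw: str) -> str:
    """Receiver side: turn RFC 2047 encoded-words back into Unicode text."""
    try:
        return str(make_header(decode_header(raw)))
    except (HeaderParseError, LookupError, UnicodeError):
        return raw  # malformed encoded-word: keep the raw token unchanged


def safe_local_name(decoded: str, fallback: str = "payload.bin") -> str:
    """The decoded name is partner-supplied input: keep only a plain file name."""
    name = os.path.basename(decoded.replace("\\", "/"))    # drop directory parts
    name = "".join(ch for ch in name if ch.isprintable())  # drop control characters
    return name if name not in ("", ".", "..") else fallback


def received_filename(raw_headers: str) -> str:
    """Extract, decode and sanitize the filename of a Content-Disposition header."""
    raw = message_from_string(raw_headers).get_filename()
    return safe_local_name(decode_filename(raw)) if raw else "payload.bin"


# Constructed sample header (not captured traffic), built with the encoder above.
SAMPLE = 'Content-Disposition: attachment; filename="%s"\r\n\r\n' % encode_filename(
    "Rechnung_März.xml"
)

if __name__ == "__main__":
    print(SAMPLE.strip())             # ASCII-only header as sent on the wire
    print(received_filename(SAMPLE))  # name to use when storing the payload
```

A receiver that skips the decode step stores the literal `=?utf-8?...?=` token as the file name; one that decodes without the basename step lets a partner-supplied name choose the directory the payload is written to.
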
Updated software packages
- Complete removal of Log4j from the product and all 3rd party products -
so the product is no longer affected by previous and upcoming Log4j vulnerabilities
- The DB connection pool commons pool and commons dbcp was replaced by HikariCP
- Update to Bouncycastle v1.69 (Crypto API)
- Update to Lucene 8.11.0 (Indexing of system events)
- Update to MINA 2.1.5 (Client-Server Interface)
- Update to flatlaf 1.5 (dark mode)
- Update to Vaadin 8.14.2 (Web Interface)
- Adding Jackson for JSON processing