mendelson AS2 2022 b535 released


Yearly release of the mendelson AS2 server
- Log4j is no longer part of the product nor referenced in the included libs

What is new

  • Added support for PostgreSQL and MySQL databases via a new plugin
  • Added a server setting to delete old system events and transaction logs
    in the system maintenance process
  • Added the ability to build a High Availability (HA) cluster using multiple
    mendelson AS2 instances
  • Improved performance for the message delete processes by bulk delete operations
    on the database
  • Fixed a SQL injection problem
  • Moved several lock mechanisms from the server instance to the underlying
    database instance
  • It's again possible to select the sign/encrypt keystore location - this
    is required if you work with shared file systems
  • Added a data migration wizard to transfer the data from the internal HSQLDB
    to an external database
  • Added a notification in the client if the client-server connection exceeds
    the timeout because of a bad connection or high server load
  • Modified the Java API samples - now they will send AS2 messages to the mendelson
    testserver - includes all required settings (HTTP/HTTPS)
  • Added a new plugin that allows the integration of the mendelson AS2 via
  • Added an icon to each password field to see the password unmasked
  • Added images to encryption and signature in different colors (green, yellow,
    red) to indicate if the underlying algorithms are still strong
  • Added product related fonts to the system

Resolved problems

  • Fixed the problem that a configuration check warning occurred if no inbound
    HTTPS port was set in the configuration (keystore mismatch for in/outbound
    TLS handling)

  • Under some circumstances the send order queue has not been deleted
  • The HTTP basic authentication was set to standard basic authentication;
    preemptive basic authentication is required
  • Fixed a problem starting the application on macOS Big Sur 11.2.3; the error
    message was "Native library not found in resource path"
  • Fixed a problem in the web interface that allowed execution of JavaScript
    via manipulated message content, thanks to the ERNW Vulnerability Disclosure team
  • In the partner management there was a problem with the text widget when
    Unicode was pasted into the comments of a partner
  • Modified a log message for outbound MDNs that showed the wrong receipt URL
  • RFC 822 states that characters with ASCII values >127 must not be transferred
    in MIME headers. Therefore an encoding has been added for the filename
    in the attachment header where this is required (see RFC 2047), so
    transferring filenames that contain special characters should now work.
    If the receiver processes the filename, it has to decode it according to
    RFC 2047.
  • Fixed a problem where the splash screen scaled wrong for high resolution
  • Fixed a problem where the server did not start up if you started the mendelson
    AS2 with the option -nohttpserver
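
The RFC 2047 item above leaves decoding of the attachment filename to the receiver. The following Python sketch is an added example, not mendelson code: it decodes the encoded-word filename from a Content-Disposition header and reduces the sender-supplied result to a bare file name before it is used on disk. The function names, the fallback name and the sample headers are hypothetical and constructed for illustration.

```python
import re
from email.header import Header, decode_header, make_header
from email.message import Message

FALLBACK_NAME = "as2_payload.bin"  # hypothetical default, not a mendelson value


def decode_filename(content_disposition: str) -> str:
    """Return the filename parameter with RFC 2047 encoded-words decoded."""
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    raw = msg.get_filename()  # still "=?charset?b-or-q?...?=" at this point
    if raw is None:
        return ""
    return str(make_header(decode_header(raw)))


def safe_local_name(decoded: str) -> str:
    """Reduce a sender-supplied name to a bare file name for local storage."""
    base = re.split(r"[\\/]", decoded)[-1]              # drop any directory part
    base = "".join(c for c in base if c.isprintable())  # drop control characters
    return base.strip(". ") or FALLBACK_NAME


def build_sample_header(filename: str) -> str:
    """Constructed sample of an attachment header with an encoded filename."""
    return 'attachment; filename="%s"' % Header(filename, "utf-8").encode()


if __name__ == "__main__":
    for name in ("Rechnung_München.xml", "../../orders/bestellung_Ä.edi", ".."):
        header = build_sample_header(name)
        decoded = decode_filename(header)
        print(header, "->", repr(decoded), "->", repr(safe_local_name(decoded)))
```

Decoding happens before sanitising on purpose: a check applied to the still-encoded header value would not see path separators hidden inside the encoded-word.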

Updated software packages

  • Complete removal of Log4j from the product and all 3rd party products -
    so the product is no longer affected by previous and upcoming Log4j vulnerabilities
  • The DB connection pool libraries commons pool and commons dbcp were replaced by HikariCP
  • Update to Bouncycastle v1.69 (Crypto API)
  • Update to Lucene 8.11.0 (Indexing of system events)
  • Update to MINA 2.1.5 (Client-Server Interface)
  • Update to flatlaf 1.5 (dark mode)
  • Update to Vaadin 8.14.2 (Web Interface)
  • Added Jackson for JSON processing