mendelson opensource AS2 1.1 b61 released

min read
A- A+
mendelson opensource AS2

Yearly release of the mendelson AS2 opensource (2022)

Please find the download link at

What is new

  • Added the possibility to the server settings to delete old system events and transaction logs in the system maintenance process
  • Improved performance for the message delete processes by bulk delete operations on the database
  • Fixed a SQL injection problem
  • Moved several lock mechanism from the server instance to the underlaying database instance
  • It's again possible to select the sign/encrypt keystore location - this is required if you work with shared file systems
  • Added a data migration wizard to transfer the data from the internal HSQLDB to an external database
  • Added a notification in the client if the client-server connection exceeds the timout because of a bad connection or high server load
  • Added an icon to each password field to see the password unmasked
  • Added images to encryption and signature in different colors (green, yellow,red) to indicate if the underlaying algorithms are still strong
  • Added product related fonts to the system

Resolved problems

  • Fixed the problem that a configuration check warning occured if no inbound HTTPS port was set in the configuration (keystore mismatch for in/outbound TLS handling)
  • Under some circumstances the send order queue has not been deleted
  • The HTTP basic authentication was set to standard basic authentication - required is preemtive basic authentication
  • Fixed a problem to start the application on macOS Big Sur 11.2.3, the error message was "Native library not found in resource path"
  • Fixed a problem in the web interface that allowed to execute JS using manipulated message content, thanks to the ERNW Vulnerability Disclosure team
  • In the partner management there was a problem with the text widget if unicode has been pasted into the comments of a partner
  • Modified a log message for outbound MDNs that showed the wrong receipt URL
  • RFC 822 states that it is not allowed to transfer characters with ASCII >127 in MIME headers. Therefor a encoding has been added for the filename transfer in the attachment header where this is required (see RFC 2047). Means it should work now to transfer filenames that contain special characters. Anyway if the receiver will process the filename somehow he has to decode it after RFC 2047.
  • Fixed a problem where the splash screen scaled wrong for high resolution
  • A problem has been fixed where a key import from a JKS keystore into the TLS certificate manager resulted in the problem "unable to recover key" on next server start. With this error message the system did not start up. As the certificate manager codebase is shared between all mendelson products please wait for an update of the other product if you encounter it there.
  • Capped the number of threads in the directory poll manager. This reduces the overall load, but leads to the side effect that the specified poll intervals may not be met. Please always keep an eye on the displayed system configuration problems where this is mentioned.

Updated software packages

  • Complete removal of Log4j from the product and all 3rd party products - so the product is no longer affected by previous and upcoming Log4j vulnerabilities
  • The DB connection pool commons pool and commons dbcp was replaced by HikariCP
  • Update to Bouncycastle v1.69 (Crypto API)
  • Update to Lucene 9.0.0 (Indexing of system events)
  • Update to MINA 2.1.5 (Client-Server Interface)
  • Update to flatlaf 2.0 (dark mode)
  • Update to Vaadin 8.14.2 (Web Interface)
  • Adding Jackson for JSON processing