ArrayOS APV Release Note

Transcription

1 Introduction Release Date: August 3, 2016 This release note summarizes the new features, general enhancements, resolved issues and known limitations for ArrayOS APV Contacting Customer Support To contact Array Networks Customer Support, please call or the team at Additional Information: Array Networks, Inc McCarthy Blvd. Milpitas, CA Phone: (408) Toll Free: (1-866-MY-ARRAY) Fax: (408) Telephone access to Array Networks is available Monday - Friday, 9 A.M. to 5 P.M. PST. Array Networks, Inc. All Rights Reserved. 1

2 Table of Contents Before You Upgrade... 3 WHAT S NEW... 4 FIPS... 4 vapv for Cloud Platforms... 4 ENHANCEMENTS... 5 HTTP/ Server Load Balance (SLB)... 7 Secure Socket Layer (SSL)... 8 High Availability (HA) General System/Tools RESOLVED ISSUES Server Load Balance (SLB) Link Load Balance (LLB) Reverse Proxy Cache General System/Tools WebUI Legacy WebUI KNOWN LIMITATIONS HTTP/ Secure Socket Layer (SSL) WebUI Array Networks, Inc. All Rights Reserved. 2

3 Before You Upgrade Before upgrading the system to ArrayOS APV , please review the content in this section. Backward compatibility (63479) ArrayOS APV 8.x can be upgraded to this version smoothly. However, downgrading from this version to an earlier version will cause ECC certificates, if any, to be lost due to data structure incompatibility. The ECC certificates, if supported, should be reconfigured. Array Networks, Inc. All Rights Reserved. 3

4 WHAT S NEW FIPS Supporting Runtime Synconfig in the HA environment, and the SNI function (ID: 47994) Beginning with ArrayOS APV , the Federal Information Processing Standard (FIPS) Hardware Security Module (HSM) supports Runtime Synconfig in the HA environment, and the Server Name Indication (SNI) function. For details, please refer to the FIPS Release Note. vapv for Cloud Platforms Supporting installation of vapv on cloud computing platforms (57242&57524&58460&62557&62684) ArrayOS APV supports installing vapv on cloud computing platforms such as Microsoft Azure and Amazon Web Services (AWS). The number of CPUs supported and the system memory size of vapv instances are enlarged to support cloud computing platforms. To be more precise, vapv instances of 8, 16 or 32 CPUs and 16, 32 or 64 GB system memory are available for cloud computing platforms. In addition, the SSH function of vapv for Microsoft Azure is enabled by default. Therefore, the vapv for Microsoft Azure is always accessible even if it is restored to factory default settings. For more information on how to install the vapv on specific cloud computing platforms and other details, please contact Array Networks Customer Support. Array Networks, Inc. All Rights Reserved. 4

5 ENHANCEMENTS HTTP/2 Beginning with ArrayOS APV , some important enhancements are introduced to the HTTP/2 feature. The enhancements are detailed as follows. Optimized the commands for enabling HTTP/2 (ID: 63722) To provide better usability, the commands used for enabling HTTP/2 for virtual services and real service groups have been optimized. Before: slb virtual option http2 enable <virtual_service> no slb virtual option http2 enable <virtual_service> show slb virtual option http2 enable [virtual_service] clear slb virtual option http2 enable slb group option http2 <group_name> no slb group option http2 <group_name> show slb group option http2 [group_name] clear slb group option http2 The preceding commands have been optimized into the following ones: Now: http2 virtual {on off} <virtual_service> This command is used to enable or disable HTTP/2 for the specified virtual service. By default, HTTP/2 is disabled. show http2 virtual [virtual_service] This command is used to display the enabling status of HTTP/2 for an HTTP/HTTPS virtual service. clear http2 virtual This command is used to disable HTTP/2 for all HTTP/HTTPS virtual services. http2 group {on off} <group_name> This command is used to enable or disable HTTP/2 for the specified HTTP/HTTPS real service group. By default, only HTTP/1 is enabled for HTTP/HTTPS real service groups, and HTTP/2 is disabled. Enabling HTTP/2 for a real service group that does not support HTTP/2 is not recommended. show http2 group [group_name] This command is used to display the enabling status of HTTP/2 for the specified HTTP/HTTPS real service groups. Array Networks, Inc. All Rights Reserved. 5

6 clear http2 group This command is used to disable HTTP/2 for all HTTP/HTTPS real service groups. Supporting health check for HTTP/2 real service (ID: 61559) HTTP/HTTPS real services that are enabled with HTTP/2 now support basic health check and group health check. HTTP/2 over TLSv1.2 In an SSL acceleration/offloading scenario, the SSL virtual host and real host support HTTP/2 running over TLS. For an SSL virtual host, the following conditions must be met; otherwise, HTTP/1.1 will be used: 1. The Server Load Balancing (SLB) virtual service associated with the virtual host is enabled with HTTP/2. 2. The virtual host supports TLSv The virtual host supports at least one of these cipher suites: ECDHE-RSA- AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE- ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM- SHA384. For an SSL real host, the following conditions must be met; otherwise, HTTP/1.1 will be used: 1. The SLB real service associated with the real host supports and is enabled with HTTP/2. 2. The virtual host supports running HTTP/2 (see the three conditions for HTTP/2 support by virtual host stated previously). 3. The real host supports TLSv The real host supports at least one of these cipher suites: ECDHE-RSA- AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE- ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM- SHA384. Note: In an SSL acceleration scenario where HTTP/2 runs over TLSv1.2, SSL renegotiation must be disabled. Use the ssl globals renegotiation off command to disable it globally, and the no ssl settings reneg <virtual_host_name> command to disable it on an individual virtual host. IPv6 support (ID: 62511) Now, the system supports HTTP/2 in both IPv4 and IPv6 environments. Array Networks, Inc. All Rights Reserved. 6

7 Server Push feature (ID: 60722) Beginning with ArrayOS APV , the system supports the Server Push feature of HTTP/2 protocol. This feature allows a server to preemptively send responses to a client in association with a previous client-initiated request. This can be useful when the server knows the client will need to have those responses available in order to fully process the response to the original request. Supporting HTTP/2 for more SLB configuration options (ID: 59033&59572&59371&61232&61641) More HTTP/HTTPS SLB configuration options support HTTP/2, specifically: URL redirect based on error code (configured by the http redirect error command) URL redirect based on host (configured by the http redirect url command) Compression of customized file types and user agents (configured by the http compression policy... commands) Cache (configured by the cache on command) Configuration of the encoding format for transferring the client certificate DN (configured by the http xclientcert dnencoding command) Configuration of the DN field separator (configured by the http xclientcert rdnsep command) Configuration of the header name used to transfer the client certificate to the real service (configured by the http xclientcert header command) Outlook Web Access (OWA) subsystem function (by the http owa on and http owa virtual commands) Enhanced error handling and flow control capabilities (ID: 54700) Error handling capability has been enhanced. Flow control algorithms have been enhanced to alleviate processing load on endpoints in communication. Server Load Balance (SLB) Disconnecting a client when no real service is available (ID: 63782) Previously, with virtual service health check enabled and all real services of the virtual service in down status, the APV appliance would send code 503 Service Unavailable to the client that sent a request. Now, in such a scenario, the APV appliance will disconnect from the client and drop received requests. Array Networks, Inc. All Rights Reserved. 7

8 Forbidding a space in epolicy script names (ID: 63756) To avoid configuration failures caused by a space in an epolicy script name, spaces are forbidden in epolicy script names. Keeping the client port the same as the virtual service port in transparent mode (ID: 62939) In transparent mode, when the difference between the port number of the virtual service and that of the real service is a multiple of the number of CPU cores, the system will not change the client port when forwarding client requests to the real service. The CPU core number is now indicated in the output of the show debug usage cpu command. Supporting TLSv1.2-based basic health check (ID: 60831) Previously, HTTPS and TCPS real services supported a basic health check based on TLSv1.0 and SSLv3.0 when the HTTPS or TCPS real service was associated with an SSL real host. Now, the system also supports a TLSv1.2-based basic health check for an HTTPS or TCPS real service associated with an SSL real host. Among these protocol versions, which will be used for the basic health check depends on the protocol versions configured for the SSL real host and whether it is in the FIPS environment. The order of precedence for selecting a protocol from those configured for the SSL real host is as follows: In a FIPS environment, the protocol is selected in the order of TLSv1.0 and SSLv3.0. In a non-fips environment, the protocol is selected in the order of TLSv1.2, TLSv1.0 and SSLv3.0. Secure Socket Layer (SSL) Adding a log for an unavailable trusted CA certificate (ID: 63371) When the server authentication function is enabled and no trusted CA certificate is available, the system will record a warning-level log SSL: SSL host <hostname> can't get trusted CA certificate for <server client> certificate. Deactivation of a specific active certificate (ID: 63242) Previously, administrators could only deactivate an active certificate by activating another one. Beginning with ArrayOS APV , administrators can deactivate a Array Networks, Inc. All Rights Reserved. 8

9 specific active certificate, as the system now supports two active certificates for each SSL host. To support this enhancement, the following command is added: ssl deactivate certificate <host_name> <domain_name> <certificate_type> This command is used to set the certificate of the specified SSL virtual host or real host as inactive. Adjusting the cipher suite list for SSL host (ID: 62742) Because an SSL real host now supports TLSv1.2, more cipher suites are added to the list available for it. The order of cipher suites in the list has also been adjusted for both real hosts and virtual hosts. This is to enable the most secured and wellsupported cipher suite to be preferentially negotiated. The default cipher suite list assigned to a newly created SSL host has also been adjusted. The list assigned depends on the SSL host s global default protocol version, which is configured by the ssl globals protocol virtual or ssl globals protocol real command. The cipher suite list configuration for an SSL host can be displayed by running the show ssl settings command. Optimizing CLI prompts and outputs (ID: 61554&63459&62154&63332&63331&62564&62585&63558) To help administrators better configure and monitor the system, ArrayOS APV has optimized the CLI prompts and outputs of the following SSL commands: ssl activate certificate <host_name> [certificate_index] [domain_name] [certificate_type] ssl import certificate <host_name> [certificate_index] [domain_name] [tftp_ip] [file_name] ssl export key <host_name> [certificate_index] [domain_name] [key_type] no ssl certificate <host_name> <certificate_index> [domain_name] [certificate_type] show ssl certificate <host_name> [display_mode] [certficate_index] [domain_name] [certificate_type] show ssl csr <virtual_host_name> [domain_name] [csr_type] ssl start <host_name> ssl restore certificate <host_name> <file_name> <password> [domain_name] ssl import key <host_name> [certificate_index] [domain_name] [tftp_ip] [file_name] In addition, when an SSL real host is configured, the prompt of the clear config command has been changed. This list includes the major commands of which the prompts and outputs are optimized. For details, please refer to the CLI Command Changes to SSL document. Array Networks, Inc. All Rights Reserved. 9

10 Supporting TLSv1.2 for SSL real host with both RSA and ECC cipher suites (ID: 60798&53101) An SSL real host previously supported SSL protocol versions SSLv3 and TLSv1.0. For the purpose of enhancing connection security, it now also supports the more secure SSL version TLSv1.2. Also, RSA and ECC cipher suites are supported for a TLSv1.2 real host; AES256-GCM-SHA384 and AES256-GCM-SHA256 cipher suites are added for both TLSv1.2 real hosts and virtual hosts. To support this enhancement, a new value TLSv12 now is available for the version parameter in the following commands: ssl globals protocol real <version> version This parameter specifies default SSL protocol versions supported by all SSL real hosts. Its value must be: SSLv3: indicates that the SSLv3 protocol is supported. TLSv1: indicates that the TLSv1.0 protocol is supported. TLSv12: indicates that the TLSv1.2 protocol is supported. ALL: indicates that all the three protocols are supported. To support two or three protocols, separate them with colons (:). ssl settings protocol <host_name> <version> version This parameter specifies the SSL protocol versions supported by the SSL host. Its value must be: SSLv3: indicates that the SSLv3 protocol is supported. TLSv1: indicates that the TLSv1.0 protocol is supported. TLSv12: indicates that the TLSv1.2 protocol is supported. ALL: indicates that all the three protocols are supported. To support two or three protocols, separate them with colons (:). The cipher suites allowed by the ssl settings ciphersuite command are listed in the following table ( Y highlighted in red indicates the cipher suites supported beginning with ArrayOS APV ). Cipher Suites Protocols Virtual Hosts Protocols Real Hosts Bits SSLv3 TLSv1.0 TLSv1.2 SSLv3 TLSv1.0 TLSv1.2 AES256-GCM-SHA N N Y N N Y AES128-GCM-SHA N N Y N N Y AES256-SHA N N Y N N Y AES256-SHA 256 Y Y Y Y Y Y AES128-SHA N N Y N N Y AES128-SHA 128 Y Y Y Y Y Y Array Networks, Inc. All Rights Reserved. 10

11 Bits Protocols Virtual Hosts Protocols Real Hosts Cipher Suites DES-CBC3-SHA 192 Y Y Y Y Y Y DES-CBC-SHA 64 Y Y N N N N RC4-SHA 128 Y Y Y Y Y Y RC4-MD5 128 Y Y Y Y Y Y EXP-DES-CBC-SHA 40 Y N N N N N EXP-RC4-MD5 40 Y N N N N N ECDHE-RSA-AES256-GCM-SHA N N Y N N Y ECDHE-RSA-AES128-GCM-SHA N N Y N N Y ECDHE-RSA-AES256-SHA N N Y N N Y ECDHE-RSA-AES256-SHA 256 Y Y Y Y Y Y ECDHE-RSA-AES128-SHA N N Y N N Y ECDHE-RSA-AES128-SHA 128 Y Y Y Y Y Y ECDHE-ECDSA-AES256-GCM-SHA N N Y N N Y ECDHE-ECDSA-AES128-GCM-SHA N N Y N N Y ECDHE-ECDSA-AES256-SHA N N Y N N Y ECDHE-ECDSA-AES256-SHA 256 Y Y Y Y Y Y ECDHE-ECDSA-AES128-SHA N N Y N N Y ECDHE-ECDSA-AES128-SHA 128 Y Y Y Y Y Y Supporting multiple active certificates (ID: 55804) Previously, each SSL host supported only one active certificate, which could be either an RSA certificate or an Elliptic Curve Cryptography (ECC) certificate. To provide enhanced security based on ECC, now a real host is allowed to have two active certificates, and a virtual host is allowed to have two active certificates for each domain name associated with it. Among every pair of the certificates, one of them must be of the RSA type, and the other must be of the ECC type. To support this enhancement, the following commands have been modified to include a CSR, key or certificate type option. Previously, commands were: no ssl csr <virtual_host_name> [domain_name] show ssl csr <virtual_host_name> [domain_name] ssl export key <host_name> [certificate_index] [domain_name] no ssl certificate <host_name> <certificate_index> [domain_name] ssl activate certificate <host_name> [certificate_index] [domain_name] show ssl certificate <host_name> [display_mode] [certficate_index] Now, commands are: no ssl csr <virtual_host_name> [domain_name] [csr_type] csr_type Optional. This parameter specifies the type of CSR to be deleted. Its value must be: rsa: deletes only the RSA CSR. ecc: deletes only the ECC CSR. all: deletes all types of CSRs. Array Networks, Inc. All Rights Reserved. 11

12 The default value is all. show ssl csr <virtual_host_name> [domain_name] [csr_type] csr_type Optional. This parameter specifies the type of CSR to be displayed. Its value must be: rsa: displays only the RSA CSR. ecc: displays only the ECC CSR. all: displays all types of CSRs. The default value is all. ssl export key <host_name> [certificate_index] [domain_name] [key_type] key_type Optional. This parameter specifies the type of private key to be displayed. Its value must be: rsa: displays only the RSA private key. ecc: displays only the ECC private key. all: displays all types of private keys. The default value is all. no ssl certificate <host_name> <certificate_index> [domain_name] [certificate_type] certificate_type Optional. This parameter specifies the type of certificate to be deleted. Its value must be. rsa: deletes only the RSA certificate. ecc: deletes only the ECC certificate. all: deletes all certificates. The default value is all. ssl activate certificate <host_name> [certificate_index] [domain_name] [certificate_type] certificate_type Optional. This parameter specifies the type of certificate to be activated. Its value must be: rsa: activates the RSA certificate. ecc: activates the ECC certificate. all: activates all types of certificates. The default value is all. show ssl certificate <host_name> [display_mode] [certficate_index] [domain_name] [certificate_type] certificate_type Optional. This parameter specifies the type of certificate to be displayed. Its value must be: rsa: displays only the RSA certificate information. Array Networks, Inc. All Rights Reserved. 12

13 ecc: displays only the ECC certificate information. all: displays the information of all types of certificates. The default value is all. High Availability (HA) Automatic conversion of some HA configurations during updates from ArrayOS APV 8.5.x.x to ArrayOS APV (ID: 64035) The system beginning with ArrayOS APV has introduced some important enhancements to the HA module, which brought up changes to certain HA commands. These commands, if configured in the system running ArrayOS APV 8.5.x.x, needed to be manually reconfigured after the system was updated to ArrayOS APV To reduce manual reconfiguration load after the upgrade, the system now supports automatic conversion of some HA configurations. Specifically, the following commands configured in ArrayOS APV 8.5.x.x do not need to be reconfigured in ArrayOS APV : ha hc peerunit ha hc cpu overheat ha hc cpu utilization ha hc gateway ha hc vcondition Note: If the system running ArrayOS APV 8.5.x.x has no CPU health check configurations, the default CPU health check configurations which are normally available in ArrayOS APV 8.6.x.x will not be generated after the system upgrade. General System/Tools Enhancing security in SSH connections (ID: 62847) To enhance security in SSH connections, the weak encryption algorithms arcfour, arcfour128, and arcfour256 have been disabled when the APV appliance functions as an SSH server or client. Note: The full set of SSH algorithms remains available if it is explicitly configured by the ssh remote command. Optimizing epolicy CLI prompts and outputs (ID: 62681&62568) Array Networks, Inc. All Rights Reserved. 13

14 To help administrators better configure and monitor the system, ArrayOS APV has optimized the CLI prompts and outputs of the following epolicy commands: epolicy import script <url> <script_name> no epolicy import setting <script_name> Increasing the number of log filters to 20 (ID: 62558) From ArrayOS APV , the maximum number of log filters that can be configured is increased from 3 to 20. Adding OIDs for total throughout of virtual IP address (ID: 62173) The following object identifiers (OIDs) are added for querying the total throughput of virtual IP addresses: : Outbound throughput of all VIPs (KB/s) : Inbound throughput of all VIPs (KB/s) Supporting an identical IP address for a virtual service and a system interface (ID: 60868) Beginning with ArrayOS APV , the administrator can configure an identical IP address for a system interface and a virtual service. QoS supporting 10 Gigabit interface (ID: 58106) Now, the Quality of Service (QoS) function can be applied to 10 Gigabit interfaces. Array Networks, Inc. All Rights Reserved. 14

15 RESOLVED ISSUES Server Load Balance (SLB) Failing to parse cookies nested with double quotation marks (ID: 63016) The system would not properly parse a cookie nested with double quotation marks ("), for example, psback=""label":"home" "layout":9". This issue has now been resolved. Invalid SIP SLB with IP fragment (ID: 59662) In a scenario where an IP fragment existed, SIP SLB might become invalid. This issue has now been resolved. Failing to process POST requests without Content-Length when a virtual service used HTTP/2 and a real service used HTTP/1 (ID: 58777) Previously, an HTTP/2 virtual service did not support POST requests without the Content-Length header when a real service used HTTP/1. This issue has been resolved. Link Load Balance (LLB) Improper warning about link route overload (ID: 62345&62809) An improper warning about link routes being overloaded might be logged in either of the following scenarios after the system was started for at least an hour: A link was configured with no bandwidth limitation, traffic matched the link, and the show llb link bandwidth was executed one time. One of the links was configured with no bandwidth limitation, and traffic matched the link. This issue has now been resolved. Array Networks, Inc. All Rights Reserved. 15

16 Reverse Proxy Cache Excessive connections to a real server for mass requests with identical host name and URL string (ID: 61581) When a large number of requests with an identical host name and URL string arrived at the APV appliance at the same time, the connections between the APV appliance and the real server would become excessive and possibly exhaust the real server. This issue has now been resolved. General System/Tools Incorrect diskspace unit in output of show memory (ID: 62555) In the output of the show memory command, the unit of diskspace was Mb whereas it should be MB. This issue has now been resolved. Incorrectly logging warnings when the power supply was working properly (ID: 62496) On certain APV6600 and APV5600 models, the APV appliance incorrectly and repeatedly logged warning messages One of the power supplies has failed and The failed power supply is restored, while the power supply in actuality did not fail. This issue has now been resolved. Interface route of bond/vlan/mnet interface was removed after a route with the same subnet was added (ID: 62306) For a bond, VLAN, or MNET interface, when a route whose destination subnet was the same as that of the interface route was added, the interface route of the bond, VLAN or MNET interface would be removed by the system. This issue has now been resolved. WebUI Failing to display a VLAN interface with a numeral in name (ID: 62771) Array Networks, Inc. All Rights Reserved. 16

17 In Network > Interface Settings > VLAN Interface, a VLAN interface whose name contained numeral(s) would not be displayed in the VLAN Interface table. This issue has now been resolved. Missing configuration of cipher strength redirection (ID: 62663) In SLB > SSL Settings > SSL Virtual Host, if you double-click a virtual host, in the Client Authentication Settings tab the configuration of cipher strength redirection was not available. This issue has now been resolved. Improper status button name (ID: 62280) Previously, for a function, the word Enable on the status button indicated that the function was enabled. However, administrators would comprehend it as the function being disabled and believed they must click on Enable to enable the function. This issue has now been resolved. The button name has been modified to Enabled and Disabled. Displaying an incomplete default policy name for a virtual service with a long name (ID: 62149) When the name of a virtual service consisted of more than 22 characters, and a default policy was configured for the virtual service, the system failed to display complete information in the Policy Name column in SLB > Policies. This issue has now been resolved. Failing to export saved configuration file to the local disk (ID: 60574) In System > Config Management > View > Saved File, the saved configuration file could not be exported to the local disk. This issue has now been resolved. Full attributes of a global root CA certificate improperly displayed (ID: 55688) In SLB > SSL Settings > SSL Global Settings > Global Root CA Certificate, if you clicked an item, the full attributes of the item were not properly displayed. This issue has now been resolved. Array Networks, Inc. All Rights Reserved. 17

18 Legacy WebUI Failing to uncheck the security keyword for HTTPS and HTTP virtual services (ID: 64141) To set a security keyword, in Server Load Balance > Virtual Services, double-click an HTTPS or HTTP virtual service, and uncheck the Add "secure" Keyword to Set- Cookie Headers for HTTPS Virtuals and Add "secure" Keyword to Inserted Set- Cookie Headers for HTTPS Virtuals check boxes. Previously, the unchecking did not take effect after the Save Changes button was clicked. This issue has now been resolved. Failing to log in with a new user account (ID: 63943) Logging into the legacy WebUI by using a newly created user account would fail. This issue has now been resolved. Failing to configure an IPv6 address for LLB link route (ID: 63478) When adding an LLB link route, the gateway IP address of the LLB link route could not be configured as an IPv6 address. This issue has now been resolved. Failing to display an IP pool with special character in name (ID: 63753) In Server Load Balance > Groups > Groups Setting, the IP pool whose name contained a special character such as a hyphen (-) could not be displayed in the Global IP Pool List table. This issue has now been resolved. Failing to preview an SLB statistics report when the number of real services is a multiple of 18 (ID: 62674&62673) In Server Load Balance > Monitoring > Report, if the number of real services was a multiple of 18, the SLB statistics report could not be previewed. This issue has now been resolved. Displaying an incorrect maximum length of syslog filter string (ID: 62366) Array Networks, Inc. All Rights Reserved. 18

19 In Admin Tools > Graph > Logging > Syslog Servers, when a log filter entry was to be added, the maximum length of a log filter was displayed as 1024 characters whereas the actual maximum length is 40 characters. This issue has now been resolved. Array Networks, Inc. All Rights Reserved. 19

20 KNOWN LIMITATIONS HTTP/2 Unsupported features (ID: 63086&58308&62470&60010&53446&62481&64021) The following functions are known to be unavailable in an HTTP/2 environment: HTTP content rewrite Upgrade to HTTP/2 via Next Protocol Negotiation (NPN) extension on HTTPS virtual service Import of error pages from an HTTP/2 server Upgrade of a client s protocol to HTTP/2 through the Upgrade header Static policy Function of splicing TCP connections at the client and real service sides (configured by the http connsplice on command) Acceleration of HTTP request processing (configured by the http turbo command) FastHTTP (configured by the http proxymode command) Persistence based on session ID obtained from HTTP request body for HTTP/2 real service group Stream priority and frame padding Secure Socket Layer (SSL) http acl url does not support access level 3 in HTTP/2 over TLS (ID: 63635) In an SSL acceleration scenario where HTTP/2 is running over TLSv1.2, access level 3 configured by the http acl url command will not take effect. This is because this level requires SSL renegotiation, which needs to be disabled as speculated by RFC debug trace live ssl failing to display plaintext data traffic (ID: 62563&62885) The debug trace live ssl command will fail to display plaintext data traffic if no active RSA certificate exists for the SSL connection to be traced. If both RSA and ECC certificates exist, but the negotiated cipher suite is of the ECDHE type, this command can display only encrypted ECC data traffic. Array Networks, Inc. All Rights Reserved. 20

21 ssl settings clientcert minkey does not work for ECC certificate (ID: 62483) The minimum key length set by the ssl settings clientcert minkey command does not work for ECC certificates. WebUI Occasional display of error page when clicking an element name containing a special character (ID: 63830) On the WebUI, the expected page might display a 404 or 500 error when the administrator attempts to open it by clicking the linked element name. This occurs occasionally if the linked element name contains some specific special characters such as the question mark (?) or percent symbol (%). Array Networks, Inc. All Rights Reserved. 21