SNMP4J Release 3.3.1 (2.8.0)

SNMP4J 3.3.1 (and 2.8.0 for the Java 8 branch) have been released to fix functional and security issues in the (D)TLS implementation. Put simply, the new releases support using a different TLS security callback for a target than the one specified for the transport mapping (this feature is required to use the SNMP-TARGET-MIB with (D)TLS). In addition, in earlier releases a certificate check that failed on the fingerprint could still succeed through certificate path validation, although RFC 6353 does not allow this.
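To make the RFC 6353 rule concrete, here is an added example (not SNMP4J's TLSTM code) that models peer certificate acceptance for SNMP over (D)TLS. The fixed decision procedure matches a configured fingerprint against the end-entity certificate only and never falls back to platform path validation on a mismatch; the legacy procedure reproduces the pre-3.3.0 behaviour described in this announcement for comparison. The Cert type, the DER placeholder byte strings, the subject names and the trusted_by_runtime stand-in are constructed for the example.

```python
"""Peer certificate acceptance for SNMP over (D)TLS, fingerprint first.

Added, self-contained example (not SNMP4J code). RFC 6353: when a
fingerprint is configured for a peer, only a match against the
end-entity certificate counts, and a mismatch must abort the session
even if the platform trust store would accept the certificate.
"""
import hashlib
import hmac
from typing import NamedTuple

# SnmpTLSFingerprint (RFC 6353 section 4.1): first octet is the hash
# algorithm id from the TLS HashAlgorithm registry, the rest is the
# digest of the certificate's DER encoding.
HASH_ALGS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}


class Cert(NamedTuple):
    der: bytes      # DER bytes (constructed placeholders below)
    subject: str    # subjectDN, used for the identity check


def make_fingerprint(cert: Cert, alg_id: int = 4) -> bytes:
    """Build an SnmpTLSFingerprint value for a certificate."""
    return bytes([alg_id]) + hashlib.new(HASH_ALGS[alg_id], cert.der).digest()


def fingerprint_matches(fingerprint: bytes, cert: Cert) -> bool:
    """Constant-time comparison; unknown algorithm ids never match."""
    if not fingerprint or fingerprint[0] not in HASH_ALGS:
        return False
    digest = hashlib.new(HASH_ALGS[fingerprint[0]], cert.der).digest()
    return hmac.compare_digest(digest, fingerprint[1:])


def accept_peer(chain, fingerprint, expected_identity, runtime_trusts):
    """Fixed behaviour (the 3.3.0 / 2.8.0 semantics described above).

    chain: peer certificates, end-entity first.
    fingerprint: configured SnmpTLSFingerprint, or None.
    expected_identity: subjectDN expected for the peer, or None.
    runtime_trusts: callable doing platform path validation of the chain.
    """
    if not chain:
        return False, "empty chain"
    end_entity = chain[0]
    if fingerprint is not None:
        # Fingerprint configured: end-entity only, no fallback to PKI.
        if not fingerprint_matches(fingerprint, end_entity):
            return False, "fingerprint mismatch"
    elif not runtime_trusts(chain):
        return False, "path validation failed"
    if expected_identity is not None and end_entity.subject != expected_identity:
        return False, "identity mismatch"
    return True, "accepted"


def accept_peer_legacy(chain, fingerprint, expected_identity, runtime_trusts):
    """Pre-fix behaviour reconstructed from the release notes: a fingerprint
    could match any certificate in the chain (including the CA), and a
    fingerprint or identity failure was overridden by platform trust."""
    if not chain:
        return False, "empty chain"
    fp_ok = fingerprint is None or any(fingerprint_matches(fingerprint, c) for c in chain)
    id_ok = expected_identity is None or chain[0].subject == expected_identity
    if fp_ok and id_ok:
        return True, "accepted"
    if runtime_trusts(chain):
        return True, "accepted via runtime trust despite failure"
    return False, "rejected"


# Constructed placeholder "certificates"; real code would carry X.509 DER.
AGENT = Cert(b"DER:agent.example.net", "CN=agent.example.net")
CA = Cert(b"DER:Example Root CA", "CN=Example Root CA")
CHAIN = [AGENT, CA]


def trusted_by_runtime(chain) -> bool:
    """Stand-in for JSSE path validation: trusts anything chaining to CA."""
    return chain[-1].der == CA.der


def scenarios():
    """Decisions (fixed, legacy) for the cases named in the release notes."""
    wrong_fp = make_fingerprint(Cert(b"DER:someone else", "CN=x"))
    cases = {
        "leaf fingerprint": make_fingerprint(AGENT),
        "ca fingerprint": make_fingerprint(CA),
        "wrong fingerprint": wrong_fp,
    }
    out = {}
    for name, fp in cases.items():
        out[name] = (accept_peer(CHAIN, fp, None, trusted_by_runtime)[0],
                     accept_peer_legacy(CHAIN, fp, None, trusted_by_runtime)[0])
    out["identity mismatch"] = (
        accept_peer(CHAIN, None, "CN=other.example.net", trusted_by_runtime)[0],
        accept_peer_legacy(CHAIN, None, "CN=other.example.net", trusted_by_runtime)[0])
    return out


if __name__ == "__main__":
    for name, (fixed, legacy) in scenarios().items():
        print(f"{name:20s} fixed={fixed!s:5s} legacy={legacy}")
```

Running it shows the three cases the fix closes: a fingerprint of the CA certificate, a fingerprint that matches nothing, and a subjectDN mismatch are all accepted by the legacy path because the runtime trusts the chain, and all rejected by the fixed path. Only a fingerprint of the end-entity certificate (plus a matching identity, if one is configured) is accepted by both.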

Both releases include performance improvements for the MPv3 cache as well as for the AuthGeneric.passwordToKey function, as suggested by the community here in the forum.
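The passwordToKey improvement is easiest to see next to the reference algorithm. The following is an added example (not SNMP4J's AuthGeneric.passwordToKey) implementing the RFC 3414 Appendix A.2 password-to-key derivation twice: once as the literal 64-byte-chunk loop from the RFC, and once hashing a single 1 MB buffer, which is the idea behind SFJ-208. Both produce the same localized key, checked against the "maplesyrup" test vectors from RFC 3414 Appendix A.3; the function names and the timing harness are this example's own.

```python
"""RFC 3414 A.2 password-to-key for USM: reference loop vs 1 MB buffer.

Added example (not SNMP4J's AuthGeneric.passwordToKey). Both functions
compute the same key; the second replaces 16384 hash updates of 64 bytes
with one update over a 1 MB buffer.
"""
import hashlib
import time

ONE_MEGABYTE = 1048576


def localize(ku: bytes, engine_id: bytes, alg: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku) (RFC 3414 section 2.6)."""
    return hashlib.new(alg, ku + engine_id + ku).digest()


def password_to_key_chunked(password: bytes, engine_id: bytes, alg: str = "md5") -> bytes:
    """Literal transcription of the RFC 3414 A.2.1/A.2.2 loop: fill
    64-byte buffers by cycling through the password until 1 MB has been
    fed to the digest."""
    if not password:
        raise ValueError("empty password")
    h = hashlib.new(alg)
    plen = len(password)
    index = 0
    count = 0
    while count < ONE_MEGABYTE:
        chunk = bytes(password[(index + i) % plen] for i in range(64))
        h.update(chunk)
        index += 64
        count += 64
    return localize(h.digest(), engine_id, alg)


def password_to_key_buffered(password: bytes, engine_id: bytes, alg: str = "md5") -> bytes:
    """Same key: materialise the first 1 MB of the repeated password once
    and hash it in a single call."""
    if not password:
        raise ValueError("empty password")
    reps = ONE_MEGABYTE // len(password) + 1
    stream = (password * reps)[:ONE_MEGABYTE]
    return localize(hashlib.new(alg, stream).digest(), engine_id, alg)


def rfc3414_vectors() -> dict:
    """Localized keys (hex) for the RFC 3414 A.3 inputs: password
    'maplesyrup', snmpEngineID 00 00 00 00 00 00 00 00 00 00 00 02."""
    engine_id = bytes.fromhex("000000000000000000000002")
    pw = b"maplesyrup"
    return {
        "md5": password_to_key_buffered(pw, engine_id, "md5").hex(),
        "sha1": password_to_key_buffered(pw, engine_id, "sha1").hex(),
    }


def same_key(password: bytes, engine_id: bytes, alg: str = "sha1") -> bool:
    """True if both implementations agree for the given input."""
    return (password_to_key_chunked(password, engine_id, alg)
            == password_to_key_buffered(password, engine_id, alg))


if __name__ == "__main__":
    eid = bytes.fromhex("000000000000000000000002")
    for fn in (password_to_key_chunked, password_to_key_buffered):
        t0 = time.perf_counter()
        key = fn(b"maplesyrup", eid, "sha1")
        print(f"{fn.__name__:24s} {key.hex()}  {time.perf_counter() - t0:.3f}s")
```

The stream hashed is identical in both cases (exactly 1,048,576 bytes of the password repeated, truncated mid-password when the length does not divide evenly), so the keys match byte for byte; only the number of digest calls differs, which is where the speed-up of the 1 MB buffer comes from.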

Dependencies

  • Java 9 or later (3.3.1) or Java 8 or later (2.8.0)

CHANGES

  • Fixed: TLSTMExtendedTrustManager and TrustManager did not allow falling back to Java Runtime certificate path validation if the provided security callback was not configured for validation.
  • Fixed: Removed debug output from TLSTMTest.
  • SECURITY: Due to changes necessary for SFJ-207, several security issues related to TLSTM and DTLSTM in SNMP4J 3.2.2 and 2.7.0 (and earlier, respectively) have been identified and fixed:
    • In previous releases, the connection establishment was not interrupted (canceled) on the client and server side if the fingerprint match of the provided certificate failed but the certificate was trusted by the Java Runtime.
    • In addition, the fingerprint match also worked on CA certificates, although matching at CA level is not mentioned in RFC 6353. This has been removed in 3.3.0; now a connection cannot be established if a fingerprint is given but does not match the provided certificate.
    • In previous versions, if the identity specified in the security callback did not match the identity of the certificate (i.e. the subjectDN name), the connection could still be established if the Java Runtime trusted the certificate. In SNMP4J 3.3.0 (and SNMP4J 2.8.0) and later, the connection will not be established if such a mismatch occurs.
  • Fixed [SFJ-207]: SNMP4J-Agent NotificationOriginatorImpl does not use snmpTlsAddrTable when sending TLS notifications.
  • Added: TlsX509CertifiedTarget, which can specify a TlsTmSecurityCallback that overrides the security callback defined at TLSTM or DTLSTM level, as required by RFC 6353 for sending (D)TLS messages based on the SNMP-TARGET-MIB.
  • Improved [SFJ-208]: Performance of AuthGeneric.passwordToKey is improved by hashing a 1 MB buffer at once instead of 64-byte chunks.
  • Improved [SFJ-209]: MPv3Cache performance for high-load multi-threaded message processing. The cache now scales in constant time instead of O(n), where n is the number of concurrently pending requests.