Changed in 10.6.x

IBM® DataPower® Gateway 10.6.x introduces the following value and behavioral changes. Information about 10.6.0.1 and earlier fix packs is included.

Library upgrade to support TLS

10.6.0.0 includes an updated library to support TLS and cryptographic operations. The updated crypto library improves security and usability, but the added complexity of this implementation comes with a performance cost. This update is needed to maintain the proper security posture, which includes CVE updates.

Value changes

In the 10.6.x continuous delivery (CD) release, the following changes apply to values. These changes apply to 10.6.0.0 and later fix packs and to 10.6.1 and later update packages.

Table 1. Value changes in 10.6.x
Function area | What changed | Previous | Current
Password aliases | 10.6.0.0 - Maximum character length of plaintext and encrypted password | 127 | 512
GitOps templates | 10.6.0.0 - Label text
  • Value
  • Inverse value
  • Read value
  • Write value

Behavioral changes

In the 10.6.x CD release, the following changes apply to behavior. These changes apply to 10.6.0.0 and later fix packs and to 10.6.1 and later update packages.

API routing to determine which API to process
10.6.0.1 - The rules changed for how the API gateway, when it runs the routing API action, matches which API to process. For more information, see Routing API action.
Default TLS server profile to secure connections from clients
10.6.0.0 - The default TLS server profile that secures connections from clients to any management interface supports only TLS 1.2 and TLS 1.3 and the following cipher suites, in preference order:
AES_256_GCM_SHA384
CHACHA20_POLY1305_SHA256
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE_RSA_WITH_AES_256_GCM_SHA384

Instead of using the built-in TLS server profile that uses a DataPower self-signed certificate, use a custom TLS server profile or TLS SNI server profile to secure connections from clients. For more information, see Custom TLS profile for management access.

Error message when remote peer abruptly closes a TLS connection without sending the close_notify alert
10.6.0.0 - The close_notify alert at the end of a TLS handshake is mandatory. However, some peers do not send the close_notify alert, which abruptly ends the TLS connection. When a TLS client abruptly closes a connection, message 0x8120002f is logged with TLS error 0A000126. This TLS library error indicates an unexpected EOF.
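
An added example (not IBM code) for the default TLS server profile entry above: a Python check that flags negotiated protocol and cipher pairs that fall outside the documented list, accepting OpenSSL or IANA cipher spellings. The function names, the constructed sample observations, and the pairing of each listed suite with TLS 1.2 or TLS 1.3 are assumptions of this example.

```python
import socket
import ssl

# Suites listed above; the protocol pairing is standard TLS, not from the page.
ALLOWED = {
    "AES_256_GCM_SHA384": "TLSv1.3",
    "CHACHA20_POLY1305_SHA256": "TLSv1.3",
    "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "TLSv1.2",
    "ECDHE_RSA_WITH_AES_256_GCM_SHA384": "TLSv1.2",
}

def normalize_suite(name):
    """Map an OpenSSL or IANA cipher name onto the spelling used in the list."""
    n = name.upper().replace("-", "_").removeprefix("TLS_")
    n = n.replace("AES256", "AES_256").replace("AES128", "AES_128")
    # OpenSSL TLS 1.2 names (ECDHE-RSA-AES256-GCM-SHA384) omit "WITH".
    if n.startswith(("ECDHE_", "DHE_")) and "_WITH_" not in n and n.count("_") >= 2:
        kx, auth, rest = n.split("_", 2)
        n = f"{kx}_{auth}_WITH_{rest}"
    return n

def probe(host, port, version):
    """Handshake pinned to one ssl.TLSVersion; return (protocol, cipher) or None."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # negotiation audit only: the peer is
        ctx.verify_mode = ssl.CERT_NONE  # not authenticated, so send no data
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        return None  # version refused by the peer or unsupported locally

def audit(observations):
    """Return the (protocol, cipher) pairs outside the documented profile."""
    return [(proto, cipher) for proto, cipher in observations
            if ALLOWED.get(normalize_suite(cipher)) != proto]

# Constructed observations, not captured from a real appliance.
SAMPLE = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("TLSv1.2", "AES256-GCM-SHA384"),      # static-RSA suite, TLS 1.2
    ("TLSv1.1", "ECDHE-RSA-AES256-SHA"),
]

if __name__ == "__main__":
    print("outside profile:", audit(SAMPLE))
```

Requires Python 3.9 or later. Against a real management interface, collect one `probe()` result per `ssl.TLSVersion` and pass the non-`None` results to `audit()`; an empty list means every negotiated pair matched the documented profile.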