The following changes were made between the 5.1.3 and 5.1.4 releases:
- Fixed a potential issue that could affect the fewest connections and round-robin server sets. Under certain circumstances (when a server associated with the server set is no longer available), the LDAP SDK could have left a background thread running until that server became available again. If the server was permanently unavailable, then that background thread would have remained alive until the JVM was shut down.
- Improved support for running in a JVM that has been configured to operate in a FIPS 140-2-compliant mode using the Bouncy Castle BCFIPS provider. The LDAP SDK does not include the Bouncy Castle libraries, but if they are available in the classpath, and if the com.unboundid.crypto.FIPS_MODE system property is set to "true" (ideally at the time the JVM is launched, but at the very least before any LDAP SDK classes are loaded), then the Bouncy Castle FIPS provider will be used for cryptographic operations. In addition, the manage-certificates tool has been updated to add support for interacting with BCFKS key stores, and the LDAP listener and command-line tool frameworks have been updated to support using key and trust store files in the BCFKS format when explicitly requested.
- Updated the TLS cipher suite selector to improve compatibility with JVMs that report all cipher suite names starting with "SSL_". Previously, the LDAP SDK assumed that modern TLS cipher suite names would always start with "TLS_" and only legacy SSL suite names would start with "SSL_". However, some JVMs (like the one maintained by IBM) use the "SSL_" prefix for all TLS cipher suite names, regardless of the protocol with which they are intended to be used. In such cases, the LDAP SDK would previously not identify any recommended suites, which would prevent the SSLUtil helper class from establishing secure connections, but it will now fall back to allowing suite names that start with "SSL_" as long as they do not meet any other criteria for exclusion. Further, if the cipher suite selector is still unable to identify any recommended suites, it will now fall back to using the JVM-default set of enabled suites.
- Updated the TLS cipher suite selector so that cipher suites that rely on the SHA-1 digest are excluded by default in FIPS 140-2-compliant mode.
- Improved the order in which the LDAP SDK returns the names of the recommended cipher suites chosen by the TLS cipher suite selector. It now uses more fine-grained ordering based on the key agreement for cipher suites with the "SSL" protocol. It will also order suites that use null encryption after those that do not, will order suites that use anonymous authentication after those that do not, and will order suites that use export-grade encryption after those that do not.
- Updated the TLS cipher suite selector to provide a way to recompute the sets of supported, recommended, and non-recommended cipher suites. This may be necessary after performing some action that changes the set of cipher suites available for use in the JVM, like enabling FIPS 140-2-compliant mode or installing a new cryptographic provider into the running JVM.
- Added a new PEMFileKeyManager class that can be used as a Java X.509 key manager that reads the certificate chain and private key from PEM files.
- Added a new PEMFileTrustManager class that can be used as a Java X.509 trust manager that reads information about trusted certificates from PEM files.
- Added new X509PEMFileReader and PKCS8PEMFileReader classes that can be used to read PEM-formatted X.509 certificates and PKCS #8 private keys.
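As an added example (not code from the LDAP SDK's own documentation), the following uses the new PEMFileKeyManager and PEMFileTrustManager classes with SSLUtil to open a mutually authenticated LDAPS connection without first converting the PEM files into a JKS or PKCS #12 key store. The file names, host and port are placeholders, and the constructor forms used (PEMFileKeyManager(File chain, File key) and PEMFileTrustManager(File...)) are assumed from the class descriptions above.

```java
import java.io.File;
import javax.net.ssl.SSLSocketFactory;

import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.RootDSE;
import com.unboundid.util.ssl.PEMFileKeyManager;
import com.unboundid.util.ssl.PEMFileTrustManager;
import com.unboundid.util.ssl.SSLUtil;

public final class PEMMutualTLSExample
{
  // If FIPS 140-2-compliant mode is required, launch the JVM with
  // -Dcom.unboundid.crypto.FIPS_MODE=true so the property is set before
  // any LDAP SDK class is loaded (see the release note above).
  public static void main(final String[] args) throws Exception
  {
    // Placeholder paths: the client's certificate chain, its PKCS #8
    // private key, and the CA certificate(s) that issued the server cert.
    final File clientChainPEM = new File("client-chain.pem");
    final File clientKeyPEM   = new File("client-key.pem");
    final File caCertsPEM     = new File("ca-certs.pem");

    // The key manager presents the client chain during the TLS handshake
    // (mutual TLS); the trust manager accepts only server certificates that
    // chain to a CA certificate found in the PEM file.
    final PEMFileKeyManager keyManager =
         new PEMFileKeyManager(clientChainPEM, clientKeyPEM);
    final PEMFileTrustManager trustManager =
         new PEMFileTrustManager(caCertsPEM);

    // SSLUtil builds the socket factory using the SDK's recommended cipher
    // suites, with the fallbacks described in this release for "SSL_" names.
    final SSLUtil sslUtil = new SSLUtil(keyManager, trustManager);
    final SSLSocketFactory socketFactory = sslUtil.createSSLSocketFactory();

    // Placeholder host and port for an LDAPS listener.
    try (LDAPConnection conn =
              new LDAPConnection(socketFactory, "ldap.example.com", 636))
    {
      final RootDSE rootDSE = conn.getRootDSE();
      System.out.println("Connected over TLS; root DSE present: "
           + (rootDSE != null));
    }
    catch (final LDAPException e)
    {
      System.err.println("LDAPS connection failed: " + e.getResultCode());
    }
  }
}
```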
- Improved the error message included in the exception thrown when a connection becomes invalid while a request is being sent to the server.
- Updated the ldifmodify command-line tool to add support for ignoring duplicate attempts to delete the same entry, as well as attempts to delete or modify entries that do not exist in the source LDIF file.
- Updated support for the get user resource limits request control to allow clients to request that the server not return information about the user's group membership in the response control. This can help improve performance, especially in servers with large numbers of dynamic groups.
- Added draft-coretta-x660-ldap to the set of LDAP-related specifications.
- Updated to the latest revision of draft-ietf-kitten-password-storage in the set of LDAP-related specifications.