File README.conf of Package sblim-sfcb.23461
There are a couple of new sfcb.cfg properties: * sslDhParamsFilePath supports the use of an external Diffie Hellman (DH) parameters file, and sslEcDhCurveName allows the user to set the "curve name" for Elliptic Curve Diffie Hellman (ECDH) key generation. These options can be used with openssl cipher suites supporting "ephemeral" Diffie Hellman (DHE) key exchange algorithms. Ephemeral key exchange enhances security by decoupling the private key used to generate the session key, from the private key associated with the server certificate. This provides "forward secrecy" while maintaining a key exchange algorithm compatible with a conventional RSA-based server certificate. See the .cfg file comments for more info. * SFCB_LABELPROCS Perhaps the most fun new feature is SFCB_LABELPROCS. This will label each SFCB process by adding some identifying information to the cmdline so that it appears in 'ps' output. This provides an easy way to identify each running SFCB process without having to rely on the "sfcb-ps.sh" or "sfcbproc" utilities. This really enhances visibility and is a great troubleshooting tool. Further, when using the ps command's -T or H options, you can see a labeled view with thread-level granularity, which is something you can't really do with "sfcb-ps.sh" or "sfcbproc". (Individual threads are not labeled per se; that is, each thread of a process has the same label. But you can easily see which threads belong to which process, and you can see the individual thread ids for each.) For example, before starting sfcb: $ export SFCB_LABELPROCS=100 Get a view of running sfcb processes: $ watch 'ps -efT H | grep sfcb[d]' Thanks to all who contributed to this release, especially Chris who fixed up the SFCC issues and Klaus Kampf who made a big contribution to LABELPROCS. New features for 1.4.8 For new features: There is new config property * enableSslCipherServerPref which allows a fine adjustment in the selection of cipher suite on the connection, by enforcing the server's order of preference instead of the client's (as is the case by default). In general, the selection of cipher suite is determined by the openssl library based on the "cipher list" provided to the client and the server. SFCB's cipher list is set using the "sslCiphers" config property. Remember, you can use the openssl "s_client" tool to check the actual cipher used on the connection, for a given configuration at client and server. See the .cfg file comments for more info. There a a couple of new properties to control the behavior of the indication sender: * indicationCurlUseExpect100 and * indicationCurlHonorRedirect. This will have little or no impact for most environments but users should be aware we shut off curl's use of the HTTP Expect:100-continue by default. This eliminates a short delay on indication send that is not desirable unless Expect:100-continue behavior is really being used. For those who do rely on this behavior it can be reenabled with indicationCurlUseExpect100. It can be useful in conjunction with HTTP redirect, for example, which can now be enabled via the indicationCurlHonorRedirect property. See https://sourceforge.net/p/sblim/sfcb-tix/101/ for more info. On the aforementioned improvements: SFCB tix #94 is an attempt to reduce the likelihood of shutdown hang due to an inter-thread signal being missed, as can happen if shutdown occurs under particularly gnarly conditions. #95 is a tweak that tends to prevent a (benign but) annoying core dump at the end of shutdown. #89 improves providerDvr's handling and recovery when providers crash, making a req handler less likely to hang. And #96 is an attempt to also not hang a req handler when there is a request outstanding at shutdown, which can in fact hang the whole shutdown. Because these changes reduce but do not entirely eliminate the possibility of a req handler hang, it is determined we ultimately need some sort of configurable req handler timeout. This is under development but will have to wait until the next release! Watch this space for updates: https://sourceforge.net/p/sblim/sfcb-tix/97/. Thanks to Klaus from Novell for goals/assists on all of the new shutdown patches! And thanks to the others who contributed to this release.




