Web Services changes
There are changes in support of web services in Genero 3.21.
Security note: OpenSSL 3.0 LTS support
Starting with FGLGWS 3.10.23, 3.21.01, 4.01.05 and 5.00.00, OpenSSL 3.0 LTS is required for encryption and security.
Because OpenSSL 1.1.1 goes EOL in September 2023, it is now mandatory to use OpenSSL 3.0 LTS to get the latest security fixes.
When you install an FGLGWS package, OpenSSL 3.0 libraries are provided in FGLDIR if no OpenSSL 3.0 exists on the system.
Starting with OpenSSL 3.0, the SHA-1 digest algorithm is no longer supported by default. The OpenSSL 3.0 libraries provided in FGLDIR still have the SHA-1 digest activated by default. To enable SHA-1 with the system OpenSSL 3.0 libraries, use a command such as update-crypto-policies --set DEFAULT:SHA1. However, the SHA-1 digest algorithm is no longer recommended, because it is increasingly vulnerable as computers become more and more powerful. If you are using SHA-1 with GWS crypto APIs, consider moving to SHA-256 or to a stronger secure hash algorithm.
See GWS Security for more details about security and encryption with GWS.
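A migration aid for the SHA-1 note above, added here as an example and not taken from the Genero documentation or product code: it scans source text for SHA-1 algorithm identifiers and suggests SHA-256 replacements. The W3C XML-Signature algorithm URIs are standard; the quoted-literal pattern, the file name and the BDL-style sample lines (including the make_digest call) are constructed assumptions.

```python
import re

# Standard W3C XML-Signature algorithm URIs built on SHA-1, mapped to
# their standard SHA-256 counterparts.
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1":
        "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1":
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1":
        "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
}
URI_RE = re.compile(
    "(?:" + "|".join(re.escape(u) for u in SHA1_URIS) + r")(?![\w-])", re.I)
# Assumption: SHA-1 may also be named in a quoted literal such as "SHA1".
NAME_RE = re.compile(r"""["']((?:HMAC-?)?SHA-?1)["']""", re.I)


def scan_source(name, text):
    """Return (file, line, SHA-1 identifier, suggested replacement) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for uri in URI_RE.findall(line):
            findings.append((name, lineno, uri, SHA1_URIS[uri.lower()]))
        for literal in NAME_RE.findall(line):
            findings.append((name, lineno, literal, "SHA-256 or stronger"))
    return findings


# Constructed sample input; make_digest is a hypothetical helper name.
SAMPLE = '''\
LET dgst = make_digest("SHA1", payload)
LET sig_method = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
LET dig_method = "http://www.w3.org/2001/04/xmlenc#sha256"
'''

if __name__ == "__main__":
    for path, lineno, found, suggestion in scan_source("sample.4gl", SAMPLE):
        print(f"{path}:{lineno}: {found} -> {suggestion}")
```

Run it over your own sources by reading each file and passing its text to scan_source; every reported line is a candidate for the SHA-256 move recommended above.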
New security.global.options entry in FGLPROFILE to allow legacy OpenSSL 1 options
Starting from FGLGWS 3.21.02, 4.01.06, and 5.00.00, it is now mandatory to use OpenSSL 3.0 LTS to get the latest security fixes. This change is due to OpenSSL 1.1.1 going EOL in September 2023.
To ease your migration from OpenSSL 1 to OpenSSL 3, the FGLPROFILE option security.global.options can be used to set OpenSSL 1 options to connect to a legacy server.
For details, go to Security Configuration FGLPROFILE entries.
New fglwsdl option -SSLOptions to support legacy OpenSSL 1 options
Starting from FGLGWS 3.21.02, 4.01.06, and 5.00.00, it is now mandatory to use OpenSSL 3.0 LTS to get the latest security fixes. This change is due to OpenSSL 1.1.1 going EOL in September 2023.
The fglwsdl tool supports an option (-SSLOptions) to set OpenSSL 1 options when connecting to a legacy server.
For more details, see fglwsdl.
Change to OAuthAPI.GetIDSubject return type
Starting from FGLGWS 3.21.02 and 4.01.06, the OAuthAPI.GetIDSubject function returns the subject identifier of an ID token in a string instead of an integer.
If you have previously used the function, review your code and ensure that the variable that receives the return value is of type STRING.
For details, go to OAuthAPI.GetIDSubject.
Changes in earlier versions
Make sure to check the upgrade notes of earlier versions, to not miss changes introduced in maintenance releases. For more details, see Web services changes in BDL 3.20.
- Support for validating file names in WSAttachments. The high-level REST WSAttachment attribute has an option to verify file names in received files using a regular expression pattern, also available in FGLGWS 4.01.00.
- Changes to default IP version used by a GWS client. The default IP version is now IPv4, also available in FGLGWS 4.01.00.
- fglwsdl -xmlname option added to generate variables named with XMLName, also available in FGLGWS 4.01.00.
- Dynamic loading of zlib library for data compression, also available in FGLGWS 4.01.03.