Uniface 10.4.01: Updates for Security and Performance

In this release, the OpenSSL and the CURL libraries have been updated to enable Uniface to use the most recent security updates for network connections.

This affects the following Uniface functionality:

  • UHTTP and UPOPMAIL component APIs used for HTTP and email integration.
  • WSDL and SOAP connectors used for web services.
  • LDAP connector.
  • TLS network connections.

Some changes affect current behavior, so if your application relies on this behavior, you will need to adapt it manually.

Changes to Current Behavior

  • UHTTP."SEND" operation

    The SEND operation no longer sends body content for the HTTP request methods GET, HEAD, DELETE, TRACE, and LINK. If your application relies on these request bodies being sent, you should either use the proper type of HTTP request for the situation, or deprecate the dependency on this request body. For more information, see SEND.

  • Pre-shared key for TLS connections

    In the previous version of Uniface, the default cipher for a pre-shared key was PSK-AES256-CBC-SHA. However, it is recommended that you use the most secure cipher that both endpoints can handle in their handshake. In most cases, you can leave it up to the system to determine the cipher to use.

    For older servers that cannot be upgraded to support new ciphers, you can downgrade the cipher by setting the cipher_list TLS connector option in the assignment file. For more information, see Pre-Shared Key Authentication and cipher_list.
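One way to review a cipher string before setting it as cipher_list, shown as an added example that is not Uniface or OpenSSL code. It assumes the value uses the OpenSSL cipher-list format with explicit suite names; the WEAK table and the sample string are constructed for illustration.

```python
import re

# Name fragments that mark a suite as broken. This table is an assumption of the
# example (a common hardening baseline), not a list published by Uniface or OpenSSL.
WEAK = {
    "NULL": "no encryption", "ENULL": "no encryption",
    "ANULL": "no authentication", "ADH": "no authentication",
    "AECDH": "no authentication",
    "EXP": "export-grade keys", "EXPORT": "export-grade keys",
    "LOW": "low-strength group",
    "RC2": "RC2", "RC4": "RC4",
    "DES": "DES/3DES", "3DES": "DES/3DES", "CBC3": "DES/3DES",
    "MD5": "MD5 MAC",
}
AEAD = {"GCM", "CCM", "CCM8", "CHACHA20", "POLY1305"}


def classify(entry):
    """Return (verdict, reasons) for one suite name or group keyword."""
    tokens = re.split(r"[-_]", entry.upper())
    reasons = sorted({WEAK[t] for t in tokens if t in WEAK})
    if reasons:
        return "weak", reasons
    if len(tokens) == 1:
        # HIGH, DEFAULT, @SECLEVEL=...: cannot be judged from the name alone.
        return "keyword", ["expand with `openssl ciphers -v` to see what it selects"]
    if AEAD & set(tokens):
        return "ok", []
    return "legacy", ["non-AEAD suite (typically CBC with an HMAC)"]


def audit_cipher_list(value):
    """Audit an OpenSSL-format cipher string; '!' and '-' entries are exclusions."""
    report = []
    for entry in re.split(r"[:, ]+", value.strip()):
        if not entry or entry[0] in "!-":
            continue  # excluded suites are never offered, so skip them
        name = entry.lstrip("+")
        report.append((name, *classify(name)))
    return report


if __name__ == "__main__":
    # Constructed sample value; the first entry is the previous Uniface PSK default.
    sample = "PSK-AES256-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:RC4-MD5:!aNULL:HIGH"
    for name, verdict, reasons in audit_cipher_list(sample):
        print(f"{verdict:8} {name:32} {'; '.join(reasons)}")
```

Entries reported as "keyword" select whatever the local OpenSSL build maps them to, so their effect depends on the build, including one with weak ciphers enabled.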

Enabled Legacy Features

Uniface follows industry standards and best practices for security. However, to minimize the impact of this upgrade, some legacy features have been temporarily enabled. These less secure features will be deprecated in upcoming releases, so it is recommended that you prepare for this and upgrade your security well in advance.

  • OpenSSL has been built with weak ciphers and SSL v2 has been enabled to allow their continued use in Uniface applications.

    We encourage you to configure your servers to use modern and secure ciphers. For best practices, refer to, for example, Recommendations for TLS/SSL Cipher Hardening.

  • CURL and OpenSSL have been configured to allow self-signed certificates.

    From a security standpoint, self-signed certificates are strongly discouraged. Instead, you are encouraged to use keys and certificates signed by recognized certification authorities. For development purposes, you should opt to configure a CA locally. For more information, see Create a Self-Signed Certificate.

  • A Uniface-specific version of the CURL library is provided to prevent HTTP response codes 400 and 500 from being treated as errors.

    The SOAP protocol relies on headers in HTTP responses with codes 400 and up. Some customers use the HTTP response status codes 400 and 500 to diagnose the server status, but CURL treats these as errors and rejects headers that contain them.

    To maintain backward compatibility, a Uniface-specific version of the CURL library called libucurl has been provided to ensure that HTTP responses with codes 400 and 500 are not treated as errors.

    For technical details, refer to https://curl.se/libcurl/c/CURLOPT_FAILONERROR.html.