Reflection for Secure IT Windows Client 7.2 Service Pack 3: Fixes, Features, and File Download

  • 7021991
  • 31-Mar-2011
  • 02-Mar-2018

Environment

Reflection for Secure IT Windows Client version 7.2

Situation

Reflection for Secure IT Windows Client 7.2 Service Pack 3 (SP3) is available for maintained customers who have version 7.2 installed and to customers who have downloaded and installed the version 7.2 evaluation package. This technical note provides information about how to obtain your service pack and a list of features and fixes included in the service pack. Service Pack 3 is cumulative and also applies the features and fixes listed below for earlier service packs. This note also includes a list of features and fixes in Reflection FTP Client 14.1, which ships with Reflection for Secure IT Windows Client.

  • For Reflection for Secure IT Windows Client 7.2 SP3 Update 1 release notes, see KB 7021992.
  • For a list of features originally included Reflection for Secure IT 7.2, see KB 7021989.
  • For important information regarding security updates and Reflection for Secure IT, see https://support.microfocus.com/security/.

This technical note includes the following sections:

Resolution

Obtaining the Service Pack

Maintained customers are eligible to download the latest product releases from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/. For information about logging into and using the Download Library, see KB 7021965.

Supported Platforms

For information about platform support in Reflection for Secure IT, see KB 7022010.

New Features and What’s Fixed in Reflection for Secure IT Windows Client 7.2 SP3

New Features

  • Secure Shell connections now support SHA256. Support for this newer, more secure algorithm is configured by default. You can view and edit settings in the Encryption tab of the Reflection Secure Shell Settings dialog box or modify settings using config file keywords. The updates made for this support include changes to:
    • Hashed message authentication codes (HMAC)

Encryption tab: When "SHA256" and "SHA512" are selected, the client now sends additional values during the key exchange to support newer OpenSSH servers.

New Macs keyword values: hmac-sha2-256, hmac-sha2-512

    • Signature algorithms

Encryption tab: The RSA signature list now includes "SHA256."

New x509rsasigtype keyword value: sha256

    • Key exchange algorithms

Encryption tab: The Key Exchange Algorithms list now includes "DH Group Ex SHA 256."

New HostKeyAlgorithms keyword values: x509v3-rsa2048-sha256, ssh-rsa-sha2-256@attachmate.com

  • The scp command line utility supports a new switch (-z) for downloading files from Windows servers. By default filename matches are case-sensitive for all downloads. When you use the -z option, downloads that include wildcards in the server filename specification are not case-sensitive.
  • The Reflection Key Agent menu includes a new option, "Use Only SHA1 Signatures." When this option is enabled (the default), the agent uses only SHA1 Signatures. To enable support for SHA256 signatures, uncheck this menu option. Note: Agent forwarding to some servers may not be supported when this option is unchecked because of the length of the reply to the server list request.
  • Starting with Service Pack 3, you must explicitly set the RSA signature type to MD5 to connect to older servers that don't support SHA1. Previously the client automatically changed the signature type from SHA1 to MD5 when connecting to version 2.1 to 2.4 (inclusive) servers. Because MD5 is now considered insecure, the client no longer makes this change automatically. This update may cause a connection failure if your current signature setting is SHA1 (the default). To connect to servers that don't support SHA1, use the Encryption tab of the Secure Shell Settings dialog box to change the RSA signature type to MD5.

Resolved Issues

  • The public key upload utility now correctly handles key uploads to both ODS-2 and ODS-5 Disk Structures on OpenVMS servers.
  • This service pack resolves an issue that caused certificate validation to fail intermittently with certificates configured to use OCSP without using NextUpdate.
  • This release includes a fix for a potential OpenSSL ASN1 BIO denial of service vulnerability reported in CVE-2012-2110. See https://support.microfocus.com/security/ for details.

New Features and What’s Fixed in Reflection FTP Client 14.1 SP3

New Features

  • The file owner is now included in the Server pane display when you configure a detailed display (View > Server Pane(s) > Details).
  • The FTP Client now supports a new server type to support NonStop connections. In the Site Properties dialog box, for Server Type, select "NonStop (Guardian API)."
  • SSL/TLS connections now support TLS version 1.2.

Resolved Issues

  • Improved transfer speed for large files.
  • File names containing a semicolon are no longer truncated after a drag-and-drop download.
  • The FTP Client no longer closes unexpectedly during some file downloads when "Use structured listing data" is enabled on the Secure Shell tab of the Security Properties dialog box.

New Features and What’s Fixed in Reflection for Secure IT Windows Client 7.2 SP2

New Feature

  • Reflection Secure Shell now supports SHA256 digital signatures. You can configure this setting from the Encryption tab of the Reflection Secure Shell Settings dialog box, or by setting the x509rsasigtype keyword to sha256.

Resolved Issues

  • Reflection Key Agent Manager no longer closes with an application error when you import a certificate from the Windows certificate store (File > Import Certificate from System Store).
  • Secure Shell connections no longer fail because Reflection could not create a .pki folder in the My Documents folder when it has been redirected to a network share. This folder is now created correctly.
  • Agent forwarding now works correctly when authentication uses the public key from a smart card.
  • The ssh -t switch now allows ssh to be used interactively.

New Features and What’s Fixed in Reflection FTP Client 14.1 SP2

The Secure Shell updates described for the Reflection for Secure IT Windows Client also apply to FTP Client sessions that are configured to use Reflection Secure Shell (the default). The following additional FTP Client updates are provided in this service pack.

New Features

  • The Site Properties information tab now includes SSL and SSH security information when you are connected to a host using either of those protocols.

Resolved Issues

  • Connections made through the Reflection for the Web security proxy will now reliably open the data channel.
  • The FTP Client no longer closes with an application error when you have installed software that creates a custom right-click context menu. This problem was seen when the Workshare Compare component of Workshare Professional is installed on the user computer.
  • Site names with Japanese characters are now saved correctly in the FTP Client settings file, and are displayed correctly in the Connect to FTP Site dialog box.
  • The LastError property of the FTP Client API is now set appropriately when a transfer is interrupted by a network failure.
  • Security fix for CVE-2011-4576: SSL 3.0 block cipher padding initialization vulnerability. For additional information, see https://support.microfocus.com/security/, "Security Updates and Reflection."
  • Security fix for a heap overflow vulnerability in the FTP Client. For additional information, see https://support.microfocus.com/security/, "Security Updates and Reflection."

New Features and What’s Fixed in Reflection for Secure IT Windows Client 7.2 SP1

New Features

  • SFTP transfers now support SFTP version 4. This change provides UTF-8 character support. A new keyword, SftpVersion, is available to configure which version is used. Valid values are 3 and 4. When this setting is 4 (the default), the connection uses SFTP version 4 if the server supports it, and drops to version 3 if the server doesn’t support version 4. If this setting is 3, the client always uses SFTP version 3.
  • You can now configure the client to automatically add keys used for authentication to the Key Agent. To configure this in the Secure Shell settings dialog box, open the User Keys tab and select "Add key used for authenticating to host to key agent." To configure this in the config or ssh_config file, set AddAuthKeyToAgent=yes.
  • You can now configure the client to attempt public key authentication using all available keys, regardless of whether the Use checkbox is selected on the User Keys tab. To configure this in the Secure Shell settings dialog box, open the User Keys tab and select "Use all keys for authenticating to the host." To configure this in the config or ssh_config file, set AuthUseAllKeys=yes.

Resolved Issues

  • The registry key UseSshConfigSchemes now works correctly with the ssh2, scp2, and sftp2 command line utilities running on Windows 2008 R2.
  • Using the New Session option when you are connected to a host (Connection > Connect > New Session) now works as expected.
  • Executing an sftp -l file-name command now returns an error as expected if the filename includes a hyphen (-) and the specified file doesn’t exist.
  • The scp command now executes as expected when the command includes two filenames that include an absolute path.
  • The scp command now correctly handles transfers in which more than four files are specified on a single scp command line.
  • You can now run an sftp batch file using the Task Scheduler on Windows Server 2008 and Windows Server 2003.
  • The sftp get command now handles wildcard characters correctly when logged into a chrooted environment.
  • When an scp copy to the server is interrupted by a server reboot, the error returned is now 7. Previously the client received a message saying, "an existing connection was forcibly closed by the remote host, Connection closed to xxxx error: Send message failed," however, the return code was zero.
  • The Reflection for Secure IT client no longer prompts to save changes on exit when a site default settings file is used and no changes have been made.
  • Smart card authentication no longer fails after about 30-50 repeated connections.
  • The terminal window display is now resized correctly when the Reflection for Secure IT Windows client is maximized.
  • Entries in the ssh config and ssh_config file are now consistently case-sensitive.
  • When Reflection is configured for PKCS #11, it now automatically detects ActivIdentity client DLLs that are installed to the default Program Files folder as well as older DLLs that are installed in Windows\System32.
  • Connections to servers using the SSH1 protocol now work as expected.

New Features and What’s Fixed in Reflection FTP Client 14.1 SP1

The Secure Shell updates described above also apply to FTP Client sessions that are configured to use Reflection Secure Shell (the default). The following additional FTP Client updates are provided in this service pack.

New Features

  • SFTP transfers now support SFTP version 4. This change provides UTF-8 character support. A new keyword, SftpVersion, is available to configure which version is used. Valid values are 3 and 4. When this setting is 4 (the default), the connection uses SFTP version 4 if the server supports it, and drops to version 3 if the server doesn’t support version 4. If this setting is 3, the client always uses SFTP version 3.
  • You can now configure default permissions for directories created by the client. To configure a global default, use Tools > Options > Directory Attributes > Set default directory attributes on creation. To confirm or change attributes before a new directory is created, open the site Properties dialog box and use Directories > Show attributes before creating the directory.
  • The FTP Client now supports connections to Sterling Connect servers. To configure connections to these servers, open the site Properties dialog box and set "Server type" to "Auto detect" the default) or "Sterling Connect."
  • The FTP Client API includes a new SSHConfigDir property for specifying the folder used for storing the Secure Shell config file, known host keys, and user keys. This property is only relevant when UseSSH is True.
  • You can now specify which certificate to use for client authentication in SSL/TLS connections. To configure this, open the Security Properties dialog box, enable "Use SSL/TLS security," and click Configure PKI. Under Client Authentication, select "Use selected certificate for authentication," then click Select.

Resolved Issues

  • The client now consistently saves passwords when "Save my password as obfuscated text" is enabled.
  • Large SFTP file downloads that are interrupted by a network failure no longer cause the client to shut down with an rftpc.exe Application Error.

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2554.