Articles and news

SFTPPlus Release 3.40.0

Tue 13 November 2018 | general release

We are announcing the latest release of SFTPPlus version 3.40.0.

New Features

  • SuSE Enterprise Linux without the Security Module and OS X are now distributed with OpenSSL 1.1.0h, making it possible to use TLS 1.2 and SHA2. [#5030]
  • It is now possible to use variable placeholders when defining the path for the local file event handler. [#5095]
  • You can now define the SSH keys used by the SFTP/SCP file transfer service and by the SFTP location as text values inside the configuration file. Storing SSH keys in external files is still supported. [sftp][scp] [#5096]
  • You can now define the SSL certificate and key pairs used by HTTPS/FTPS and the local manager services as text values inside the configuration file. [ftps][https] [#5097]
  • You can now hide the SFTPPlus session authentication method from the www-authenticate header. This can be used as a workaround for an authentication issue when using SFTPPlus with older HTTP clients, which don't recognize multiple www-authenticate headers. [server-side][http][https] [#5099]
  • It is now possible to make the files of an account available over HTTP as a public file transfer site. No username or password is required to access and manage those files. [server-side][http][https] [#5100]
  • It is now possible to filter event handlers based on the source IP address. [#5120]

Defect Fixes

  • When an SFTP transfer (upload or download) is interrupted, a dedicated event is emitted. In previous versions, no event was emitted to signal the transfer failure. [server-side][sftp] [#5027-1]
  • When an SCP transfer (upload or download) is interrupted, the emitted events now clearly signal the transfer failure. In previous versions, the same events as for a successful transfer were emitted. [server-side][scp] [#5027]
  • SFTPPlus no longer uses the MIME type database provided by the operating system. In older operating systems like SuSE 11, the MIME type for JavaScript files was defined as text/x-js, which caused failures in modern versions of Chrome and Firefox. SFTPPlus now defines the MIME type as application/javascript on any operating system. [local-manager] [#5075]
  • The speed for listing the folder content using the FTP/FTPS or HTTP/HTTPS file transfer services was improved. The improvement is observed especially on Windows, and when listing folders hosted by a remote Windows or NFS share. [server-side][ftp][http] [#5083]
  • The SCP server will now use the correct name to write a file when the client is requesting an upload without providing the base path. In previous versions, a file named '-t' was created instead. [server-side][scp] [#5094]

Deprecations and Removals

  • Event with ID 20107 was removed and replaced with the event with ID 20158. [#5095]
  • Events with ID 30013, 30048, 30052 were removed and replaced with the generic event ID 20077. Event with ID 30075 was removed and replaced with the generic event with ID 20158. [server-side][sftp][scp] [#5096]
  • Loading of SSL/X.509 certificates and keys from .DER files was removed. You should convert your certificates and keys to PEM format. PEM format is the only format supported by SFTPPlus. DER support was removed, as not all of its features were supported. For example, loading the certificate chain or using multiple certificate authorities was only supported for the PEM format. [ftps][https] [#5097-1]
  • Loading the certificate authority configuration from a directory containing multiple files is no longer supported. You can still use multiple certificate authorities for the same configuration by storing all the CA certificates in the same file. [https][ftps] [#5097]

You can check the full release notes here.

• • •

SFTPPlus Release 3.39.0

Fri 05 October 2018 | release security

We are announcing the latest release of SFTPPlus version 3.39.0.

Customers using the SCP protocol are urged to upgrade to this version. Any previous version contains a security issue when overwriting files over SCP.

New Features

  • In the event handler configuration, it is now possible to filter the events based on their groups. [#2483]
  • When the remote FTP/FTPS server supports the MLST command, SFTPPlus will use it to determine the existence of remote paths. [client-side][ftp][ftps] [#3885]
  • The events emitted at the start or at the end of a client-side file transfer now contain the size of the file, duration and transfer speed. [client-side] [#5067]

Defect Fixes

  • When overwriting files using the SCP file transfer, the content of the existing file is completely erased. In previous versions, when overwriting an existing file with a new file which was smaller in size, the resulting file would still have the file size of the previous file, with the extra data kept from the previous file. [security][server-side][scp] [#5087]
  • When using execute_on_destination_before in a transfer for which the destination location is stopped, the transfer will automatically start the location. In previous versions, the transfer would failed as the location was stopped, requiring a manual start of the location. [client-side] [#3511]
  • When checking the existence of a remote FTP file, the operation now fails when the server returns an error other than 'Path not found'. In previous versions, the error was ignored and the path was considered as non-existing. [client-side][ftp][ftps] [#3576]
  • FTP/FTPS client operation can now successfully detect the absence of a file on a remote server. [client-side][ftp][ftps] [#3885]
  • You can now disable the timeout for the FTP data connection by setting its value to 0. In previous versions, when set to 0, the connection was disconnected right away due to the timeout. [server-side][ftp][ftps] [#5049]
  • When changing the extra_data configuration for the HTTP event handler, the Local Manager UI now shows that a restart is required for the event handler. [#5079]
  • You can now change from the Local Manager the list of SSH ciphers available to the SFTP and SCP file transfer services. This was a regression introduced in 3.37.0. [server-side][sftp][scp] [#5085]

Deprecations and Removals

  • When a FTP server-side operation fails due to a permission error, the error code is now 553. In previous versions, it was 550, which was the same error code for Path not found or the generic error code for other error cases. [server-side][ftp] [#3576]

You can check the full release notes here.

• • •

SFTPPlus Release 3.38.0

Fri 21 September 2018 | general release

We are pleased to announce the latest release of SFTPPlus version 3.38.0.

New Features

  • When the remote FTP/FTPS server supports the MLST command, SFTPPlus will use it to determine the existence of remote paths. [client-side][ftp][ftps] [#3885]
  • For a transfer, it is now possible to execute on destination commands which will include the source and destination path and file name. [client-side] [#4522]
  • New permissions allow-create-folder, allow-delete-folder, allow-delete-file, and allow-set-attributes were added to help defining a stricter configuration. [server-side] [#4955-1]
  • A new permission, deny-full-control was added to deny any action to the configured path. [server-side] [#4955]
  • You can now add custom values to the JSON payload sent by the HTTP event handler. This allows sending SFTPPlus HTTP events to existing webhooks like Slack or Splunk. [api] [#5068]

Defect Fixes

  • FTP/FTPS client operation can now successfully detect the absence of a file on a remote server. [client-side][ftp][ftps] [#3885]

You can check the full release notes here.

• • •

SFTPPlus Release 3.37.1

Thu 13 September 2018 | security release

We are pleased to announce the latest release of SFTPPlus version 3.37.1.

Defect Fixes

  • The HTTP API authentication for an account now fails when the account is accepted by the remote HTTP API but the associated group is disabled. [server-side][security] [#5058]
  • A defect was fixed in Local Manager which was causing the Local Manager to fail on Internet Explorer 11. [#5061]

Deprecations and Removals

  • Event with ID 20060 was removed and replaced by event with ID 20136. [server-side] [#5058]

You can check the full release notes here.

• • •

SFTPPlus Release 3.37.0

Thu 06 September 2018 | general release

We are pleased to announce the latest release of SFTPPlus version 3.37.0.

New Features

  • The HTTP and HTTPS file transfer API now support session based authentication. The Basic Auth login is still supported. [server-side][http][https] [#5009-1]
  • The HTTP and HTTPS file transfer services now have a session based login page. The Basic Auth login is still supported for web clients which don't support cookies. [server-side][http][https] [#5009]
  • LDAP authentication method was extended to allow defining a LDAP filter for LDAP users which are allowed to act as administrators through the Local Manager service. [manager] [#5010-1]
  • You can now define multiple authentication methods for the Local Manager service. [manager] [#5010-2]
  • OS authentication method was extended to allow defining a list of Operating System account groups which are allowed to act as administrators through the Local Manager service. [manager] [#5010]
  • You can now use Local Manager to configure the accounts and groups of the local-file authentication method. [#5041]
  • It is now possible to configure an event handler filter based on excluded usernames or components by using the ! (exclamation mark) to mark a value which needs to be excluded. [server-side][client-side] [#5043]
  • The MDTM FTP command now shows microseconds when displaying time. [server-side][ftp][ftps] [#93-1]
  • The FTP/FTPS server now supports MLST and MLSD commands (Listings for Machine Processing) as specified in RFC 3659. [server-side][ftp][ftps] [#93]

Defect Fixes

  • The authentication process now fails when an authentication is configured but not running. In previous versions, the stopped authentication method was skipped, and the authentication process continued with the next configured method. [security] [#5010]
  • When sending files to an FTP or FTPS destination location, transfers will no longer saturate the network, instead they will follow the TCP congestion signaling. In previous versions this issue was causing excessive memory usage and transfer failures over low bandwidth networks. [client-side][ftp][ftps] [#5033]
  • Comma-separated values in Local Manager can now be configured using a simple free-text input box. This allows editing existing values and makes it easier to reorder them. [management] [#5043]

Deprecations and Removals

  • HTTP file transfer service API now uses cookie-based authentication by default. In previous versions the default authentication method was HTTP Basic authentication, which remains an available method. [server-side][http][https][#5009-1]
  • The HTTP file transfer service API now uses JSON as the default content type for responses. In previous versions you would have to explicitly ask for JSON. Now, you need to explicitly ask for HTML. [server-side][http][https] [#5009]
  • Events with ID 20005 and 50008 were removed and replaced with event 20136. Events with ID 20135 and 20138 were removed and replaced with event 20142. [#5010-1]
  • Event with ID 50009 was removed, as OS administrators now use the OS authentication method. [#5010-2]
  • With the introduction of multiple authentication methods for the Local Manager service, you will now need to explicitly define the [server] manager_authentications configuration option. If manager_authentications is not defined (or left empty), SFTPPlus will fall back to the first defined Application authentication method. [#5010-3]
  • The include_os_group configuration options for roles was removed. Now you can explicitly define an OS authentication method for the Local Manager server. include_os_group was replaced by the manager_allowed_groups configuration option for the OS authentication method. [server-side] [#5010]

You can check the full release notes here.

• • •