VMware

vFabric Web Server 5.1 Release Notes

vFabric Web Server 5.1.1 | 17 JUL 2012
vFabric Web Server 5.1.0 | 22 MAY 2012

Last Document Update: 17 JUL 2012

What's in the Release Notes

The release notes cover the following topics:

What's New in vFabric Web Server 5.1.1

This VMware® vFabric™ Web Server release includes the following changes and enhancements:

  • Updated component and module versions: vFabric Web Server updates the versions of the following components and modules:
    • mod_jk: 1.2.37
    • ASF Tomcat libtcnative connector: 1.1.24
    • mod_fcgid: 2.3.7
    • mod_bmx: 0.9.4
    • OpenSSL: 1.0.1c
  • Validated OpenSSL/FIPS 2.0 module: vFabric Web Server re-introduces the OpenSSL/FIPS 2.0 module which can be enabled with the global directive SSLFIPS On. Note that, because certain ciphers are prohibited or eliminated in that operating mode, it may introduce incompatibilities with legacy loaded modules or in-process applications. vFabric Web Server only meets the validation criteria when deployed in accordance with the OpenSSL/FIPS 2.0 Security Policy.
  • Updates to Solaris package: Solaris 32-bit packages no longer have an incorrect dependency on libnet.so and packages on Solaris Intel now work with older CPU's supporting the SSE2 instruction set.
  • New --mpm option of newserver script: When using the newserver script to create a new vFabric Web Server instance, the worker MPM is installed by default on all Unix-like packages, without prompting the user. Use the new --mpm=prefork option to specify the old behavior or --mpm=event to specify the asynchronous connection/keepalive MPM. See newserver Prompts and Command Reference for details.
  • Updates to mod_ssl: The mod_ssl SSLProtocol directive can now be used to independently enable or disable any of the supported protocols: SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2.

These changes are in addition to those in Web Server 5.1.0.

What's New in vFabric Web Server 5.1.0

This vFabric Web Server release includes the following changes and enhancements:

  • Integration with the vFabric License Server 1.1.0: The License Server will now track the number of times that vFabric Web Server is installed on one or more VMs. You can then monitor the license usage using command-line tools and the Web user interface. See vFabric Licensing for general information about vFabric licensing.
  • Standalone offering: vFabric Web Server is now offered as a standalone product in addition to being offered as part of vFabric Suite.
  • mod_bmx module: vFabric Web Server instances are automatically configured with the mod_bmx module so that monitoring applications, such as Hyperic, can gather status and metric information about the instance. See Configure BMX for Monitoring vFabric Web Server Instances.
  • Updated Apache HTTPD binaries and modules: vFabric Web Server 5.1 includes version 2.2.22 of the core Apache HTTPD binaries as well as other updated components, such as OpenSSL 1.0.1 (which includes TLS 1.1/1.2), Expat 1.2.0 and PCRE 8.30. See Complete Packages and Modules in vFabric Web Server 5.1.
  • Additional documentation: The vFabric Web Server documentation includes new sections, in particular:
  • newserver Script Change: The newserver script no longer prompts to use the worker MPM. If you want any behavior other than multiple threads on Unix, you must modify the INSTANCE-DIR/conf/startup.properties file manually.
  • Separate distribution files: The vFabric Web Server distribution has been split into two separate packages to simplify the installation and deployment to the data center. The two packages are as follows:
    • vfabric-web-server: Base package sufficient for all production environments.
    • vfabric-web-server-devel: Supplemental package that developers can use to compile and link httpd modules with the same headers and library dependencies as httpd itself using the httpd-2.2/bin/apxs tool.

    See Installing vFabric Web Server for details.

Known and Fixed Issues

The following issues have been identified in this release of vFabric Web Server. Where possible, a workaround is also provided.

The table indicates the version in which the problem was found and, where applicable, the version in which it was fixed. If the Fixed In column is blank, it means the problem still exists in the latest version of vFabric Web Server.

Issue Number Description Found In Fixed In
VWS-17 The Microsoft Windows package and self-extraction mechanism do not provide a capability to store and unpack the vfabric-web-server/httpd-2.2 symbolic link.

Workaround: Create the symbolic link yourself. See Windows: Install vFabric Web Server from a ZIP File for details.		 5.0.0
VWS-69

(Tracks CVE-2012-2333)		 A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and DTLS can be exploited in a denial of service attack on both clients and servers.

Users running vFabric Web Server 5.0.2 are not affected.

See OpenSSL Security Advisory.		 5.1.0 5.1.1
VWS-72 The OpenSSL FIPS 2.0 module included in vFabric Web Server 5.1.0 has not yet received its FIPS validation.

Update for 5.1.1: vFabric Web Server 5.1.1 supports FIPS on all platforms with the exception of Windows and Linux PPC 64. If you require FIPS on those platforms, VMware recommends you continue using vFabric Web Server 5.0.2.		 5.1.0 5.1.1

(See the note in the issue description about two exceptions to the fix.)
VWS-119 vFabric Web Server does not function correctly if you install it in a directory path that contains space characters, if you create a Web Server instance in a path that contains spaces, or if you specify an instance name that contains spaces. 5.0.0 5.1.0
VWS-136 TLS v1.1 and v1.2 (features of OpenSSL 1.0.1) cannot be individually disabled. 5.1.0 5.1.1
VWS-137 On Windows, vFabric Web Server does not function correctly if you install it in a directory path that contains non-ASCII characters, if you create a Web Server instance in a path that contains non-ASCII characters, or if you specify an instance name that contains non-ASCII characters. 5.0.0 5.1.1
VWS-171 On Unix platforms other than Linux, such as Solaris, the vfhttpd user and group account must be an unprivileged, normal user for accessing the server worker processes to access the content. Because listening ports, error logs and secured credentials such as the SSL key files are accessed during startup as root, the account needs the minimal access to open those files to be served by the worker runtime process after startup.

Workaround: Create the vfhttpd user and group as an unprivileged, normal user, then invoke the newserver tool.		 5.1.0
VFP-470 In certain circumstances (described below), the vFabric License Client that is integrated in a vFabric Web Server instance fails to release its vFabric Suite license on shutdown of the Web Server instance. After about 4 hours, the vFabric License Server detects that the Web Server instance has stopped and will release the license.

This issues applies only to vFabric Web Server instances that use a vFabric Suite license (i.e. not local licensing) and are configured with the default_mpm="prefork" option. The 5.1 version of the newserver script does not give you the option to set this flag, although in 5.0 it did.

Workaround: Edit the INSTANCE-DIR/conf/startup.properties file and change the value of the default_mpm variable to worker.		 5.1.0