Changes in 1.2 ================ - [FEATURE #1] UserAPI redone. Instead of the "id" as a common argument we now use meaningful names, like idp, profile, device etc. To get the new behaviour you need to set api_version argument to 2. - [FEATURE #2] added createTemporaryDirectory to the Helper to avoind using the came code in several places - [FEATURE #3] configuration tests rebuilt and extended - [FEATURE #4] realm checks are saved in DB and results shown on federation overview page - [FEATURE #5] federation customisation: name, logo, custom invitation texts and more - [FEATURE #6] deprecated NSISArray has been replaced with nsArry - [FEATURE #7] Support for UTF-8 installer has been added (this requires nsis v3) Configuration parameter changes ------------------------------- Changes in 1.1.3 ================ - [BUGFIX #1] session was not set (we depended on simpleSAMLphp which was wrong) Changes in 1.1.2 ================ - [BUGFIX #1] in radiust_tests translation of sme messages was not activated and they appeared in English - [BUGFIX #2] in Windows installers the profile name was not sent trough code page conversion (reported by Daniele Albrizio) - [BUGFIX #3] fix regression: federation operators see their national stats again - [BUGFIX #4] In UserAPI generateInstaller returned a link to the actual file location and not the proper API call - [BUGFIX #5] Move installer cache away from the web tree - [BUGFIX #6] in Linux module fix multiline dispplay of messages in terminal mode, the installer can be run with sh, better bash location - [BUGFIX #7] In Linux installer there was no support for SSID removal - [BUGFIX #8] Fix language changing in realm checks - [BUGFIX #9] Fix RADIUS tests for self-signed server certs - [BUGFIX #10] UDP tests running in parallel could fail due to the same Calling-Station-Id - [BUGFIX #11] Server certificate subject printing failed if multiple CNs were present - [BUGFIX #12] In "live login" RADIUS tests there was a mixup with passed identities - [BUGFIX #13] In RADIUS tests the temporary directory was not deleted - [BUGFIX #14] EAP-PWD implementation renewed and in the same time a problem with loading profiles on 64-bit systems resolved - [BUGFIX #15] fix unathenticated access to installers marked as non-production - [FEATURE #1] "About CAT" now displays a matrix of supported devices and EAP type combinations - [FEATURE #2] RADIUSTests now use the first tab to display overview information from all tests - [FEATURE #3] Linux module now supports Python3 - [FEATURE #4] Linux module verifies server certificates bases on altSubjectName - [FEATURE #5] Linux module asks the user if in case of Network Manager installation failure it should save a wpa_supplicant file Configuration parameter changes ------------------------------- [NEW] Config::$APPEARANCE['support-contact'] replaces Config::$APPEARANCE['admin-mail'] Changes in 1.1.1 ================ - [BUGFIX #1] device-level redirect not working on a selected device - [BUGFIX #2] mobileconfig proxy setting corrected - [BUGFIX #3] in RADIUS tests the contents of results box needs to be cleared the moment that a rerun of tests is called - [BUGFIX #4] in basic.php fix a problem resulting from geolocation failure - [BUGFIX #5] in roll.php - set the translation domain to het translations in - [BUGFIX #6] hide hidden devices in basic.php - [BUGFIX #7] fix language selection problem in admin pages - [BUGFIX #8] fix problem caused by installer generation delays - [BUGFIX #9] in some sutuations the footer was obsuring parts of the text - [BUGFIX #12] make clear that we support Mac OS X 10.7 and above, not 10.6 - [UPDATE #1] in devices.php added the pointer to eduroamCAT on Google play - [UPDATE #2] speed up IdP listing - [UPDATE #3] update of system names in roll.php - [FEATURE #1] in "About", show the hostnames which need to be whitelisted in captive portals for CAT to work. This required two new config parameters, see below. - [FEATURE #2] ArnesLink for TTLS in Windows 7 and Vista modules - [FEATURE #3] added ChromeOS as beta-quality device module - [FEATURE #6] allow configuration of an abuse mail contact. See below. - [FEATURE #7] add separate device module for iOS 5+6 to fix proxy regression Configuration parameter changes ------------------------------- [NEW] Config::$APPEARANCE['webcert_CRLDP'] [NEW] Config::$APPEARANCE['webcert_OCSP'] [NEW] Config::$APPEARANCE['abuse-mail'] Changes in 1.1 ============== - [BUGFIX #1] installer cache problem has been fixed by adding a mime field to the downloads table in the database, hence a schema change - [BUGFIX #2] Linux installer - passwords containing single quote broke fix suggested by Brian Epstein - [BUGFIX #3] Linux installer - added tkip in group protocol to support wpa/wpa2 mixed mode - [BUGFIX #4] Linux installer - the name of local installation directory changed from .eduroam to .cat_installer - [BUGFIX #5] Cleared a potential vulnarability in cat_info (item 9 from the audit) - [BUGFIX #6] Cleared a potential vulnarability in radius_tests.php (item 11 from the audit) - [BUGFIX #7] Cleared a potential vulnarability in cat_js.php (item 13 from the audit) - [BUGFIX #8] Cleared a potential vulnarability in index.php (item 20 from the audit) - [BUGFIX #9] Added server hardening best practices in the Configuration tutorial (closing items D2 and D4 of the audit) - [BUGFIX #10] Input sanitisation in productheader() improved (closes item 7 from the source code audit) - [BUGFIX #11] all other source code audit issues fixed - [BUGFIX #12] removed XP support and Win Vista and 7 support for TTLS due to open licensing questions on a particular third-party helper program - [FEATURE #1] Added a new eap-config device and two instances of Android devices all based on the generic XML device - [FEATURE #2] added verbose copyright and licensing information, see footer Changes in 1.1-beta1 ==================== - [FEATURE #1] added two more certificate checks: CERTPROB_OUTSIDE_VALIDITY_PERIOD CERTPROB_SERVER_CERT_REVOKED the latter can only be checked if a valid CDP is in the server certificate; and only for own realms, not others - [FEATURE #2] use PHPMailer to send emails, in order to land in less spam traps requires new config section Config::$MAILSETTINGS (see below) always sends via Submission (TCP/587) - [FEATURE #3] Invitation mails can be sent to multiple mail addresses, but - only the first consumer of the token gets access - need to specify only raw mail addresses, no real names nor brace notation Configuration parameter changes ------------------------------- [NEW] Config::$MAILSETTINGS['host'] [NEW] Config::$MAILSETTINGS['user'] [NEW] Config::$MAILSETTINGS['pass'] Changes in 1.1-alpha1 ===================== - [BUGFIX #1] fix one profile tag for W8 TTLS-MSCHAPv2 - [BUGFIX #2] certificates did not get installed for W8 TTLS - [BUGFIX #3] temporary directory cleanup did not work - [BUGFIX #4] Fixes to messages displayed by the XP module - [BUGFIX #5] Changed info on profiles to be installed in case there is only one - [BUGFIX #6] Linux module fix - user confirmation function - [BUGFIX #7] Windows TLS modules did not allow users to unset the installation of the PFX file - [BUGFIX #8] Corrected match pattern for Windows 8.1 - [BUGFIX #9] Linux module - incorrect behaviur with some special chracters in passwords - [FEATURE #1] admin interface allows admin to select wired interfaces as target not all installers actually support that yet - [FEATURE #2] Better support for internal EAP and non-EAP methods - [FEATURE #3] Generic XML profile support added - [FEATURE #4] in federation overview, show if your IdPs have a complete config and/or make their installers available for end users on the UI (on first call of overview page after upgrade from 1.0, some conversions take place and the overview takes longer than usual) - [FEATURE #5] visualise with RED letters if admin uploaded a server cert instead of a CA - [FEATURE #6] thoroughness of UDP reachability checks was VASTLY improved. List of error conditions now recognised: CERTPROB_ROOT_INCLUDED CERTPROB_TOO_MANY_SERVER_CERTS CERTPROB_NO_SERVER_CERT CERTPROB_MD5_SIGNATURE_SERVER CERTPROB_MD5_SIGNATURE_INTERMEDIATE CERTPROB_NO_TLS_WEBSERVER_OID CERTPROB_NO_CDP_HTTP CERTPROB_NO_CRL_AT_CDP_URL CERTPROB_TRUST_ROOT_NOT_REACHED CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES CERTPROB_LOW_KEY_LENGTH CERTPROB_SERVER_NAME_MISMATCH CERTPROB_SERVER_NAME_PARTIAL_MATCH CERTPROB_NOT_A_HOSTNAME CERTPROB_WILDCARD_IN_NAME - [FEATURE #7] This feature has been reversed, number is lef for consistency - [FEATURE #8] Mac OS, iOS: support wired ethernet configuration - [FEATURE #9] Simple text inteface to TOU display - [FEATURE #10]A changed approach to JSON transfer schema as an openning for an access API (including TOU pointer) - [FEATURE #11] Logos generated for DiscoJuice are now cached in the filesystem - [FEATURE #12] New layout of the download page - [FEATURE #13] The device id can be passed to the GUI to replace the OS selfdetection - [FEATURE #14] Hotspot 2.0: now generate Mac/iOS profiles with consortium OIs - [FEATURE #15] background image of windows installers now generated dynamically, not hard-wired to the eduroam name and logo any more (file devices/ms/Files/cat_bg.bmp is now obsolete) - [FEATURE #16] Silent installer (proper handling of /S flag). - [FEATURE #17] In case of OS version missmatch Windows installers display a more explicit message - [FEATURE #18] A new design of RADIUS tests - [FEATURE #19] Modification to the users pages layout - mainly footer handling - [FEATURE #20] Installed download no longer handled via direct links to temporary directories - [FEATURE #21] Added isAuthenticated function to auth.in.php - [FEATURE #22] Significant code optimisation for the generic XML module - [FEATURE #23] Added sorting option to listProfiles in UserAPI - [FEATURE #24] Added timestamping support to Windows code signing - [FEATURE #25] QR codes now include the consortium logo (10% symbol obstruction, 25% allowed) - [FEATURE #26] Windows installer - moved the debug log file to the Documents directory - [FEATURE #27] Linux installer - force WPA2/AES - [FEATURE #28] Support for additions messages displayed before download and configurable globally in devices.php, can be used for legacy devices - [FEATURE #29] Support for unsupported devices that can be shown when device-specific redirects are set - [FEATURE #30] Core and Windows support for profile deletion (also including the Consrtium TKIP profile) - [FEATURE #31] MacOS and iOS can't delete SSIDs, but will now instead install the bootstrap SSID as no-auto-connect, effectively disabling it - [FEATURE #32] When creating a new CAT inst from eduroam DB, prefill email field with the names and mails from eduroam DB - [FEATURE #33] Smartphone interface has been completely redesigned - [FEATURE #34] EAP-TLS support for Mac OS X enabled; remains disabled for iOS - [FEATURE #35] Support mode (showing hidden devices) enabled in the GUI - [STRUCTURE #1] web/user/GUI.php renamed to core/UserAPI.php - [STRUCTURE #2] web/user/cat_back.php renamed to web/user/API.php - [STRUCTURE #3] updated PHP requirements to 5.5 - [STRUCTURE #4] SSIDs, wired, delete-bootstrap, consortium-OI are now their own configuration category ("Media") Configuration parameter changes ------------------------------- [NEW] Config::$PATHS['c_rehash'] path to openssl's CA name hashing tool [NEW] Config::$CONSORTIUM['interworking-consortium-oi'] array of sonsortium OIs which should be configured in installers [NEW] Config::$APPEARANCE['colour1'] the "light" main color of the user interface [NEW] Config::$APPEARANCE['colour2'] the "dark" main color of the user interface [OBSOLETE] Config::$PATHS['rad_eap_test'] wo don't need this wrapper any more, using eapol_test directly [OBSOLETE] Config::$PATHS['qrencode'] wo don't need this any more, QRs are generated with a library Schema changes -------------- profile:QR-user is now obsolete (no need for persistent storage of QR code) general:SSID has been renamed to media:SSID general:SSID_with_legacy has been renamed to media:SSID_with_legacy Changes in release 1.0.3 ======================== - [BUGFIX #1] generation_error was causing problems with apostophe - [BUGFIX #2] the basename of the installer file had a trailing dash when the IdP had only one profile - [BUGFIX #3] a fix for EAP-TLS certificate installation for cases when the path contained spaces - [BUGFIX #4] live login tests disregarded Config::$PATHS['rad_eap_test'] and thus failed on servers where rad_eap_test was not in the $PATH - [BUGFIX #5] live login checks failed with passwords which had exotic chars - [BUGFIX #6] move some colour definitions into CSS for easier customisation - [BUGFIX #7] display download totals of all languges, not just a random one - [BUGFIX #8] proper MOTD handling in basic.php - [BUGFIX #9] Windows drivers - there should be no attempt to install credentials when profile installation failed - [BUGFIX #10] signing did not work on some file names - [BUGFIX #11] wpa_supplicant.conf created in case of failure did not set access restrictions - [BUGFIX #12] setEAPCred unpacking was causing long delay in installer startup - [BUGFIX #13] IdP names containing double quotation marks were causing problems - [BUGFIX #14] Fixed redirect button behaviour which could cause unwanted downloads in some rare situations - [FEATURE #1] introduce stricter CA check: EAP types are only marked as complete if at least one *root CA* was uploaded - [FEATURE #2] on profile installation fail - do not delete profiles, leave for manual installation - [FEATURE #3] create an installation script on profile installation failure - [FEATURE #4] Symantec Endpoint Protection is causing profile installation problems this feature uses and fetures #2 and #3 and helps the user to start manual installation on failure - [FEATURE #5] debugging mode in Windows installers Changes in release 1.0.2 ======================== Bugfixes and Features --------------------- - [BUGFIX #1] the "Add new options" button for EAP-specific details and device- specific details now works - [BUGFIX #2] Problem with installer filename generation fixed globally by adding a generic approach common to all device modules - [BUGFIX #3] rad_eap_test can be configured with an explicit path this solves a problem of installations which put this script in non-standard places Changes in release 1.0.1 ======================== Configuration parameter changes ------------------------------- [NEW] Config::$CONSORTIUM['signer_name'] Organisation Name in code signing; see BF#1 defaults to empty, can be omitted [NEW] Config::$CONSORTIUM['deployment-voodoo'] extra code paths for some high-profile deployments, see BF#2 defaults to empty, can be omitted Bugfixes and Features --------------------- - [BUGFIX #1] the name "TERENA" for installer signatures was hard-wired. It is now a config item; if omitted, no "signed by" advertising is done - [BUGFIX #2] use of eduroam DB depended on a heuristics about DB host "monitor.eduroam.org", which failed in some circumstances introducing new config variable for this one particular deploy- ment - [BUGFIX #3] various spelling and grammar fixes - [BUGFIX #4] fix wrong error message when trying to consume an already-used token - [BUGFIX #5] roll.php OS definition had a parameter that was never used - [BUGFIX #6] Terms of Use text which is not perfectly valid UTF-8 could make the mobileconfig module produce garbled installers. Incorrect characters will now be translit-ignored. - [BUGIFX #7] federation operator API rewritten to actually work - [BUGFIX #8] installer generation broke when inst or or profile names contained slashes - [FEATURE #1] Slovak translation - [FEATURE #2] Finnish translation - [FEATURE #3] Norwegian (Bokmal) translation Changes in release 1.0 ===================== - [BUGFIX] fix spelling mistake "fiitting" - [BUGFIX] better explanations for digital signature script for Windows - [BUGFIX] make admin login more visible in pop-up window (proper button) - [BUGXIX] more space added at the bottom of the main window (the footer was obsuring the view on shor windows). - [BUGXIX] devices.php no_cache global option was not taken into account - [BUGXIX] fixes to info text - the list of SSIDs was not displayed properly - [BUGXIX] SSIDs with spaces were not properly handled by Windows installers - [BUGXIX] IdPs were not sorted in the DB link popup - [BUGXIX] Close button in Manage DB link was causing a POST - [BUGFIX] NSIS variables not properly set for W8, as a result password did not appear for Windows 8 TLS - [BUGFIX] Confirmation text on the ToU Windows page was commented out as a result the default NSIS text was diplayed instead - [BUGFIX] arguments to infoCAT on the main page were not properly escaped, which could cause apostrophy problems Changes in release 1.0-rc1 ===================== - [BUGFIX] Windows module did not work for Vista without SP1 - [BUGFIX] removed all PHPdoc parser errors and warnings - [BUGFIX] grammar and punctuation fixes throughout the UI - [BUGFIX] auto-set the radio button in manage DB link if "other" is used - [BUGFIX] non-fedadmin users in the eduroam DB are not any more falsely classified as being fedadmin for the (non-existing, non-working) "NULL" federation - [FEATURE] Apple iOS installer download help is now displaying texts condi- tional to number of CAs/number of SSIDs installed - [FEATURE] Apple iOS installers now also support TTLS-MSCHAPv2 - [FEATURE] Admins now also have a "Start page" link to the main site - [FEATURE] we now also generate QR codes for deeplinking to the inst level (not just individual profiles) Some insts might want to drop their users into the profile selection stage. - [FEATURE] Additional startup screen for the Linux module - [FEATURE] Improvement in handling deep linking - [FEATURE] Debugging for Windows modules, you can now enable a lot of messages on the client, temporary files are not deleted either - [FEATURE] allow superadmins to delete old temporary directories conveniently from their home page - [FEATURE] Installation check includes whether default values were changed in the config, and whether all client cert related files exist Changes in release 1.0-beta2 ===================== - [BUGFIX] if an invitation mail can't be sent, don't make the institution pending - [BUGFIX] make the shortcut link profile generation -> installer fine- tuning work under all conditions - [BUGFIX] User page footer must stay at the bottom during page scrolls - [BUGFIX] ToU file contents conversion into proper CP for Windows installers - [BUGFIX] Active country list must be limited to those with configured and active IdPs - [BUGFIX] basic.php should not allow for setting a non-active county - [BUGFIX] allow option containers to render with more space if needed - [BUGFIX] escape POST values for MySQL write in manageNewInst.inc.php - [BUGFIX] federation admin privileges stay confined in own federation (only affects users without fed admin rights in one fed, but with such rights in another) - [BUGFIX] provide a working link to the explanation of anon outer IDs - [BUGFIX] make credential check work if more than one CA is configured - [BUGFIX] fix an E_NOTICE when retrieving user options - [BUGFIX] Windows installers were attempting to add intermediate CA certs to the root store and failed without any error message - [BUGFIX] Institution logo positioning - [BUGFIX] parse PEM files correctly even if they contain multiple CAs and intermediate "garbage" text - [BUGFIX] after parsing a CA repository from URL successfully, display that fact on the summary page - [BUGFIX] generate the doc/ directory inside web/ - [BUGFIX] strings in geolocation need to be miltilingial, discojuice fix was required - [BUGFIX] some option names were shown twice under "Add new options" - [BUGFIX] support email was showing up in place of support URL on Windows installers welcome screen - [BUGFIX] when no TKIP profiles were required, Windows installer still issued the TKIP message on the main screen - [BUGFIX] Windows modules failed when no CA certificates were supplied (this could happen for EAP-PWD - only preofiles) - [BUGFIX] When an intaller gereation failed the user was directed to a non-existant address, an error message is now displayed. - [BUGFIX] fix welcomeletter generation if logo is PNG - [BUGFIX] info_file in Windows now uses the correct charset - [FEATURE] Installation check includes whether downloads directory is writable - [FEATURE] Installation check includes whether all locales are available - [FEATURE] Installation check includes check for openssl presence + version - [FEATURE] mobileconfig module now displays info_file text (up to 1218 B) - [FEATURE] federation admins can now revoke issued invitations - [FEATURE] show privilege level when adding new administrators - [FEATURE] invitation mails explicitly state until when the token is valid - [FEATURE] a BCC address to receive copies of the invitation mails can now optionally be specified (defaults to NULL) - [FEATURE] fed admin can immediately add himself as admin of his IdPs (no need to send mail to himself) - [STRUCTURE] New approach to devices allowing to share directories and common files Changes in release 1.0-beta1 ===================== Main screen ----------------- when admin button is pushed, it may take a while before authentication goes through, hence a message should be displayed on the screen. (Feature) DONE going from the main screen to admin does not preserve language (Bug) FIXED Admin Interface ----------------------- Invitations should display a message when sent (Feature) FIXED Fields do not switch to file upload in chrome (Bug) FIXED compatibility matrix - download button - missing slash in URL (Bug) FIXED idp_wizard, wizard mode - hardcoded link to user interface (Bug) FIXED allow user to update his personal details (Feature) allow fedadmin and co-admins to delete an admin (Feature) flag profiles as "production" - before that, don't show to users (Feature) keep invite mail address permanently to identify users (Feature) allow to specify custom anonymous outer identity values (Feature) default for anonymous outer identities changed to "anonymous@" instead of "@" (Feature) Admin interface internals -------------------------------------- NAPTR records are case sensitive (Bug) FIXED audit trail of changes to DB data (Feature) User interface ----------------------- DiscoJuice icons fail on SVG (Bug) FIXED - Imagic seemed to have problems with non-english locale (??) Borders look bad in IE (Bug) FIXED Profile choice does not work properly in some browsers (Bug) FIXED - "click" instead of "select" event was used Profile select is not shown properly on Motorola XZOOM (Bug) FIXED - dirty chack setting select size to 1 if agent matches "Android" IE 8 fails in 'foreEach' method (Bug) FIXED - used jQuery.each instead CSS problems in IE8,IE7 (Problem) FIXED mostly Group download buttons per vendor (Feature) DONE basic.php does not show the profile name on the final download screen (Bug) DONE basic.php should try to recognise user's country (Feature) User interface internals ------------------------------------- Installer caching (Development) DONE Counters for total installers served (Feature) DONE Federation operator privileges management (Feature) DONE Core --------- Google API3 (Development) DONE New layout of directories, simplification od admin/user interfaces interaction - DONE Device modules ----------------------- situations where support data have not been given need to be handled with a default test substitution - DONE Linux - wpa_supplicant (Feature) DONE Linux - Network manager (Feature) DONE Windows modules - test for wireless interface being enabled (Feature) DONE Windows modules - test for exestence of certificates in stores before adding mobileconfig: display different strings for MacOS vs. iOS (Feature) mobileconfig: enable "hidden networks" flag (Feature) Utilities ----------- Stale installers cleanup (Development) DONE Documentation --------------------- Source code copyright notices added (all PHP files) Changes in release 1.0-alpha3 ====================== New translations: Italian Serbian Swedish New devices Windows 8 with native TTLS-PAP support Certificate handling - now it is possible to uload fill certificate chains as PEM files, the system is picking out root certificates so that installers are able to pick the correct fingerprints Changes prior to release 1.0-alpha3 ========================== 2011-08-09 - T. Wolniewicz Just listing changes since Alpha 1.0 Fixed language support - in Helper set_profile has been split into set_lang and set_profile, in user and device files domain switching has been added Fixed multiple SSID support in Vista7.php Fixed a small bug in ttls.nsi (the forward button was shown before SW2 has completed) Added some translation 2011-05-31 - S. Winter Device.php Helper.php Moved base dir for temporary files to Config allow recursive directory creation all files add a debug() function to increase/decrease verbosity testvectors.php uses two different profiles to generate a TTLS/Vista and PEAP/Vista profile 2011-05-24 - T. Wolniewicz IdP.php changed certificate handling in addCA, so that the certificate would be always available in both PEM and DER format. Also changed the way in which we determine if the certificate is in the PEM format, to avoid the warning message from openssl_x509_read. The return array from addCA now contains the pem and der fields. Device.php $FPATH_main and $FPATH properties have been added createTemporaryDirectory method was added saveCertificateFiles function was added $selected_eap public propertty was added for reporting purposes. Vista.php Major extensions, still in prelimintary state. Certificates and profiles are now saved in a temporary subdirectory if the directory pointed to by $FPATH_main