[5.15.0] - 2026-01-21
🚀 Features
- Upgrade OpenSSL to 3.6.0 but keep 3.1.2 for FIPS crypto provider #667
  - Summary of changes:

    | OpenSSL Linkage | FIPS | Non-FIPS |
    | --- | --- | --- |
    | Static | Linkage: OpenSSL 3.6.0; runtime loads FIPS provider from OpenSSL 3.1.2 | Linkage: OpenSSL 3.6.0; runtime uses default/legacy providers |
    | Dynamic | Linkage: OpenSSL 3.1.2; ships FIPS configs and provider OpenSSL 3.1.2 | Linkage: OpenSSL 3.6.0; ships `libssl`/`libcrypto` and providers |

- Provide /health endpoint #690
- Add k256 (RFC6979) curve for sign/verify for non-fips builds #671
- Download CLI through UI #678
- Support RFC 3394 (AESKeyWrap with no padding) #658
⚠️ WARNING about AES Key Wrap changes
Keys that were previously exported manually in JSON format must be updated manually if they were wrapped with AES. This can be done using the following command:

```bash
sed -i 's/NISTKeyWrap/AESKeyWrapPadding/g' your_exported_key.json
```
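The rename above applied with a backup and a post-check, as an added example (not part of the project's changelog or tooling). The sample file written by `make_sample` is constructed and its field names are assumptions, not the KMS export schema; `make_sample` and `migrate_key_file` are names chosen for this example.

```bash
#!/usr/bin/env bash
# Added example: apply the NISTKeyWrap -> AESKeyWrapPadding rename to one
# exported key file, keeping a backup and verifying the result.

# Writes a CONSTRUCTED sample file; the field names are made up for this
# example and are not the KMS export schema.
make_sample() {
    printf '{\n  "constructed_sample": true,\n  "wrapping_method": "NISTKeyWrap"\n}\n' > "$1"
}

# migrate_key_file FILE
# Prints the number of occurrences replaced (0 means nothing to do).
# Returns 2 if FILE is missing, 1 if verification fails (FILE is restored).
migrate_key_file() {
    local file count
    file="$1"
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }

    count=$(grep -o 'NISTKeyWrap' "$file" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo 0    # already migrated, or never wrapped with AES
        return 0
    fi

    # The backup keeps mode and timestamps; it still holds wrapped key material.
    cp -p "$file" "$file.bak"

    # Same substitution as the changelog command, written from the backup
    # into the original so it does not depend on GNU-only `sed -i`.
    sed 's/NISTKeyWrap/AESKeyWrapPadding/g' "$file.bak" > "$file"

    # Verify that no old name is left; otherwise restore the original.
    if grep -q 'NISTKeyWrap' "$file"; then
        mv "$file.bak" "$file"
        return 1
    fi
    echo "$count"
}

# Demo: runs only when the script is invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp/key.json"
    echo "replaced: $(migrate_key_file "$tmp/key.json")"
    cat "$tmp/key.json"
    rm -rf "$tmp"
fi
```

Running it a second time on the same file prints 0 and leaves the file and its backup untouched; delete the `.bak` file once the migrated key has been re-imported and checked.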
🐛 Bug Fixes
- Remove RUSTSEC-2023-0071 about `rsa` dependency and handle database without sqlx #646.
  - Summary of changes:
    - `openidconnect` is removed in favor of a manual OIDC implementation
    - `jwt-simple` is replaced by `jsonwebtoken`
    - old crate `cloudproof_findex` (-> `crypto_core` -> `rsa`) has been removed
    - `sqlx` has been replaced by the following crates:
      - tokio-postgres
      - deadpool-postgres
      - mysql_async
      - tokio-rusqlite
      - rusqlite
  - ⚠️ WARNING about Redis migration: For KMS server versions earlier than v5.12, first migrate the KMS Redis-Findex database to 5.14, then to 5.15. For KMS server versions 5.12 to 5.14, no migration is needed to move to 5.15.
- Upgrade lru and downgrade yanked flat2 to 1.1.5 #680
- Fix double hash in RSASSAPSS in raw and digest data mode for sign/verify #677
- RSA signature/verify tests only run on non-fips #684
- Derive session cookie encryption key from public URL and user-provided salt for load-balanced deployments #664
📚 Documentation
⚙️ Build
- (deps) Bump react-router from 7.5.3 to 7.12.0 in /ui in the npm_and_yarn group across 1 directory #673