Releases: OpenLI-NZ/openli

OpenLI 1.0.13

09 Feb 02:47

  • RADIUS parser now copes with situations where an assigned IP is not included in the Access-Accept message.
  • SIP parser now copes with SIP URIs that are just "sip:" followed by an IP address.

Packaging:

  • CentOS 8 is no longer supported, but we now build RPMs for Rocky Linux 8.5 and Alma Linux 8.4 instead.

OpenLI 1.0.12

10 Nov 02:03

  • Fixed bugs where changes to certain intercept properties (either via the REST API or through configuration reloading) were not being correctly applied when encoding subsequent ETSI records.
  • Fixed bug where the username property for a static IP intercept was not being encoded into the ETSI targetUsername field.
  • Fixed bug where digest hashes added using our helper script were not able to be authenticated by the provisioner.
  • Fixed collector crashing when processing a SIP message that spans multiple packets.

OpenLI 1.0.11

05 Aug 01:27

  • Improved collector encoding performance by saving and reusing previously-encoded records that have the exact same layout.
  • Also improved encoding performance at high packet rates by sending encoded records to the forwarding thread in batches.
  • Mediators will now actively avoid splitting a record across multiple send calls wherever possible -- this fixes issues where a reconnecting LEA handover (e.g. tracepktdump) would complain about being unable to parse the data it receives upon reconnection.
  • Fixed bug where a collector would simply stop forwarding records for an LIID on to the mediator for no apparent reason, especially when more encoder threads were being used.
  • Fixed bug where encoding jobs would be lost without being seen by the encoder thread.
  • Fixed performance-related issue where an overwhelmed mediator would never send data to its handovers.
  • Fixed crash in mediator after a handover is disconnected for failing to send a keep alive response.
  • BER encoding optimization has been removed -- it was not interoperable with some LEA software, and the new encoding performance enhancements are a better alternative anyway.
  • Fix issue where collector memory usage would be extremely high when under load.

OpenLI 1.0.10

27 Apr 06:26

  • Intercepts can now be configured with a start and/or end time (unix timestamp only).
  • SIP-based VOIP intercepts will now check the P-Asserted-Identity and Remote-Party-ID fields for matches against the target identities.
  • Added config option to allow the "From:" URI in a SIP packet to be used for target identification. Defaults to not allowed.
  • Added config options to adjust pcap output filenames and compression levels.
  • Fixed bug where the agencyID for an intercept could not be modified via the REST API.
  • Fixed issues where the set of active pcap intercepts was not updated when intercepts were no longer active.
  • Fixed various crashes and memory leaks when reloading the collector config file.
  • Improve performance when analysing SIP traffic while having a large number of active VOIP intercepts.

OpenLI 1.0.9

16 Feb 03:27

  • Reduce collector CPU usage when the forwarding thread is idle.
  • Fix HI1Operation messages that were not able to be decoded by LEAs.
  • Allow a BPF filter to be applied to any collector input.
  • Remove dependency on rsyslog -- syslog-ng can now be used instead, if desired.
  • Allow use of BER encoding for faster record encoding by the collector.

OpenLI 1.0.8

11 Nov 21:38

  • Fixed bugs that were causing HI1 Operations messages to not be generated under certain circumstances.
  • Fixed bugs that were causing HI1 Operations messages to have an incorrect sequence number, when generated following a reload of the intercept configuration file.

OpenLI 1.0.7

11 Nov 04:24

  • Mediators will now correctly emit HI1 Operations messages (via HI2) whenever an intercept is added, removed or modified by the provisioner.
  • Fixed bug where a reconnected mediator would no longer be sent any messages that are broadcast by the provisioner to the mediators (such as new or withdrawn LIID mappings).
  • The mediator and provisioner binaries that are shipped in the OpenLI packages are now run as a separate openli user, rather than running as root. The collector still runs as root as this is required by some packet capture methods that we support.

OpenLI 1.0.6

14 Sep 04:07
d6101b5

  • Added authentication layer to the provisioner REST API. If enabled, REST API requests must either provide a valid API key or use Digest Authentication to confirm that the request has been issued by an authorised party.
  • Collectors may now use rabbitmq to "buffer" encoded records before sending them to their mediator. The records will be persistently buffered to disk, so we are not solely relying on memory to retain records for mediators that have failed or disappeared.
  • Added RADIUS-friendly hashing option for collector input sources. This option should be used on all inputs that are going to receive RADIUS packets. Resolves issues with RADIUS packet ordering that required users to decrease the number of processing threads for their RADIUS inputs to 1.
  • Added scripts (openli-prov-authsetup.sh and openli-prov-adduser.sh) to assist in the creation and management of user credentials for the provisioner REST API.
  • Completely refactored mediator code to be easier to maintain. This in theory should have no impact on end users, but any code refactor may introduce new bugs so we want to make sure users know that we have done this.
  • Fixed bug where multiple configuration changes to an agency handover would not be applied correctly on the mediator.
  • Fixed crash when a RADIUS user has been removed but still had an outstanding request. The crash would occur if we then later saw the response.
  • Fixed hanging when collector processes a RADIUS packet that has been padded to the minimum frame size.
  • Fix provisioner crashes after expiring an unauthorised client that has connected to one of its listening ports.
  • Components that are not using TLS will now immediately exit after connecting to a component that is using TLS (and vice versa).

Note: some existing packaged installs may find that your package manager will "hold back" the new OpenLI packages if you attempt an upgrade. This is because we have upgraded from using libwandder1 to libwandder2 for one of our dependencies. To resolve this, you can explicitly install the packages directly, e.g. apt install openli-collector, to force the upgrade of the underlying libwandder package.

OpenLI 1.0.5

27 May 00:17

  • Added HTTPS support to the REST API -- if you are using TLS to encrypt inter-component communication in OpenLI, then you will also now need to use HTTPS (and accept the provisioner's certificate) to use the REST API to provision intercepts.
  • Added config option to disable the combining of VOIP calls with the same SDP O identifier into the same CIN, as this was a problem for some VOIP implementations.
  • Improved IPv6 address handling in the RADIUS parser by adding support for Delegated-IPv6-Prefix AVPs.
  • Fixed bug that caused erroneous "duplicate intercept" announcements.
  • Added support for RADIUS sessions which announce both an IPv4 and IPv6 address to the same user session.
  • Fixed log spamming caused by RADIUS Accounting-On messages.
  • Fixed "bad file descriptor" bug in the mediator.
  • Added ability to intercept multiple RTP streams (e.g. audio and video) from the same SIP session.
  • Fixed crashes when RADIUS messages did not have a Username field.
  • Fixed bugs in silent logoff detection when a RADIUS session has multiple identifiers (e.g. username and CS-ID).
  • Fixed slow memory leak caused by RADIUS sessions expiring.
  • Added more graceful detection and handling of OOM errors on the collector.
  • Fixed bug where a reconnecting mediator would not receive the records that the collector had buffered while it was gone.
  • Fixed bug where a second mediator running on the same host could "steal" intercepted records that were intended for another mediator.
  • Fixed handling of SSL write failures due to the socket being too busy.
  • Fixed bug where a disappearing provisioner would cause the collectors to drop all of their mediator connections, rather than continuing to intercept and forward to them.
  • Fixed hanging bug when a collector is halted.
  • Fixed small memory leaks on the collector when a provisioner disconnects and then reconnects.
  • Fixed session map corruption when a user IP session was deleted.
  • Fixed bug where a silent logoff detected for a single IP would destroy the session, even when there were other non-logged-off IPs still associated with it.

OpenLI 1.0.4

28 Jan 03:20
86899f3

  • Added update socket to the provisioner, which allows new intercept configuration to be pushed to the provisioner via a REST API. As part of this change, any intercept-related configuration (including IP and VOIP intercepts, RADIUS core servers, SIP servers and agency details) has now been moved into a separate configuration file, which will be managed directly by the provisioner. Configuration changes made using the REST API will be written into this file by the provisioner as soon as they are enacted. Any intercept-related configuration remaining in the provisioner configuration file after upgrading to 1.0.4 will be ignored.
  • UMTS (mobile) intercepts are now supported, based on sessions established using GTP. GTP + the IP for the target's sessions must be fed into a collector, much like you would do for RADIUS + IP for a conventional IP intercept. The validity of the resulting encoded UMTS records is not yet confirmed with an LEA, so please consider this feature to still be "in beta". Feedback from both operators and LEAs on this feature would be more than welcome.
  • Allow RADIUS Calling-Station-ID AVP to be used to determine the user identity for a RADIUS stream (either in addition to or in place of the standard Username AVP).
  • Add configuration option to list "default" RADIUS usernames that should not be treated as genuine user identities (useful for operators relying on Calling-Station-ID for identity instead).
  • If an LEA is withdrawn, the mediator will now disconnect its handovers to that LEA.
  • Allow multiple concurrent RADIUS sessions for a given user (e.g. a concurrent IPv4 and IPv6 session should now each produce their own HI2 streams).
  • Allow multiple concurrent IP intercepts for the same JMirror or ALUShim session.
  • Fixed bug where starting a collector with systemd would fail if using a DPDK or DAG device as a packet source.
  • Fixed memory leaks in the collector forwarding code.
  • Fixed bug where CINs for JMirror intercepts were inconsistent across HI2 and HI3.
  • Fixed bug where mediators were accepting client connections after they had been told to halt.
  • Fixed bug where a static IP range that was being stored by the collector could become invalid after being modified.
  • Fixed bugs that were preventing large UDP SIP messages from being correctly reassembled.
  • Improved logging of connection status between the mediator and handover clients.
  • The keep alive response timeout must now be less than or equal to the keep alive frequency.
  • Improve mediator performance by rate-limiting keep alive timer resets to one per second.
  • Fix concurrency issues on the mediator related to newly-connected handovers.
  • Fix crash when flushing a pcap output file that has not been given any packets to write yet.
  • Fix excessive logging in mediator when an LEA has been disabled or removed by the provisioner.
  • Fix bug where modifications to the configured LEA for an IP intercept would only remove the existing LEA and not add the new one.
  • Fixed assertion failure that could trigger in the mediator if a client handover failed to respond to a keepalive.
  • Prevent mediator from sending any new data to a client handover as long as there is an unanswered keepalive.
  • Do not start the keep alive response timer until after a successful send() of the keep alive message.