Skip to content

News and Noteworthy

Jump to bottom Edit New page
Philip Helger edited this page Nov 16, 2025 · 85 revisions

v6.1.0 - 2025-11-16

  • Updated to ph-commons 12.1.0
  • Using JSpecify annotations

v6.0.0 - 2025-09-22

  • Renamed from "as2-lib" to "phase2"
  • Maven coordinates changed from com.helger.as2:* to com.helger.phase2:*
  • Requires Java 17 as the minimum version
  • Updated to ph-commons 12.0.0
  • Renamed packages
    • Renamed com.helger.as2lib.* to com.helger.phase2.*
    • Renamed com.helger.as2servlet.* to com.helger.phase2.servlet.*
    • Renamed com.helger.as2.webapp.* to com.helger.phase2.webapp.*
    • Renamed com.helger.as2.* to com.helger.phase2.server.*
  • Renamed classes
    • Renamed CAS2Info to CPhase2Info
    • Renamed CAS2Version to CPhase2Version
    • Renamed MainOpenAS2Server to MainPhase2Server
  • Renamed methods
    • Renamed AS2ReceiverHandler.sendMDN to sendSyncMDN
    • Renamed AS2Helper.createMDN to createSyncMDN
  • Fixed the left over of temporary files during decompression. See #149. Thanks @krisztina-zsihovszki

v5.1.7 - 2025-08-20

  • Fixed an unintentional overwriting of the outgoing HTTP dumper factory. See issue #161. Thanks @ihudedi

v5.1.6 - 2025-08-19

  • Updated to BouncyCastle v1.81
  • Updated to Apache HttpClient 5.5
  • Fixed an error in certificate selection for async MDN processing

v5.1.5 - 2025-04-25

  • Updated to Apache HttpClient 5.4.4 to fix CVE-2025-27820

v5.1.4 - 2025-01-21

  • Updated to BouncyCastle 1.80
  • Updated to Apache HttpClient 5.4
  • Updated to ph-commons 11.1.12
  • Fixed potential issues with temp files (see CWE-377)

v5.1.3 - 2024-03-29

  • Updated to ph-commons 11.1.5
  • Created Java 21 compatibility

v5.1.2 - 2024-01-23

  • Updated to BouncyCastle v1.77
  • Fixed the private key selection if multiple entries with the same alias exist. See issue #106. Thanks @AlexandruCiobanu

v5.1.1 - 2023-08-01

  • Updated to ph-commons 11.1
  • Updated to BouncyCastle v1.77
  • Added new signing algorithm aliases:
    • sha2_224 - SHA224 alias
    • sha2_256 - SHA256 alias
    • sha2_384 - SHA384 alias
    • sha2_512 - SHA512 alias
  • Improved error handling in case of chunked encoding processing
  • Finally fixed the issue with chunked Transfer-Encoding in Servlet based environments
  • Avoid error in MDN signing when receiver certificate is expired

v5.1.0 - 2023-02-24

  • Using Servlet API 5.0.0 as the baseline: JakartaEE 9, Java 11+, Apache Tomcat v10.0.x, Jetty 10.x
  • Using Eclipse Angus 2.0.x
  • Using Spring Boot 3.x

v5.0.8 - 2025-08-19 [backport]

  • Updated to BouncyCastle v1.81
  • Fixed an error in certificate selection for async MDN processing

v5.0.7 - 2025-05-06 [backport]

  • Updated to BouncyCastle v1.80
  • Updated to Apache HttpClient v5.4.4 to fix CVE-2025-27820

v5.0.6 - 2024-05-31 [backport]

  • Updated to BouncyCastle v1.78

v5.0.5 - 2024-01-15 [backport]

  • Updated to BouncyCastle v1.77

v5.0.4 - 2023-06-22 [backport]

  • Avoid error in MDN signing when receiver certificate is expired

v5.0.3 - 2023-06-22 [backport]

  • Finally fixed the issue with chunked Transfer-Encoding in Servlet based environments

v5.0.2 - 2023-06-21 [backport]

  • Updated to Spring Boot 2.7.12 for the demo application
  • Improved error handling in case of chunked encoding processing

v5.0.1 - 2023-05-15 [backport]

  • Added new signing algorithm aliases:
    • sha2_224 - SHA224 alias
    • sha2_256 - SHA256 alias
    • sha2_384 - SHA384 alias
    • sha2_512 - SHA512 alias

v5.0.0 - 2023-02-19

  • Using Java 11 as the baseline
  • Updated to ph-commons 11
  • Using Servlet API 4.0.1 as the baseline: JakartaEE 8, Java 11+, Apache Tomcat v9.x, Jetty 10.x
  • Using Jakarta Mail 2.0.1 (because Bouncycastle is not yet available for Eclipse Angus)
  • Using Jakarta Activation 2.0.1
  • Fixed an error that did not print the transferred bytes correctly (AS2 Message transferred X bytes in Y seconds at Z KBps)
  • Removed the signing algorithm from PR #138 again because it didn't work out fully
  • Added new signing algorithms:
    • rsassa-pss-sha-224 - RSASSA-PSS with digest algorithm SHA224 (sha-224)
    • rsassa-pss-sha-256 - RSASSA-PSS with digest algorithm SHA256 (sha-256)
    • rsassa-pss-sha-384 - RSASSA-PSS with digest algorithm SHA384 (sha-384)
    • rsassa-pss-sha-512 - RSASSA-PSS with digest algorithm SHA512 (sha-512)
    • rsassa-pss-sha3-224 - RSASSA-PSS with digest algorithm SHA3-224 (sha3-224)
    • rsassa-pss-sha3-256 - RSASSA-PSS with digest algorithm SHA3-256 (sha3-256)
    • rsassa-pss-sha3-384 - RSASSA-PSS with digest algorithm SHA3-384 (sha3-384)
    • rsassa-pss-sha3-512 - RSASSA-PSS with digest algorithm SHA3-512 (sha3-512)

v4.11.0 - 2022-08-17

  • Updated to Apache Http Client v5.x for the underlying HTTP transport
  • Made the reading and writing of the async MDN info file more generic, so that it does not rely on the hard disc
  • Added new signing algorithm "RSA PKCS #1 v1.5 Signature with SHA-3". See PR #138. Thanks @enif77
  • Changed the public methods to configure timeouts to use the new APIs
  • Updated the Mendelson Keys, so that the test application MainSendToMendelsonTestServer works again

v4.10.1 - 2022-03-05

  • Added support for the partnership attribute remove_cms_algorithm_protect_attr. See issue #137. Thanks @dang-osu
  • Improved some execution order in case of error. See issue #135. Thanks @ihudedi

v4.10.0 - 2022-01-04

  • Changed the type of "causes" in AS2ProessorException from Throwable to AS2Exception
  • Improved the Exception handling for AS2DispositionException. See issue #130. Thanks @ihudedi
  • Removed the member "source file" from class AS2Exception
  • Using less setters for Exception members - bad style

v4.9.2 - 2021-12-30

  • Updated to Log4J 2.17.1 to circumvent CVE-2021-44832
  • Avoid double wrapping of AS2DispositionException. See issue #130. Thanks @ihudedi

v4.9.1 - 2021-12-21

  • Updated to Log4J 2.17.0 to circumvent CVE-2021-45046 and CVE-2021-45105

v4.9.0 - 2021-12-13

  • Updated to Log4J 2.15.0 to circumvent CVE-2021-44228
  • Removed the usage of Serializable where not needed - it was never fully working and only adds complexity
  • Renamed interface IAS2InputStreamProvider to IAS2HttpRequestDataProvider
  • Fixed the processing of the incoming HTTP data when the Servlet was used. See issue #131. Thanks @vansh-flexe and @kem-flexe

v4.8.0 - 2021-10-25

  • Deprecated class ExceptionParameters because it is not used
  • Simplified the IAS2InputStreamProvider interface in a backwards incompatible way
  • Changed the handling of incoming messages in the Servlet to handle large files. See issue #123 - thanks @ihudedi
  • Fixed the handling of active modules in as2-demo-spring-boot and as2-demo-webapp. See issue #129 - thanks @GeeinHub
  • The parameters errordir and sentdir of AbstractDirectoryPollingModule can now also handle date and msg parameters
  • Added the parameter stored_error_filename to class AbstractDirectoryPollingModule to define the filename for storing in the error directory. It can handle date and msg parameters. The default behaviour is the source filename.
  • Added the parameter stored_sent_filename to class AbstractDirectoryPollingModule to define the filename for storing in the sent directory. It can handle date and msg parameters. The default behaviour is the source filename.
  • The parameter errordir of DirectoryResenderModule can now also handle date parameters
  • Added the parameter stored_error_filename to class DirectoryResenderModule to define the filename for storing in the error directory. It can handle date parameters. The default behaviour is the source filename.

v4.7.1 - 2021-03-30

  • Added new interface IAS2OutgoingHttpCallback that can be set in AS2SenderModule and AsynchMDNSenderModule to be invoked after HTTP calls
  • Added new interface IAS2IncomingMDNCallback that can be set in AS2SenderModule and AS2MDNReceiverHandler to be invoked when an MDN is received

v4.7.0 - 2021-03-22

  • Updated to ph-commons 10

v4.6.4 - 2021-03-10

  • Added new servlet AS2MDNReceiveServlet to receive asynchronous MDNs
  • Fixed potential Exceptions if the "pending MDN Info" or "pending MDN" folder is not configured properly
  • Extracted the class AbstractCertificateFactory to be more flexible in KeyStore handling for receiving.

v4.6.3 - 2020-09-22

v4.6.2 - 2020-09-17

  • Using Jakarta JAXB 2.3.3

v4.6.1 - 2020-07-15

  • Made AS2 version number customizable through IAS2Session (see issue #111)
  • Tried to send Content-Length HTTP header (see issue #109) - experimental feature

v4.6.0 - 2020-05-27

  • Changed the Maven groupId to com.helger.as2
  • Updated to ph-commons 9.4.0

v4.5.5 - 2020-03-13

v4.5.4 - 2020-03-12

  • Fixed a resource leak that caused a lot of "bcMail" temporary files (see issue #103)
  • Fixed a problem with the SelfFillingPartnershipFactory if the instance survives multiple document exchanges to different partners (see issue #99)

v4.5.3 - 2020-02-17

  • Updated to ph-web 9.1.9

v4.5.2 - 2020-02-07

  • Fixed passing the keystore password in the AS2 client if the keystore was provided as a byte array
  • Sending less stack traces in the MDN if an AS2ProcessorException was thrown

v4.5.1 - 2020-02-07

  • Extended CertificateFactory API
  • Fixed a small RFC 4130 compliance bug. In the formatting of the "Disposition" response header, a blank was missing in case of an error
  • Extended other APIs of modules and processors

v4.5.0 - 2019-12-19

  • Renamed OpenAS2Exception to AS2Exception
  • Renamed WrappedOpenAS2Exception to WrappedAS2Exception
  • Renamed OpenAS2KeyStore to AS2KeyStore
  • Renamed DispositionException to AS2DispositionException
  • Renamed HttpResponseException to AS2HttpResponseException
  • Got rid of the name OpenAS2 internally
  • Renamed other exception to start with AS2
  • Moved package com.helger.as2lib.util.cert to test-only
  • The MDN payload parsing now honors the Content-Transfer-Encoding (see issue #100)

v4.4.8 - 2019-10-23

  • Allowed absolute path with Windows drives for the attributes pendingmdninfo and pendingmdn (see issue #97)
  • Removed intermediate class AbstractCertificateFactory
  • Made CertificateFactory thread-safe (and got rid of some synchronized)
  • Changed application name from ph-OpenAS2 to as2-lib
  • Renamed AS2ServletSession to AS2ServletXMLSession (incompatible but should not effect outside code)

v4.4.7 - 2019-10-22

  • Simplified ICertificateFactory to work on IBaseMessage
  • Fixed a missing HTTP header unification when using the async MDN (see issue #97)
  • The async MDN is no longer send in a separate thread but in the main thread of the processor, so that retry etc. works
  • Fixed too much quoting when having path values inside of the attributes pendingmdninfo and pendingmdn (see issue #97)

v4.4.6 - 2019-10-18

  • Added a possibility to customize the "ReceiverModule" to send back the full exception or only the class name and and the message
  • The "UserAgent" HTTP header now contains the version number of the as2-lib used

v4.4.5 - 2019-10-11

  • Updated to ph-web 9.1.4
  • Added custom MIC matching handler to class AS2ClientSettings
  • Added the possibility to provide a custom callback to receive the certificate used in class AS2ClientSettings
  • Moved IHTTPOutgoingDumperFactory from package ".http" to ".dump" (incompatible change)
  • Made the IHTTPIncomingDumper customizable per handler
  • Made AS2ReceiveServlet non final and moved initialization code to init()
  • The as2-server project was reintegrated into this repository for ease of maintenance
  • Added new submodule as2-demo-spring-boot for a stub how to use as2-lib with Spring Boot (see issue #96)
  • Fixed an issue with the Content-Transfer-Encoding and it is now more consistent

v4.4.4 - 2019-09-26

  • Removed all information about the exception from the MDN (see issue #94)
  • Updated to ph-commons 9.3.7
  • Fixed another unintentional HTTP header values quoting and made it configurable for receiving modules (see issue #95)

v4.4.3 - 2019-09-05

  • Fixed an unintended quoting of HTTP header values when reading an MDN

v4.4.2 - 2019-08-30

  • Updated to ph-commons 9.3.6
  • Changed Automatic-Module-Name of "as2-lib" to com.helger.as2lib
  • Changed Automatic-Module-Name of "as2-servlet" to com.helger.as2servlet
  • The HTTP headers can now be automatically quoted correctly according to RFC 2616 chapter 2.2 (see issue #92) - must be explicitly enabled.
  • Internal API of OpenAS2Exception was changed in an incompatible way
  • Trying to ensure correct line endings in MDNs (see issue #90)
  • By default exception stack traces are not send back in the MDN anymore

v4.4.1 - 2019-06-28

  • Extended ICryptoHelper.verify API to have a chance to retrieve the effective certificate
  • Added a new message attribute that contains the certificate used for verification
  • AS2ClientResponse now has an accessor to retrieve the certificate used to verify the MDN

v4.4.0 - 2019-06-13

  • AS2Client correctly passes the keystore type to CertificateFactory
  • AS2Client can now handle read-only keystore that is provided as byte array
  • Remove support for the old HttpUrlConnection, therefore making "large file support" the default (see issue #87)
  • Removed all the "large file support" flags (incompatible)
  • Improved MIC algorithm name matching (see issue #75)
  • Added support for deprecated signing algorithms rsa-md5 and rsa-sha1
  • Updated to new Mendelson test certificates (key3 and key4 - see http://mendelson-e-c.com/node/3211)
  • The Content-Transfer-Encoding value base64 now works correctly (see issue #71)
  • Added a custom IMICMatchingHandler interface to AS2SenderModule and AS2MDNReceiverHandler (see issue #59)
  • Removed deprecated class com.helger.as2lib.cert.PKCS12CertificateFactory. Use com.helger.as2lib.cert.CertificateFactory instead - no functionality changes.
  • Removed some other deprecated methods as well.
  • Updated to ph-commons 9.3.4
  • Reworked the outgoing dumping API, so that it can be set per "AbstractHttpSenderModule" and must not be globally set. This is a backwards incompatible change. The existing system property is still accepted.
  • The AS2 client can now dump specific outgoing requests more easily using the new API
  • The outgoing HTTP dumper does now have options to configure whether the comment, header and or payload should be dumped or not

v4.3.0 - 2019-05-17

  • Moved interface IRefreshablePartnershipFactory from project as2-server to this project
  • Improved support for large file transmission - thanks to @zharpaz for the PR (see issue #78)
  • Removed class AS2GlobalSettings
  • Removed support for the system property AS2.useSecureRandom

v4.2.2 - 2019-03-21

v4.2.1 - 2018-11-26

  • Updated to ph-commons 9.2.0

v4.2.0 - 2018-11-21

  • Added support for large file transmission (using Apache HttpClient) - thanks to @zharpaz for the PRs :D
  • AS2 client now has the possibility to not request an MDN at all
  • It's now possible to use a different Security Provider besides BouncyCastle (see issue #52)
  • Added workaround for bug in HttpHeaderMap.addAllHeaders (see issue #48)
  • Using the correct signing algorithm for the MIC, according to the partnership definitions (see issue #50)
  • Added new subproject as2-demo-webapp to provide a simple to use stub for a web application receiving AS2 messages (see issue #36)
  • Loading of keystores now also works from classpath by default. Based on https://github.com/phax/as2-peppol-server/issues/2
  • Deprecated AS2ClientRequest.setData (File) in favour of AS2ClientRequest.setData (File, Charset) (see issue #45)
  • Content-Type handling was improved all over the place to avoid exception in case of error (see issue #33)
  • Added new class HTTPIncomingDumperStreamBased
  • Calculating the MIC only if an MDN is requested (see issue #58)
  • Saved MDN uses OS specific newlines (see issue #61)
  • Changed IDynamicComponent to have attrs() and not to be a StringMap
  • Added new encryption algorithms (AES with GCM padding)
  • Requires ph-web 9.0.5 or newer
  • Required ph-commons 9.1.8. to ensure case sensitive HTTP header names (see ph-commons ä11)
  • Storing the outgoing MIC as an attribute in the message (see issue #74)

v4.1.1 - 2018-07-27 - please use only with ph-commons 9.1.4 or newer

  • The existence of just the header Disposition-Notification-Options without Disposition-Notification-To does not trigger MDN sending anymore (see issue #42)
  • Fixed overwriting of existing Content-Transfer-Encoding when receiving messages.
  • Partnership attribute blockerrormdn is now only evaluated for MDNs that are created based on errors
  • MDNs now also use the partner attribute content_transfer_encoding and content_transfer_encoding_receive (see issue #43)

v4.1.0 - 2018-06-20

  • The random parameters class now supports creating random values that are longer than 10 characters
  • Fixed OSGI ServiceProvider configuration
  • Added support for new encryption algorithms (see issue #38)
  • Added new system property AS2.httpDumpDirectoryOutgoing to easily dump outgoing transmissions
  • Renamed system property for dumping incoming HTTP transmissions from AS2.httpDumpDirectory to AS2.httpDumpDirectoryIncoming to avoid confusion. The old name can still be used but emits a warning.
  • Modules MDNFileModule and MessageFileModule now got a new attribute charset to define the charset to be used to dump the information.
  • Requires ph-commons 9.1.2

v4.0.2 - 2018-04-05

  • improved client configurability and customizability
  • Switching back to preferring BC PKCS12 key store, because JDK PKCS 12 key store is partially case insensitive

v4.0.1 - 2018-03-27

v4.0.0 - 2018-01-06

  • Updated to ph-commons 9.0.0
  • Updated to BouncyCastle 1.58
  • Fixed crypto algorithm case sensitivity issue on sending (issue #32)
  • Changed internally from java.util.Date to java.time.LocalDateTime - so all the Date parameters must be changed from yyyy to uuuu!!!
  • The certificate factory com.helger.as2lib.cert.PKCS12CertificateFactory was deprecated in favor of the more generic com.helger.as2lib.cert.CertificateFactory that handles arbitrary keystore types (like JKS).

v3.1.0 - 2017-07-27

  • AS2 client can now handle custom HTTP headers
  • Reworked dumping API to create new dumpers per request
  • Dumping API was moved into a separate package.

v3.0.4 - 2017-06-19

  • AS2 client allows different content type even if text source is used
  • AS2 client allows to specify Content-Transfer-Encoding
  • Updated to BouncyCastle 1.57
  • The receiving modules got a new attribute errorstorebody to indicate whether the body of a failed message should also be stored or not (default is false)
  • The receiving modules errordir directory can now handle parameters (date and msg)
  • AS2 client can now request and asynchronous MDN (issue #31)

v3.0.3 - 2017-01-24

  • Binds to ph-commons 8.6.x
  • Binds to ph-web 8.7.0
  • Updated to BouncyCastle 1.56

v3.0.2 - 2016-11-28

  • Improved signature validation certificate selection (#28) - thanks @rklyne
  • Made connect and read timeout configurable in AS2ClientSettings (issue #23)

v3.0.1 - 2016-09-27

  • Made incoming HTTP request dumping customizable (issue #26)

v3.0.0 - 2016-08-21

  • JDK 8 is now required
  • Using ph-commons 8.4.x

v2.2.8 - 2016-05-09

  • Improved AS2 client https customization and API

v2.2.7 - 2016-04-27

  • Added per partnership attribute rfc3851_micalgs to determine to use RFC 3851 MIC algorithm names instead of the default RFC 5751 MIC algorithm names (issue #18)
  • Fixed problem with special character escaping in MDN context (issue #19)

v2.2.6 - 2016-03-02

  • Added support for dumping HTTP requests when using as2-servlet

v2.2.5 - 2015-12-01

  • Added a validity check so that expired certificates can no longer be used to sign, verify and encrypt messages. Decrypt is still possible.
  • Added the possibility to disable the autosave of the PKCS12CertificateFactory using the new boolean attribute autosave. This can now also easily be set in the client settings. (issue #17)
  • Fixed potential endless loop when a retry count was specified at a partnership (issue #16)

v2.2.4 - 2015-11-11

  • Fixed a minor issue where details of a ProcessingException were not passed into the MDN text

v2.2.3 - 2015-10-22

  • Improved API for handling MDN errors (as2-lib issue #11)
  • The signature verification of messages sent without Content-Transfer-Encoding was fixed (as2-lib issue #12)
  • Receiving a message for an unknown partnership now results in a correct error MDN (as2-server issue #16)
  • The new sub-project as2-servlet is now contained

v2.2.2 - 2015-10-19

  • Updated to Bouncy Castle 1.53 (as2-lib issue #10)

v2.2.1 - 2015-10-08

  • Extended API and some debug logging added

v2.2.0 - 2015-09-27

  • added system properties (see below) for configuration and debugging purposes
  • added new resender modules: ImmediateResenderModule and InMemoryResenderModule
  • added the following new partnership attributes:
    • content_transfer_encoding_receive [receiver side] to define a fixed Content-Transfer-Encoding for receiving, even if none is specified.
    • force_decrypt [receiver side] to force decryption of incoming messages even if the Content-Type header claims the message is not encrypted (as a work-around for non spec-compliant senders)
    • disable_decrypt [receiver side] to disable decryption of incoming messages even if the Content-Type header claims the message is encrypted (as a work-around for non spec-compliant senders)
    • force_verify [receiver side] to force signature validation of incoming messages even if the Content-Type header claims the message is not signed (as a work-around for non spec-compliant senders)
    • disable_verify [receiver side] to disable signature verification of incoming messages even if the Content-Type header claims the message is signed (as a work-around for non spec-compliant senders)
    • verify_use_cert_in_body_part [receiver side] to define whether a certificate passed in the signed MIME body part shall be used to verify the signature (when true) or whether to always use the certificate provided in the partnership (when false). If not set the value of the AS2 session is used.
    • disable_decompress [receiver side] to disable decompression of incoming messages even if the Content-Type header claims the message is compressed (as a work-around for non spec-compliant senders)
    • sign_include_cert_in_body_part [sender side] to determine whether the certificate used for signing should be included in the signed content part (when true) or not (when false). The default value is true.
    • Added the sub-project as2-partnership-mongodb - thanks to @jochenberger for contributing it

v2.1.0 - 2015-08-20

  • fixes a problem that implicitly SHA-1 was always used for signing, no matter what you specify
  • compression according to RFC 5402 is now supported so that this is no fully AS2 1.1 compatible
Add a custom footer
Add a custom sidebar

Clone this wiki locally