Releases · OxalisCommunity/oxalis

NAPTR Lookup Support (PFUOI 4.4.0): In this release, NAPTR lookup is now the default lookup method.
Users who prefer to continue using CNAME lookup may do so until T2 (01.11.2025). To maintain CNAME lookup with this version, set the following property in oxalis.conf:

lookup.locator.class=network.oxalis.vefa.peppol.lookup.locator.BusdoxLocator

Peppol Wildcard Change (PFUOI 4.3.0)
To support the Peppol PINT wildcard migration, a new mandatory parameter has been introduced: oxalis.pint.wildcard.migration.phase
In this release, the default value is set to 1. However, you can configure this value in oxalis.conf as and when needed as per timeframe:

# For T1 (May 15th, 2025, onward): - Set value to 1 on/after May 15th, 2025 ) - Default value in this version
oxalis.pint.wildcard.migration.phase=1
# For T2 (~September 03, 2025/TBD): - "busdox scheme exact match" in PINT messages will be removed in T2. You will start getting error message with phrase "...or SMP registration is not valid" when you continue trying to send PINT message with "busdox scheme" 
oxalis.pint.wildcard.migration.phase=2

For PINT documents. always use "peppol-doctype-wildcard" as Document Type Identifier Scheme in SBDH otherwise default "busdox-docid-qns" value will be considered. This can lead to SMP lookup error if SMP registration is only available with "peppol-doctype-wildcard" and you are Not providing Document Type Identifier Scheme in SBDH. For details, refer "PINT Wildcard Migration Plan"

Bump httpclient to 5.4.4
Bump vefa.peppol to 4.1.1
Bump commons-certvalidator to 4.6.0
Bump peppol-specifications to 2.5.0
Bump cxf to 4.0.8
Bump jetty to 11.0.25
Bump jaxb-impl to 4.0.5
Bump guava to 33.4.8-jre
Bump joda-time to 2.14.0
Bump commons-dbcp2 to 2.13.0
Bump commons-io to 2.19.0
Bump mariadb-java-client to 3.5.3
Bump hsqldb to 2.7.4
Bump logback to 1.5.18
Bump opentelemetry.apache.httpclient to 2.16.0-alpha
Bump opentelemetry to 1.50.0
Bump testng to 7.11.0
Bump mockito-core to 5.17.0
Bump lombok to 1.18.38
Bump metainf-services to 1.11

Full Changelog: v7.1.0...v7.2.0-RC1

What's Changed

eDEC CodeList Support: Added support for eDEC CodeList version 9.1.
NAPTR Lookup Support (PFUOI 4.4.0): Users who wish to enable NAPTR lookup can do so by configuring the following property in oxalis.conf:

lookup.locator.class=network.oxalis.vefa.peppol.lookup.locator.BdxlLocator

Peppol Wildcard Change (PFUOI 4.3.0): A new mandatory parameter has been introduced to support Peppol PINT wildcard handling. It must be set in oxalis.conf as shown:

# For T0 status (before 15 May) - Default value
oxalis.pint.wildcard.migration.phase=0
# For T1 (May 15th, 2025, onward): - Set value to 1 on/after May 15th, 2025
oxalis.pint.wildcard.migration.phase=1
# For T2 (~August 27th, 2025/TBD): - "busdox scheme exact match" in PINT messages will be removed in T2. You will start getting error message with phrase "...or SMP registration is not valid" when trying to send PINT message with "busdox scheme" 
oxalis.pint.wildcard.migration.phase=2

For PINT documents. always use "peppol-doctype-wildcard" as Document Type Identifier Scheme in SBDH otherwise default "busdox-docid-qns" value will be considered. This can lead to SMP lookup error if SMP registration is only available with "peppol-doctype-wildcard" and you are Not providing Document Type Identifier Scheme in SBDH. Additionally, the new exact match identifier option in the wildcard scheme is introduced but cannot be used before T1 i.e. no capability registrations with that scheme may be made before T1. For details, refer "PINT Wildcard Migration Plan"

Added code to set HTTP version with default value '1.1'. You can also configure [OPTIONAL] it in oxalis.conf as:

oxalis.http.version=1.1

Added check [OPTIONAL] in inbound component to verify whether incoming message belong to your AP

# Configure below properties in oxalis.conf in production environment (access.point.isReceiverCheckEnabled=true), if you as receiving AP want to verify whether incoming messages belong to you as per your SMP registration. For Point-to-Point/simulated environment, set access.point.isReceiverCheckEnabled=false

access.point.isReceiverCheckEnabled=false
my.access.point.url="http://api.example.com/oxalis/as4"

Removed outdated FRPOC support
Fixed expired dummy AP certificates
Bump peppol-specifications from 2.3.0 to 2.4.0
Bump vefa-peppol version from 3.8.0 to 10000 4.0.0
Bump bouncycastle from 1.78.1 to 1.80
Bump guava from 33.3.1-jre to 33.4.0-jre
Bump joda-time from 2.12.2 to 2.13.0
Bump slf4j from 2.0.6 to 2.0.17
Bump logback from 1.5.6 to 1.5.16
Bump lombok from 1.18.24 to 1.18.32
Bump httpclient, from 4.5.13 to 4.5.14
Corrected jakarta.servlet-api.version

Full Changelog: v7.0.0...v7.1.0

Important Notice⚠️

Oxalis 6.8.0 is the final release in the 6.x.x series. There will be no further updates or support for this version line.
Users are strongly encouraged to migrate to either Oxalis 7.x.x or Oxalis-NG 1.x.x to receive future updates, security fixes, and improvements.

What's Changed

eDEC CodeList Support: Added support for eDEC CodeList version 9.1.
NAPTR Lookup Support (PFUOI 4.4.0): Users who wish to enable NAPTR lookup can do so by configuring the following property in oxalis.conf:

lookup.locator.class=network.oxalis.vefa.peppol.lookup.locator.BdxlLocator

Peppol Wildcard Change (PFUOI 4.3.0): A new mandatory parameter has been introduced to support Peppol PINT wildcard handling. It must be set in oxalis.conf as shown:

# For T0 status (before 15 May) - Default value
oxalis.pint.wildcard.migration.phase=0
# For T1 (May 15th, 2025, onward): - Set value to 1 on/after May 15th, 2025
oxalis.pint.wildcard.migration.phase=1
# For T2 (~August 27th, 2025/TBD): - "busdox scheme exact match" in PINT messages will be removed in T2. You will start getting error message with phrase "...or SMP registration is not valid" when trying to send PINT message with "busdox scheme" 
oxalis.pint.wildcard.migration.phase=2

For PINT documents. always use "peppol-doctype-wildcard" as Document Type Identifier Scheme in SBDH otherwise default "busdox-docid-qns" value will be considered. This can lead to SMP lookup error if SMP registration is only available with "peppol-doctype-wildcard" and you are Not providing Document Type Identifier Scheme in SBDH. Additionally, the new exact match identifier option in the wildcard scheme is introduced but cannot be used before T1 i.e. no capability registrations with that scheme may be made before T1. For details, refer "PINT Wildcard Migration Plan"

Full Changelog: v6.7.0...v6.8.0

@smahieu87

What's Changed

Major version i.e. incompatible with previous version
Jakarta version upgrade by @smahieu87
Require upgrade to Tomcat 10.1.x
Run with all Java versions starting 11 to 21 without any workaround and/or warning messages
Migration from Opentracing (archived/unsupported) to OpenTelemetry
Added configurable properties in oxalis.conf for locator and global dns server vs organization dns

# Configure following properties for BusdoxLocator and BdxlLocator in Oxalis.conf as per your requirements
lookup.locator.busdox.timeout=30
lookup.locator.busdox.maxRetries=3
# If below lookup.locator.busdox.enablePublicDNS is set to true then it will use Google & Cloudflare DNS thereby bypassing organization DNS. 
# Google DNS is faster, but it also performs DNSSEC validation by default. 
# If DNSSEC signature expired in SML then it will throw SERVFAIL error. 
# There is trade-off between speed vs security. Keep it false, if you are Not sure what you are doing.  
lookup.locator.busdox.enablePublicDNS = false 

lookup.locator.bdxl.timeout=20
lookup.locator.bdxl.maxRetries=2
# If below lookup.locator.bdxl.enablePublicDNS is set to true then it will use Google & Cloudflare DNS thereby bypassing organization DNS. 
# Google DNS is faster, but it also performs DNSSEC validation by default. 
# If DNSSEC signature expired in SML then it will throw SERVFAIL error. 
# There is trade-off between speed vs security. Keep it false, if you are Not sure what you are doing.  
lookup.locator.bdxl.enablePublicDNS = false

Further refinement of lookup results, error handling with actionable messages
Bump peppol-specifications to version 2.3.0
Bump pkix-ocsp version to 2.3.0
Bump commons-certvalidator to version 4.4.0
Bump vefa-peppol to version 3.8.0
Bump guava version to 33.3.1-jre
Bump h2 database to version 2.3.232
Bump dnsjava version to 3.6.2
Bump logback version to 1.5.6
Bump Jetty version to 11.0.24
Updated ELMA SMP domain
Replaced old revoked AP test certificate with Norstella test AP certificate
Updated SMP Prod and Test Certificate

New Contributors

@smahieu87 made his first contribution for Jakarta version upgrade

Added eDEC Codelist version 8.9 support
Bump vefa-peppol version to 3.7.0
Bump dnsjava version to 3.6.0
Bump commons-certvalidator version to 4.2.0
Replaced expired Peppol test certificate
Optimized BdxlLocator and BusdoxLocator to fix network-level errors as participant not found

# Following additional "maxRetries" and "timeout" properties configured in "reference.conf" for BusdoxLocator and BdxlLocator
mode.default.lookup.locator = {
    class: network.oxalis.vefa.peppol.lookup.locator.BusdoxLocator

    bdxl: {
        .....
        .....
        maxRetries: 3
        timeout: 30
    }

    busdox: {
        .....
        .....
        maxRetries: 3
        timeout: 30
    }
}

Full Changelog: v6.6.0...v6.7.0

Added eDEC Codelist version 8.8 support
Bump vefa-peppol version to 3.6.0
Bump Bouncycastle version to 1.78.1 to fix following vulnerabilities:
- Bouncy Castle crafted signature and public key can be used to trigger an infinite loop
- Bouncy Castle affected by timing side-channel for RSA key exchange ("The Marvin Attack")
- Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.
- Bouncy Castle Denial of Service (DoS)
- Bouncy Castle For Java LDAP injection vulnerability
Bump commons-certvalidator to version 4.1.0
Bump dnsjava to 3.5.3 version
France Peppol certificate update

Full Changelog: v6.5.0...v6.6.0

Bump vefa-peppol to version 3.5.0
Added Dummy certificates and fixed Test cases

Full Changelog: v6.4.0...v6.5.0

Added eDEC codelist v8.7 support
Fixed security vulnerability related to logback-classic by version upgrae from 1.3.5 to 1.3.12
Fixed Test cases

Full Changelog: v6.3.0...v6.4.0

Bump vefa-peppol version to 3.3.1 to fix AS4 Transport value
Full Changelog: v6.2.0...v6.3.0

Made C1 country code mandatory as per Peppol SBDH v2.0.1 i.e. Outbound message will fail, if C1 country code is Missing in SBD Header. Note that since Oxalis version 4.1.0, it is duty of SP AP to construct SBD Header and pass it as input payload.
Fixed Jetty Vulnerability
Fixed H2 database Vulnerability

Full Changelog: v6.1.1...v6.2.0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

What's Changed

Uh oh!

Important Notice⚠️

What's Changed

Uh oh!

What's Changed

New Contributors

Contributors

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Releases: OxalisCommunity/oxalis

Oxalis 7.2.0-RC1

Uh oh!

Oxalis 7.1.0

What's Changed

Uh oh!

Oxalis 6.8.0

Important Notice⚠️

What's Changed

Uh oh!

Oxalis 7.0.0

What's Changed

New Contributors

Contributors

Uh oh!

Oxalis 6.7.0

Uh oh!

Oxalis 6.6.0

Uh oh!

Oxalis 6.5.0

Uh oh!

Oxalis 6.4.0

Uh oh!

Oxalis 6.3.0

Uh oh!

Oxalis 6.2.0

Uh oh!