
Airlock Gateway 8.5

Now post-quantum ready!

Airlock Gateway 8.5 introduces key improvements in security, automation and operational efficiency. Anomaly Shield is strengthened with IP Reputation, post-quantum-safe algorithms provide protection against future cryptographic risks, and expanded ACME services enable automated certificate management even in internal environments. The new PXE-based installation allows Gateways to be deployed fully unattended. In addition, several components have been updated and legacy elements removed.

Airlock Anomaly Shield – Now with IP Reputation

The new IP Reputation feature incorporates the historical behavior of an IP address directly into the risk assessment. IPs with a negative reputation are evaluated earlier and more strictly.

This reduces false positives for known, benign IPs while accelerating the detection of genuinely suspicious activity.

The feature is enabled by default and requires no configuration.

Upgrade to OpenSSL 3.5 – Modern cryptography with long-term support

Airlock Gateway has been updated to OpenSSL 3.5. The new LTS version is supported until 2030. This upgrade not only introduces new capabilities but also reduces long-term cryptographic risks.

Key improvements include:

  • Server-side QUIC (Quick UDP Internet Connections) for better performance with modern protocols.
  • Modernized defaults, such as AES-256 instead of outdated 3DES.
  • PQC-capable algorithms (see section Post-Quantum Cryptography for details).
  • Full HSM compatibility is maintained. Both nCipher and Luna HSMs have been successfully validated with OpenSSL 3.5.

This ensures your Gateway installation remains aligned with state-of-the-art cryptographic standards for the years ahead.

Post-Quantum Cryptography – Protection against "Harvest Now, Decrypt Later"

Attackers are already collecting encrypted data today with the intention of decrypting it later using quantum computers. Gateway 8.5 addresses this "harvest now, decrypt later" threat with several important enhancements that make your systems resistant to future quantum attacks:

  • Secure by default: PQC-capable KEM groups (Key Encapsulation Mechanisms) are enabled by default. 
  • Hybrid Key Exchanges: Classical and post-quantum algorithms are combined. This ensures that connections remain secure even if one of the methods is broken in the future.
  • Reporting: The logging clearly shows which clients already use PQC-capable groups. TLS key exchange groups appear in TLS-SESS-START and are also available as ENV cookies and rewrite variables.
  • Performance: PQC introduces no relevant performance degradation on the same hardware.
  • Broad compatibility: Chromium-based browsers such as Chrome and Edge already support PQC. Apple will enable PQC automatically with iOS/macOS 26. Firefox offers PQC support via a configuration switch.

Since Gateway 8.2 (early 2024), these PQC capabilities have been evaluated together with customers and partners in PoCs. The insights gained have been directly incorporated into the product.

Further information can be found in our blog article.

Add-on Tomcat – Modernisation for current Java applications

With Gateway 8.5, the Add-on Tomcat is available in version 11, providing support for modern Java versions.

  • Upgrade:
    • If WAR files are deployed, the Add-on Tomcat 9 will be upgraded automatically during the Gateway upgrade.
    • If no WAR files are deployed, the Add-on Tomcat will be removed as part of the upgrade.
  • Manual installation: If required, the Add-on Tomcat can still be installed manually via the console.
  • Tomcat 11 requirements: Tomcat 11 requires Java 17 or newer, which means Java applications must be updated accordingly.
  • Parallel operation of Tomcat 9 and 11: Both versions are available in Gateway 8.5, allowing older Java applications to continue running until the next release (Gateway 8.6).
  • Airlock modules: The ICAP SDK and the SOAP filter have been updated and are fully compatible with Tomcat 11.

Starting with Gateway 8.6, only Tomcat 11 will be supported. It requires Java 17 or newer. Please update your applications accordingly or deploy them externally on an older Tomcat version.

ACME Services – Enhancement for internal and non-public domains

With Gateway 8.3, we introduced ACME to fully automate certificate issuance, renewal, and management. Gateway 8.5 continues this approach by adding support for DNS-01 in addition to TLS-ALPN-01. This enhancement enables fully automated certificate provisioning for domains that are not publicly reachable.

  • Automated certificates for internal domains: DNS-01 allows ACME-based certificates for systems operating exclusively in internal networks or segmented environments.
  • ACME services and DNS providers are linked together so that the necessary DNS TXT entries can be created.
  • Unified automation across all zones: Certificates for both external and internal services can be managed consistently and without manual intervention.
  • Reduced risk of expired certificates: Automation ensures continuous coverage across all network areas.

This extension significantly reduces administrative effort and broadens the applicability of ACME, particularly in internal or isolated environments.

PXE-based installation – Provisioning without manual steps

The new PXE installation enables fully automated deployment of new Gateways. This accelerates initial setups and large-scale rollouts, reduces errors, and ensures consistent configurations, particularly in:

  • large environments and distributed locations
  • MSSP (Managed Security Service Provider) scenarios
  • lab and QA environments

The Gateway documentation has been expanded to cover PXE-based installation and describes all required steps.

End of life

Microsoft Mapping Templates & Splunk app

Microsoft Mapping Templates – End of life

The mapping templates for the following products have been removed:

  • Exchange 2016 / 2019
  • SharePoint 2016 / 2019
  • WebDAV

This decision follows the market-wide shift toward cloud services and Microsoft’s own support timelines: support for Exchange 2016 and 2019 ended on 14 October 2025, and SharePoint 2016 and 2019 will follow on 14 July 2026. WebDAV has also become a niche use case due to modern alternatives such as OneDrive.

As a result, we will no longer maintain these mapping templates. Existing installations will continue to function with Gateway 8.5.

 

Airlock Splunk App – End of life

We have decided to discontinue further development of the Airlock Splunk App. It is retired with immediate effect.

Shortened support lifecycle for Gateway 8.4

Airlock Gateway 8.5 introduces OpenSSL version 3.5. Since the current version 3.0.x will only be supported by the OpenSSL project until August 2026, the support lifecycle for Gateway 8.4 has been slightly shortened to align with this timeline.

Support for Airlock Gateway 8.4 will therefore end in August 2026.

Hardened filter rules thanks to bug bounties

Last but not least, our Airlock Bug Bounty Program, successfully running since 2020, has led to numerous security improvements, which are now included in this release. We thank the white-hat hackers who share their findings with us. Learn more about the Airlock Bug Bounty Program here.

Updating is easy

Airlock Gateway 8.5 is now available on the Airlock Techzone. Updating to this minor version requires no manual adjustments – your existing configuration can be easily migrated and activated. A detailed overview of all updates and fixes can be found in the release notes.

Airlock Gateway 8.5 release video

In our release video, you will learn all the details about Airlock Gateway 8.5.
