Backport TLS 1.3 support for IPS engine 4.0.

Added parameter default and multiple lines support; a new feature related to Mantis 466084 and the new SCADA/ICS NFR 571919.

Fixed crash when copying to packet mime_body buffer. Fix crash when ZIP uncompressed size is bigger than INT_MAX.

Fixed cross session tags with multiple engine processes.

Fixed a specified service with default TCP protocol.

Fixed IPS engine drops FIN-ACK packet for flow-based AV.

In some cases when SNI verify failed, IPS engine crashed.

Fixed reply to FIN+ACK retransmission with seq=0&ack=0 pkt.

Fixed intermittent web access issue with SSL session ticket.

In some rare cases, the RTP/RTSP/RTCP dissector resulted in a crash.

Keep getting attackid=0 in FortiGate IPS logs for P2P traffic.

Port IPS tag database improvement patch for IPS 4.0.

Fixed wait time too long in sniff mode.

Always choose explicitly configured rules over implicit ones.

Do not generate a random serial number for a resigned server certificate.

Avoid padding oracles due to different handling of invalid record MAC and invalid paddings. Fixed incomplete HMAC validation and crashes. Fixed IPS engine crash when doing CBC HMAC validation.

Fixed web rating overrides that do not work with an external proxy.

Do not filter out application signatures based on applications detected in host session.

Fixed incorrect SACK.

Fixed IPS engine with high memory issue.

Fixed botnet database loading crash on Windows and removed garbage strings from database.

Fixed inconsistent local URL filtering for SSL sessions.

CIFS AV flow-based mode allows malware, which was blocked via HTTP. Change the value of SMB2_OOO_LIMIT to 4 MB.

Apply URL filtering in packet error handler for certificate inspection as well.

Create different sessions for the same session from a different policy.

Support UTF-8 for flow web filter URLdatabase.

Malware cannot be detected when both IPS and AV are enabled.

Fixed HTTP decoder does not send file to flow-based AV.

Fixed crash on HTTP2 control when getting content disposition.

Fixed negative session expire time.

Fixed IPS intelligent mode not working on random traffic.

Fixed IPS engine signal 11 crash.

Check null pointer before reference. Use -Os to compile for the FSOC2/FSOC3 platforms.

Do not perform URL filter query if SNI is not yet verified.

Use greased SSL extension to fill the gap in a session ticket extension.

Fixed an IPS engine crash caused by session release.

Check whether IPSA database is up-to-date before compile to avoid an unnecessary IPSA database compile.

Fixed an IPS engine crash happening in SSL packet finish handler.