From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH] vpnmain.cgi: Fix writing ESP settings for PFS ciphers Date: Wed, 19 Jun 2019 20:38:00 +0000 Message-ID: <25986a8d-7e45-b94d-0d9d-4c6e02c95594@ipfire.org> In-Reply-To: <9F68F24B-956A-4BCA-B487-88273B09109E@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5847052717139401117==" List-Id: --===============5847052717139401117== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Hello Michael, could you merge the change into "next", too? So it won't be overwritten with the next Core Update... Thanks, and best regards, Peter Müller > Oops. Yes. > > Weirdly, someone confirmed that this patch works for them… > >> On 17 Jun 2019, at 15:08, Peter Müller wrote: >> >> The changes introduced due to #12091 caused IPsec ESP >> to be invalid if PFS ciphers were selected. Code has >> to read "!$pfs" instead of just "$pfs", as it should trigger >> for ciphers _without_ Perfect Forward Secrecy. >> >> Fixes #12099 >> >> Signed-off-by: Peter Müller >> Cc: Michael Tremer >> --- >> html/cgi-bin/vpnmain.cgi | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi >> index fbc274919..750b69b1d 100644 >> --- a/html/cgi-bin/vpnmain.cgi >> +++ b/html/cgi-bin/vpnmain.cgi >> @@ -3338,7 +3338,7 @@ sub make_algos($$$$$) { >> push(@algo, $int); >> } >> >> - if ($pfs || $grp eq "none") { >> + if (!$pfs || $grp eq "none") { >> # noop >> } elsif ($grp =~ m/^e(.*)$/) { >> push(@algo, "ecp$1"); >> -- >> 2.16.4 > -- The road to Hades is easy to travel. -- Bion of Borysthenes --===============5847052717139401117==--
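Review bot: The changed condition in make_algos(), `if (!$pfs || $grp eq "none")`, guards an empty `# noop` branch, so the intent is only visible by reading the negation carefully, and the one-character fix here shows how easily that test gets inverted. Consider stating the positive case instead, `if ($pfs && $grp ne "none")`, with the `$grp =~ m/^e(.*)$/` check and the `push(@algo, "ecp$1")` nested inside it, which removes the empty block. If the current shape is kept, replace `# noop` with a comment saying that no group is appended when PFS is off or the group is "none". The commit message explains what `!$pfs` is meant to select, but nothing at the condition itself does, so a short comment there would help the next change to this function.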