public inbox for development@lists.ipfire.org
From: "Peter Müller" <peter.mueller@ipfire.org>
To: "IPFire: Development" <development@lists.ipfire.org>
Subject: [PATCH 2/2] Core Update 196: Adjust existing IPsec connections using ML-KEM
Date: Thu, 15 May 2025 08:09:00 +0000
Message-ID: <b073e757-e4e0-49cd-b3cf-604c4a8faa26@ipfire.org>
In-Reply-To: <8baae50f-cf7b-4af0-81ec-89d898966993@ipfire.org>

This causes existing IPsec connections using ML-KEM to always use it in
conjunction with Curve 25519, in line with the changes dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2
implements for newly configured IPsec connections.

Again, we can reasonably assume an IPsec peer supporting ML-KEM also
supports Curve 25519. In case such a peer does not support RFC 9370, and
the IPsec connection was created using our default ciphers, it will fall
back to Curve 448, Curve 25519, or any other traditional algorithm.

This patch will break existing IPsec connections only if they are
exclusively using ML-KEM (which means the IPFire user reconfigured them
manually using the "advanced connection settings" section in the WebUI),
and the IPsec peer is configured in the same manner, and/or is an IPFire
machine not yet updated to Core Update 196. Any other IPFire-to-IPFire
IPsec connection will continue working, potentially falling back to
Curve 448 or 25519 until both peers are updated to Core Update 196,
after which ML-KEM in conjunction with Curve 25519 will be used again.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/rootfiles/core/196/update.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/config/rootfiles/core/196/update.sh b/config/rootfiles/core/196/update.sh
index 0138fabcf..4f92b998b 100644
--- a/config/rootfiles/core/196/update.sh
+++ b/config/rootfiles/core/196/update.sh
@@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
 done
 
 # Stop services
+/etc/rc.d/init.d/ipsec stop
 
 # Remove files
 rm -rfv \
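Review bot: the added `/etc/rc.d/init.d/ipsec stop` is unconditional, so every installation running the update tears down all IPsec tunnels for the duration of the script, including those with no ML-KEM proposals at all; consider gating the stop on the same `grep -q "ENABLED=on" /var/ipfire/vpn/settings` test used before the start later in this file, or limiting the restart to the case where the sed in the second hunk actually changes something. Also confirm the init script exits cleanly when ipsec is not running, so the stop cannot abort the update on machines with IPsec disabled.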
@@ -65,7 +66,14 @@ esac
 # Apply SSH configuration
 #/usr/local/bin/sshctrl
 
+# Change IPsec configuration of existing connections using ML-KEM
+# to always make use of hybrid key exchange in conjunction with Curve 25519.
+sed -i -e "s@-mlkem@-x25519-ke1_mlkem@g" /etc/ipsec.conf
+
 # Start services
+if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
+	/etc/rc.d/init.d/ipsec start
+fi
 
 # This update needs a reboot...
 #touch /var/run/need_reboot
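Review bot: `sed -i -e "s@-mlkem@-x25519-ke1_mlkem@g" /etc/ipsec.conf` rewrites every `-mlkem` occurrence independently, so a proposal that already lists `x25519` next to ML-KEM (for example `-x25519-mlkem768`) becomes `-x25519-x25519-ke1_mlkem768`, and a proposal listing two ML-KEM sizes gets two `ke1_` entries; a pattern anchored on the separator and the surrounding algorithm names, or a check that the string is not already present, would make the edit safer to re-run. Since the substitution only touches the generated `/etc/ipsec.conf`, please also confirm that the stored connection settings the WebUI regenerates that file from are updated (or that vpnmain.cgi now emits the hybrid form itself, as the companion patch suggests), otherwise the next save in the WebUI would silently revert to plain ML-KEM. Finally, the start is correctly gated on `ENABLED=on`, but the sed runs regardless; that is harmless, though worth a comment so a later reader does not assume IPsec is always enabled here.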
-- 
2.43.0



Thread overview: 4+ messages
2025-05-15  8:06 [PATCH 1/2] vpnmain.cgi: Use ML-KEM only as a hybrid with Curve 25519 Peter Müller
2025-05-15  8:09 ` Peter Müller [this message]
2025-05-15  8:16 ` Adolf Belka
2025-05-15 12:07   ` Adam Gibbons
