From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4b5kFd6NVHz30Hh for ; Mon, 26 May 2025 18:05:25 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4b5kFZ3Cw7z2xw9 for ; Mon, 26 May 2025 18:05:22 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4b5kFX4QJ0zrD for ; Mon, 26 May 2025 18:05:20 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1748282721; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=6KCGncDtRmp6YWMvZHuUxCjk3Z5pfXrVktjyMlEnrD8=; b=aL8/NS14W9JJvO1TBI+xqBlef3RBXAGl3oL2iXtZo6tv6/x+58ZEY7q5NLFJz3FWaLjwYZ WC2IET0tbvObOJDg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1748282721; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=6KCGncDtRmp6YWMvZHuUxCjk3Z5pfXrVktjyMlEnrD8=; b=ThqvYS/E3wmUYo8z9HnQQ3HlINEFvkiaSsRvDyXtwFeTNqt9NehQopaUHCYgVGTSW6UJ4D ZUQyoQKtlvL5uogdYNP4cagsrQhD4YJ0ySSRgsrwUpa4/AEJ1JzC/0aVJ3BOB2qin/jkCL bBl7p8sNg38vRSbdQEF9i/pugzrGmrEoC8HJczaA+56Bv4YkvYCFK8DB/DxI+xO/ebVTRc bpNByM1+qbT4/0eg6XWlcYAGFYgAhWlFMXDYHHT8koGmYqvtZGBfxFs/xSKvZY6tbxWPmq sXBWOiqenRLODjbEkXaLAEjvaYi1wMSvcbRG/7e4LsE5qXmsa7+sYtaczjw+xA== Message-ID: Date: Mon, 26 May 2025 18:05:00 +0000 Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Subject: Re: [PATCH 2/2] Core Update 196: Adjust existing IPsec connections using ML-KEM To: development@lists.ipfire.org References: <8baae50f-cf7b-4af0-81ec-89d898966993@ipfire.org> <7F8BE5B9-47B1-4B74-AB0A-1A8F04E3358E@ipfire.org> From: =?UTF-8?Q?Peter_M=C3=BCller?= In-Reply-To: <7F8BE5B9-47B1-4B74-AB0A-1A8F04E3358E@ipfire.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Hello Michael, > Hello Peter, > > Thanks for this patch. > >> On 15 May 2025, at 09:09, Peter Müller wrote: >> >> This causes existing IPsec connections using ML-KEM to always use it in >> conjunction with Curve 25519, in line with the changes dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2 >> implements for newly configured IPsec connections. >> >> Again, we can reasonably assume an IPsec peer supporting ML-KEM also >> supports Curve 25519. In case such a peer does not support RFC 9370, and >> the IPsec connection was created using our default ciphers, it will fall >> back to Curve 448, Curve 25519, or any other traditional algorithm. >> >> This patch will break existing IPsec connections only if they are >> exclusively using ML-KEM (which means the IPFire user reconfigured them >> manually using the "advanced connection settings" section in the WebUI), >> and the IPsec peer is configured in the same manner, and/or is an IPFire >> machine not yet updated to Core Update 196. Any other IPFire-to-IPFire >> IPsec connection will continue working, potentially falling back to >> Curve 448 or 25519 until both peers are updated to Core Update 196, >> after which ML-KEM in conjunction with Curve 25519 will be used again. >> >> Signed-off-by: Peter Müller >> --- >> config/rootfiles/core/196/update.sh | 8 ++++++++ >> 1 file changed, 8 insertions(+) >> >> diff --git a/config/rootfiles/core/196/update.sh b/config/rootfiles/core/196/update.sh >> index 0138fabcf..4f92b998b 100644 >> --- a/config/rootfiles/core/196/update.sh >> +++ b/config/rootfiles/core/196/update.sh >> @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do >> done >> >> # Stop services >> +/etc/rc.d/init.d/ipsec stop >> >> # Remove files >> rm -rfv \ >> @@ -65,7 +66,14 @@ esac >> # Apply SSH configuration >> #/usr/local/bin/sshctrl >> >> +# Change IPsec configuration of existing connections using ML-KEM >> +# to always make use of hybrid key exchange in conjunction with Curve 25519. >> +sed -i -e "s@-mlkem@-x25519-ke1_mlkem@g" /etc/ipsec.conf > > I believe this is not what you intend. > > You are changing the generated configuration file, but more likely, you want to change /var/ipfire/vpn/config where we are storing the properties of the connections. > > Afterwards, you should call vpnmain.cgi to generate /etc/ipsec.conf. ah, right. Apologies - its been a while. :-/ I'll submit a second version of the patchset in due course. All the best, Peter Müller > > -Michael > >> + >> # Start services >> +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then >> + /etc/rc.d/init.d/ipsec start >> +fi >> >> # This update needs a reboot... >> #touch /var/run/need_reboot >> -- >> 2.43.0 >> > >