From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ZJXsw2PNZz332B for ; Thu, 20 Mar 2025 17:40:36 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ZJXsr5jq7z2xMD for ; Thu, 20 Mar 2025 17:40:32 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4ZJXsq4KP5z5lt for ; Thu, 20 Mar 2025 17:40:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1742492431; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wav8qA1xr+dl1TCBTdAOQmAvk6OkJQSr7tIuKbCbsBE=; b=P0PSb096HZtid9jJXfN50WI1IE8Dym9ApJmnbN+UUV/e2QO/svJqbxBaSZfeARUtJJU1xG kjWi375tSX5VOk08/jiKczDJHP6y99EBbcvMXLcvsTkQ+3JnS0J1/X9ZiyyhXD7LeALWWL GHUKjsvkYbhcJIZtmdP4ZU2qQ6YjR2a2E3CqZtFBJpNdX/DrBrzMJRZgJ+ZgekcC9l+YlA 5E+xgKPb7kpoTX6jusuX/OsXc8oMEeAhddehidqAdz8PUFsDp6nhQc/y4aW6xOfZzB3H8X +35OWyLFE+mRhywiQBB4IM5MVJRu4MRKxTHo1fG4N4cpy/p6YkiYhysf5GPzMg== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1742492431; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wav8qA1xr+dl1TCBTdAOQmAvk6OkJQSr7tIuKbCbsBE=; b=SYoeerQJPWxtsXarRybPofLxRci0p2wLQl/6EectY7i8MbKsVUQ5a3WcOUDkw1a48fYK3N 8vTSMxH9lQbN1lCQ== Message-ID: Date: Thu, 20 Mar 2025 18:40:26 +0100 Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Subject: Re: IPFire 2.29 - Core Update 193 is available for testing To: "IPFire: Development-List" References: <174238111584.1720815.10275774082881760962.ipfire@ipfire.org> Content-Language: en-GB From: Adolf Belka In-Reply-To: <174238111584.1720815.10275774082881760962.ipfire@ipfire.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Hi All, My first findings from CU193 Testing. The IPBlocklist sources file and the backup.pl file with the changes related to removal of the ABUSECH blocklist, did not get into the filelist file and so that blocklist was not removed. I tested out ipsec. A working PSK and cert connection from CU192 were both tested out with CU193 Testing. Both worked in CU192 and also worked without issues when IPFire was updated to CU193 Testing. I then created a new ipsec cert connection and tested that out and it worked but it did not use the post quantum cipher. Strongswan-6.0.0 is also on my laptop but I am using Network Manager with a Strongswan plugin and that might not yet be updated with the post quantum ciphers. My laptop and IPFire negotiated a cipher and that connection then worked. The other thing that might be getting in the way is that all the certs currently created in IPSec are legacy based ones,m even if the Root/Host certificate has been re-created to have the more secure version with openssl-3.x I raised a bug on this a while back. https://bugzilla.ipfire.org/show_bug.cgi?id=13808 This came about when we updated to OpenSSL-3.x. I added in the legacy options into the openssl commands in the ovpnmain.cgi page and did the same thing to the vpnmain.cgi page for IPSec. Then in the ovpnmain.cgi page I added in the check if the root/host x509 set was legacy or not and then only used the legacy option if it was. However, I never went back to the vpnmain.cgi page to update that to only use -legacy if the root/host x509 was legacy. So currently all client certs are legacy, even if the root/host x509 is not. I have assigned that ipsec bug to myself and it will be something I will have a go at sometime soon. However, main thing, the change to strongswan-6.0.0 has not negatively impacted the ipsec operation. All existing connections, at least the ones I had, worked after the CU193 Testing update. Regards, Adolf. On 19/03/2025 11:57, IPFire Project wrote: > Hello Community! Only a few days after releasing the latest update, we are excited to begin testing the next one. It comes with support for Post-Quantum Cryptography in IPsec as well as a new toolchain and a lot of bug and security updates. > ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ > > > IPFire_ > > > IPFire 2.29 - Core Update 193 is available for testing > > Hello Community! Only a few days after releasing the latest update, we are excited to begin testing the next one. It comes with support for Post-Quantum Cryptography in IPsec as well as a new toolchain and a lot of bug and security updates. > > Read The Full Post On Our Blog > > The IPFire Project, c/o Lightning Wire Labs GmbH, Gerhardstraße 8, 45711 Datteln, Germany > > Unsubscribe >