Development June 2018

development@lists.ipfire.org

12 participants
64 discussions

[PATCH 3/3] add ChaCha20/Poly1305 to IPsec WebUI
by Peter Müller 30 Jun '18

30 Jun '18

The algorithm is selected by default since it is considered to be both secure and state-of-the-art. This required Linux kernel > 4.2, which is satisfied by Core Update 2.12 122. Fixes #11549 Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- html/cgi-bin/vpnmain.cgi | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index eefe97599..4650bd237 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1919,11 +1919,11 @@ END $cgiparams{'REMOTE_ID'} = ''; #use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; + $cgiparams{'IKE_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19]; $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[20]; $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; + $cgiparams{'ESP_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22]; $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[23]; $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; @@ -2180,7 +2180,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2221,7 +2221,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2347,6 +2347,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || } ADVANCED_ERROR: + $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'} = ''; $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; @@ -2385,6 +2386,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; } + $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'} = ''; $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; @@ -2497,6 +2499,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <td class='boldbase' width="15%">$Lang::tr{'encryption'}</td> <td class='boldbase'> <select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'> + <option value='chacha20poly1305' $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option> <option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option> <option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option> <option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option> @@ -2517,6 +2520,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || </td> <td class='boldbase'> <select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'> + <option value='chacha20poly1305' $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option> <option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option> <option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option> <option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option> -- 2.16.4

1 0

[PATCH 2/3] update StrongSwan to 5.6.3
by Peter Müller 30 Jun '18

30 Jun '18

This also takes advantage of changed crypto plugins (see first patch) and updates the rootfile. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- config/rootfiles/common/strongswan | 6 +++--- lfs/strongswan | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index 0a0dd050e..6981a7ca8 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan @@ -17,6 +17,7 @@ etc/strongswan.d/charon.conf etc/strongswan.d/charon/aes.conf etc/strongswan.d/charon/attr.conf etc/strongswan.d/charon/ccm.conf +etc/strongswan.d/charon/chapoly.conf etc/strongswan.d/charon/cmac.conf etc/strongswan.d/charon/constraints.conf etc/strongswan.d/charon/counters.conf @@ -51,7 +52,6 @@ etc/strongswan.d/charon/pkcs7.conf etc/strongswan.d/charon/pkcs8.conf etc/strongswan.d/charon/pubkey.conf etc/strongswan.d/charon/random.conf -etc/strongswan.d/charon/rc2.conf etc/strongswan.d/charon/resolve.conf etc/strongswan.d/charon/revocation.conf etc/strongswan.d/charon/sha1.conf @@ -112,6 +112,7 @@ usr/lib/ipsec/libvici.so.0.0.0 usr/lib/ipsec/plugins/libstrongswan-aes.so usr/lib/ipsec/plugins/libstrongswan-attr.so usr/lib/ipsec/plugins/libstrongswan-ccm.so +usr/lib/ipsec/plugins/libstrongswan-chapoly.so usr/lib/ipsec/plugins/libstrongswan-cmac.so usr/lib/ipsec/plugins/libstrongswan-constraints.so usr/lib/ipsec/plugins/libstrongswan-counters.so @@ -146,7 +147,6 @@ usr/lib/ipsec/plugins/libstrongswan-pkcs7.so usr/lib/ipsec/plugins/libstrongswan-pkcs8.so usr/lib/ipsec/plugins/libstrongswan-pubkey.so usr/lib/ipsec/plugins/libstrongswan-random.so -usr/lib/ipsec/plugins/libstrongswan-rc2.so usr/lib/ipsec/plugins/libstrongswan-resolve.so usr/lib/ipsec/plugins/libstrongswan-revocation.so usr/lib/ipsec/plugins/libstrongswan-sha1.so @@ -197,6 +197,7 @@ usr/sbin/swanctl #usr/share/strongswan/templates/config/plugins/aes.conf #usr/share/strongswan/templates/config/plugins/attr.conf #usr/share/strongswan/templates/config/plugins/ccm.conf +#usr/share/strongswan/templates/config/plugins/chapoly.conf #usr/share/strongswan/templates/config/plugins/cmac.conf #usr/share/strongswan/templates/config/plugins/constraints.conf #usr/share/strongswan/templates/config/plugins/counters.conf @@ -231,7 +232,6 @@ usr/sbin/swanctl #usr/share/strongswan/templates/config/plugins/pkcs8.conf #usr/share/strongswan/templates/config/plugins/pubkey.conf #usr/share/strongswan/templates/config/plugins/random.conf -#usr/share/strongswan/templates/config/plugins/rc2.conf #usr/share/strongswan/templates/config/plugins/resolve.conf #usr/share/strongswan/templates/config/plugins/revocation.conf #usr/share/strongswan/templates/config/plugins/sha1.conf diff --git a/lfs/strongswan b/lfs/strongswan index e2ecf83c7..102c24724 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@ include Config -VER = 5.6.2 +VER = 5.6.3 THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 46aa3aa18fbc4bd528f9a0345ce79913 +$(DL_FILE)_MD5 = a6a28eeb22aa58080a7581771a5b63f9 install : $(TARGET) -- 2.16.4

1 0

[PATCH 1/3] update cryptography settings in StrongSwan LFS file
by Peter Müller 30 Jun '18

30 Jun '18

The RC2 plugin was never supported by the WebUI and is insecure, so it became obsolete here. To support new ChaCha20/Poly1305, the corresponding module needs to be enabled. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- lfs/strongswan | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lfs/strongswan b/lfs/strongswan index 58f8c5e9b..e2ecf83c7 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -92,8 +92,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-eap-peap \ --enable-eap-mschapv2 \ --enable-eap-identity \ + --enable-chapoly \ --disable-padlock \ - --disable-chapoly \ + --disable-rc2 \ $(CONFIGURE_OPTIONS) cd $(DIR_APP) && make $(MAKETUNING) -- 2.16.4

1 0

[PATCH] update GeoIP.dat database
by Peter Müller 30 Jun '18

30 Jun '18

There are two GeoIP databases used in IPFire: One for firewall rules, which is downloaded and installed automatically, and a second one ("GeoIP.dat") for WebUI lookups via the Perl interface. The latter one is not updated automatically and was outdated. libloc will make things much easier here... Fixes #11777. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- lfs/GeoIP | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/GeoIP b/lfs/GeoIP index 3e79da544..013da0e52 100644 --- a/lfs/GeoIP +++ b/lfs/GeoIP @@ -25,7 +25,7 @@ include Config VER = 1.25 -DATVER = 07012017 +DATVER = 30062018 THISAPP = Geo-IP-PurePerl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -43,7 +43,7 @@ $(DL_FILE) = $(DL_FROM)/$(DL_FILE) GeoIP.dat-$(DATVER).gz = $(DL_FROM)/GeoIP.dat-$(DATVER).gz $(DL_FILE)_MD5 = a47a1b71f7cd7c46cca9efcc448e0726 -GeoIP.dat-$(DATVER).gz_MD5 = fac676d18785585568312f30b7851657 +GeoIP.dat-$(DATVER).gz_MD5 = d538e57ad9268fdc7955c6cf9a37c4a9 install : $(TARGET) -- 2.16.4

1 0

[PATCH] libgcrypt: update to 1.8.3
by Peter Müller 30 Jun '18

30 Jun '18

Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- config/rootfiles/common/libgcrypt | 2 +- lfs/libgcrypt | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/libgcrypt b/config/rootfiles/common/libgcrypt index e67fae932..e46507d46 100644 --- a/config/rootfiles/common/libgcrypt +++ b/config/rootfiles/common/libgcrypt @@ -6,7 +6,7 @@ #usr/lib/libgcrypt.la #usr/lib/libgcrypt.so usr/lib/libgcrypt.so.20 -usr/lib/libgcrypt.so.20.2.2 +usr/lib/libgcrypt.so.20.2.3 #usr/share/aclocal/libgcrypt.m4 #usr/share/info/gcrypt.info #usr/share/man/man1/hmac256.1 diff --git a/lfs/libgcrypt b/lfs/libgcrypt index 3fba2797d..e7c387ceb 100644 --- a/lfs/libgcrypt +++ b/lfs/libgcrypt @@ -24,7 +24,7 @@ include Config -VER = 1.8.2 +VER = 1.8.3 THISAPP = libgcrypt-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = cfb0b5c79eab07686b6898160a407139 +$(DL_FILE)_MD5 = 3139c2402e844985a67fb288a930534d install : $(TARGET) -- 2.16.4

1 0

[PATCH] hide kernel addresses in /proc
by Peter Müller 30 Jun '18

30 Jun '18

Make sure kernel address space is hidden from files somewhere in /proc . This reduces attack surface and partially addresses #11659. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- config/etc/sysctl.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index f3897c3c7..011c4287e 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -42,3 +42,9 @@ net.netfilter.nf_conntrack_acct=1 net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0 + +# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). +kernel.kptr_restrict = 1 + +# Avoid kernel memory address exposures via dmesg. +kernel.dmesg_restrict = 1 -- 2.16.4

1 0

[PATCH 1/2] guardian.cgi: Remove support for owncloud
by Stefan Schantl 27 Jun '18

27 Jun '18

Owncloud as an addon has been dropped for IPFire. As a result of this, we do not need this code anymore. Fixes #11572. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- html/cgi-bin/guardian.cgi | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/html/cgi-bin/guardian.cgi b/html/cgi-bin/guardian.cgi index e15501ef5..6144aca02 100644 --- a/html/cgi-bin/guardian.cgi +++ b/html/cgi-bin/guardian.cgi @@ -52,7 +52,6 @@ my $ignorefile ='/var/ipfire/guardian/guardian.ignore'; # file locations on IPFire systems. my %module_file_locations = ( "HTTPD" => "/var/log/httpd/error_log", - "OWNCLOUD" => "/var/owncloud/data/owncloud.log", "SNORT" => "/var/log/snort/alert", "SSH" => "/var/log/messages", ); @@ -65,11 +64,6 @@ our %mainsettings = (); &General::readhash("${General::swroot}/main/settings", \%mainsettings); &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); -# Pakfire meta file for owncloud. -# (File exists when the addon is installed.) -my $owncloud_meta = "/opt/pakfire/db/installed/meta-owncloud"; - - # File declarations. my $settingsfile = "${General::swroot}/guardian/settings"; my $ignoredfile = "${General::swroot}/guardian/ignored"; @@ -96,11 +90,6 @@ $settings{'GUARDIAN_FIREWALL_ACTION'} = 'DROP'; $settings{'GUARDIAN_LOGFILE'} = '/var/log/guardian/guardian.log'; $settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'} = '3'; -# Default settings for owncloud if installed. -if ( -e "$owncloud_meta") { - $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = 'off'; -} - my $errormessage = ''; &Header::showhttpheaders(); @@ -561,17 +550,7 @@ END <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='on' $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} /> / <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='off' $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} /> off</td> </tr> -END - # Display owncloud checkbox when the addon is installed. - if ( -e "$owncloud_meta" ) { - print"<tr>\n"; - print"<td width='25%' class='base'>$Lang::tr{'guardian block owncloud brute-force'}</td>\n"; - print"<td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='on' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} /> /\n"; - print"<input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='off' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} /> off</td>\n"; - print"</tr>\n"; - } - print <<END; <tr> <td colspan='2'><br></td> </tr> -- 2.17.1

1 1

[PATCH] OpenVPN: Clarify fundamental crypto errors but also warnings in WUI
by Erik Kapfer 27 Jun '18

27 Jun '18

Since OpenVPN-2.4.x, a lot of changes has been introduced. This patch should help the users for better understanding of errors in the cryptography. It includes also potential warnings for upcoming changes and needed adjustments in the system. This can also be extended in the future for upcoming configuration changes. Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org> --- html/cgi-bin/ovpnmain.cgi | 53 ++++++++++++++++++++++++++++++++++++++++++++++- langs/de/cgi-bin/de.pl | 5 +++++ langs/en/cgi-bin/en.pl | 5 +++++ 3 files changed, 62 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 4bc3473..c9d36d7 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -64,6 +64,8 @@ my %cahash=(); my %selected=(); my $warnmessage = ''; my $errormessage = ''; +my $cryptoerror = ''; +my $cryptowarning = ''; my %settings=(); my $routes_push_file = ''; my $confighost="${General::swroot}/fwhosts/customhosts"; @@ -1069,7 +1071,42 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General close(CLIENTCONF); } - + +### +### Check for cryptography problems +### + +# Warning if DH parameter is 1024 bit +if (-f "${General::swroot}/ovpn/ca/dh1024.pem") { + my $dhlenght = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; + if ($dhlenght =~ /1024 bit/) { + $cryptoerror = "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } +} + +# Warning if md5 is in usage +if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($signature =~ /md5WithRSAEncryption/) { + $cryptoerror = "$Lang::tr{'ovpn error md5'}"; + goto CRYPTO_ERROR; + } +} + +CRYPTO_ERROR: + +# Warning if certificate is not compliant to RFC3280 TLS rules +if (-f "${General::swroot}/ovpn/openssl/ovpn.cnf") { + my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($extendkeyusage =~ /TLS Web Server Authentication/) { + $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}"; + goto CRYPTO_WARNING; + } +} + +CRYPTO_WARNING: + ### ### Save main settings ### @@ -5135,6 +5172,20 @@ END &Header::closebox(); } + if ($cryptoerror) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'}); + print "<class name='base'>$cryptoerror"; + print " </class>"; + &Header::closebox(); + } + + if ($cryptowarning) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'}); + print "<class name='base'>$cryptowarning"; + print " </class>"; + &Header::closebox(); + } + if ($warnmessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); print "$warnmessage<br>"; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 630d9b2..e1e9c97 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -661,6 +661,8 @@ 'credits' => 'Credits', 'crl' => 'Certificate Revocation List', 'cron server' => 'Cron-Server', +'crypto error' => 'Kryptografiefehler', +'crypto warning' => 'Kryptografiewarnungen', 'current' => 'Aktuell', 'current aliases' => 'Aktuelle Alias-Adresse', 'current class' => 'Aktuelle Klasse', @@ -1817,6 +1819,8 @@ 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', +'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>', +'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', 'ovpn ha' => 'Hash-Algorithmus', 'ovpn hmac' => 'HMAC-Optionen', @@ -1841,6 +1845,7 @@ 'ovpn subnet' => 'OpenVPN-Subnetz:', 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', +'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', 'ovpn_mssfix' => 'MSSFIX-Grösse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 8ec5bf4..d3847c9 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -682,6 +682,8 @@ 'credits' => 'Credits', 'crl' => 'Certificate Revocation List', 'cron server' => 'CRON Server', +'crypto error' => 'Cryptographic error', +'crypto warning' => 'Cryptographic warning', 'current' => 'Current', 'current aliases' => 'Current aliases', 'current class' => 'Current class', @@ -1850,6 +1852,8 @@ 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', +'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>', +'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.', 'ovpn ha' => 'Hash algorithm', 'ovpn hmac' => 'HMAC options', @@ -1874,6 +1878,7 @@ 'ovpn subnet' => 'OpenVPN subnet:', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', +'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size', 'ovpn_mtudisc' => 'MTU-Discovery', -- 2.7.4

1 1

[PATCH] unbound: Update to 1.7.3
by Matthias Fischer 25 Jun '18

25 Jun '18

For details see: http://www.unbound.net/download.html Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/common/unbound | 2 +- lfs/unbound | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index af089054c..f3172f028 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound @@ -11,7 +11,7 @@ etc/unbound/unbound.conf #usr/lib/libunbound.la #usr/lib/libunbound.so usr/lib/libunbound.so.2 -usr/lib/libunbound.so.2.5.10 +usr/lib/libunbound.so.2.5.11 #usr/lib/pkgconfig/libunbound.pc usr/sbin/unbound usr/sbin/unbound-anchor diff --git a/lfs/unbound b/lfs/unbound index 4adc1a00c..b4c1b02f3 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -24,7 +24,7 @@ include Config -VER = 1.7.2 +VER = 1.7.3 THISAPP = unbound-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 1f4fd7e5032a9c5658cbde2c83f5f3be +$(DL_FILE)_MD5 = ea45068fb27ef358f581227b99645525 install : $(TARGET) -- 2.18.0

1 0

[PATCH] OpenVPN: Update to version 2.4.6
by Erik Kapfer 21 Jun '18

21 Jun '18

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org> --- lfs/openvpn | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/openvpn b/lfs/openvpn index 5bd9da7..819ff05 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -24,7 +24,7 @@ include Config -VER = 2.4.5 +VER = 2.4.6 THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = c510ad3c8fce738c678dbcc54367c945 +$(DL_FILE)_MD5 = 3a1f3f63bdaede443b4df49957df9405 install : $(TARGET) -- 2.7.4

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development June 2018