Hello Adolf,
On 31 May 2023, at 16:07, Adolf Belka adolf.belka@ipfire.org wrote:
Hi All,
I have a blocking bug.
I took a long time to consider this, but came to the conclusion that this is probably not a blocking bug, as there is a workaround available.
It is bad nonetheless. Thank you for finding this!
On 29/05/2023 23:34, Adolf Belka wrote:
On 26/05/2023 16:28, Michael Tremer wrote:
Thank you very much for letting me know. I wasn’t aware at all.
I reverted those changes in next and if the build goes through I will merge the branch back into master again.
Just as a reminder, the reversion changes went through on next but are not yet reverted in master. This needs to be done before CU175 is released, otherwise n2n connections will fail to work properly.
The reversions have been applied to master (Core Update 175) and I did an update, but have found that the n2n connection, on the end that had the client upload, has stopped working. This is definitely not because of bug#11048, as all of that has been reverted (confirmed by looking at the ovpnmain.cgi file).
I have realised that what is happening is the same as for the insecure roadwarrior certificate that was created with openssl-1.1.1x and would not work with openssl-3.x. I fixed that with the addition of the legacy option into the openssl command for that client package download.
The same thing is happening with the n2n connection. I will find the command that accesses the .p12 file in the zip package and add the legacy option to that. Presuming it works, I will raise and submit a patch to fix it.
I understand this as that any server connection that has been created on <=174 cannot be imported on 175. The other way around would work.
I suppose we can ask people to update all peers in that VPN to be up to date, which resolves this problem for that case. However, since connections might have been created in the past and be (re-)imported, we will still need to fix this problem for good.
Instead of searching for all places where we call “openssl” and add the -legacy switch, we should generally enable this in OpenSSL’s configuration file, so that we won’t forget any places. As far as I can see this only affects any PKCS12 files, which means that IPsec is not affected. Is that a correct assumption?
I will also raise a bug for it and assign myself to it.
Please copy me in the bug report.
Best, -Michael
Regards,
Adolf.
Regards, Adolf.
-Michael
On 26 May 2023, at 14:33, Adolf Belka adolf.belka@ipfire.org wrote:
Hi,
On 24/05/2023 11:02, Michael Tremer wrote:
Hello,
On 24 May 2023, at 09:47, Adolf Belka adolf.belka@ipfire.org wrote:
Hi Michael,
On 24/05/2023 10:07, Michael Tremer wrote:
> It looks like we might not want to release the forthcoming Core Update before this.
>
> I did not hear any rumours about what might be the issue, but I would say that it wouldn’t hurt us to wait.
>
> What other outstanding issues do we have that are currently blocking the update?
>
The fix for Bug#13117 has been merged into master so that is no longer blocking.
As mentioned to Peter, I recommend reverting my fix for Bug#11048 as some issues were found by myself (missed in my own testing) plus from other testers reporting in the forum. I am making progress on this but there are still some bits outstanding. The bug has been around for a long time so it won't hurt for it to wait till Core Update 176.
Okay. Let’s rather have the right fix than a quick one. I agree!
The reversion of the update.sh script was done two days ago but there are 4 other commits for the same bug fix that also need to be reverted.
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=762c88ec4d85e3a4f7265b88...
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=82822934ba769bca4235cd2a...
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=070abb0d011ff71e5aefd170...
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=18bece0edbd817933f48fdbf...
just to make sure that those don't get missed.
Regards, Adolf.
I haven't found anything else that was a problem and I haven't seen any other issues mentioned in the forum that look to be caused by CU175.
That sounds good then!
Regards, Adolf.
> -Michael
>
>> Begin forwarded message:
>>
>> From: Tomas Mraz tomas@openssl.org
>> Subject: Forthcoming OpenSSL Releases
>> Date: 24 May 2023 at 05:06:12 BST
>> To: "openssl-project@openssl.org" openssl-project@openssl.org, "openssl-users@openssl.org" openssl-users@openssl.org, openssl-announce@openssl.org
>> Reply-To: openssl-users@openssl.org
>>
>> The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.9, 1.1.1u and 1.0.2zh. Note that OpenSSL 1.0.2 is End Of Life and so 1.0.2zh will be available to premium support customers only.
>>
>> These releases will be made available on Tuesday 30th May 2023 between 1300-1700 UTC.
>>
>> These are security-fix releases. The highest severity issue fixed in each of these three releases is Moderate:
>>
>> https://www.openssl.org/policies/secpolicy.html
>>
>> Yours
>> The OpenSSL Project Team
>>
>
-- Sent from my laptop
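As an added illustration of the configuration-file route Michael proposes (written for this note, not IPFire's own openssl.cnf): an OpenSSL 3 configuration that activates the legacy provider for every libcrypto user, so PKCS12 archives written by OpenSSL 1.1.1 (certificates encrypted with PBE-SHA1-RC2-40, keys with PBE-SHA1-3DES) can be read without adding -legacy to each command. The file path and the legacy.so location are assumptions.

```ini
# Added example: OpenSSL 3 configuration (assumed path /etc/ssl/openssl.cnf)
# that loads the legacy provider globally, so "openssl pkcs12" and any
# program linked against libcrypto can still parse PKCS12 files created
# by OpenSSL 1.1.1 with its default RC2-40 / 3DES password-based encryption.

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Once any provider is listed here, the default provider is no longer
# loaded implicitly: activate it explicitly, or every modern algorithm
# (AES, SHA-2, RSA, ...) disappears along with the legacy ones.
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
# Only needed if legacy.so is outside the module search path shown by
# "openssl version -m"; the path below is an assumption for this example.
# module = /usr/lib/ossl-modules/legacy.so
```

Confirm both providers are loaded with `openssl list -providers`; a 1.1.1-era archive should then open with `openssl pkcs12 -info -in client.p12 -nokeys` without the unsupported-algorithm error. This re-enables RC2, DES and the other legacy algorithms for every caller on the system, which is wider in scope than the per-command -legacy switch already used for the roadwarrior package download.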