The changes introduced due to #12091 caused IPsec ESP to be invalid if PFS ciphers were selected. Code has to read "!$pfs" instead of just "$pfs", as it should trigger for ciphers _without_ Perfect Forward Secrecy.
Fixes #12099
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Cc: Michael Tremer michael.tremer@ipfire.org
---
html/cgi-bin/vpnmain.cgi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index fbc274919..750b69b1d 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -3338,7 +3338,7 @@ sub make_algos($$$$$) { push(@algo, $int); }
- if ($pfs || $grp eq "none") { + if (!$pfs || $grp eq "none") { # noop } elsif ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1");
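Review bot: the empty `# noop` branch on the changed line in make_algos hides the intent of the test, which is how the inverted `$pfs` check went unnoticed in the first place. Consider stating the condition positively, so that the `elsif ($grp =~ m/^e(.*)$/)` handling and its siblings sit under something like `if ($pfs && $grp ne "none")`, or at least replace `# noop` with a comment saying that no group is appended when PFS is off or the group is "none". A short comment above the condition explaining what `$pfs` means here would also help the next reader, since the commit message is the only place that currently says the branch is meant for ciphers without Perfect Forward Secrecy.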
Oops. Yes.
Weirdly, someone confirmed that this patch works for them…
On 17 Jun 2019, at 15:08, Peter Müller peter.mueller@ipfire.org wrote:
The changes introduced due to #12091 caused IPsec ESP to be invalid if PFS ciphers were selected. Code has to read "!$pfs" instead of just "$pfs", as it should trigger for ciphers _without_ Perfect Forward Secrecy.
Fixes #12099
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Cc: Michael Tremer michael.tremer@ipfire.org
html/cgi-bin/vpnmain.cgi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index fbc274919..750b69b1d 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -3338,7 +3338,7 @@ sub make_algos($$$$$) { push(@algo, $int); }
if ($pfs || $grp eq "none") {
if (!$pfs || $grp eq "none") { # noop } elsif ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1");
-- 2.16.4
Hello Michael,
could you merge the change into "next", too?
So it won't be overwritten with the next Core Update...
Thanks, and best regards, Peter Müller
Oops. Yes.
Weirdly, someone confirmed that this patch works for them…
On 17 Jun 2019, at 15:08, Peter Müller peter.mueller@ipfire.org wrote:
The changes introduced due to #12091 caused IPsec ESP to be invalid if PFS ciphers were selected. Code has to read "!$pfs" instead of just "$pfs", as it should trigger for ciphers _without_ Perfect Forward Secrecy.
Fixes #12099
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Cc: Michael Tremer michael.tremer@ipfire.org
html/cgi-bin/vpnmain.cgi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index fbc274919..750b69b1d 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -3338,7 +3338,7 @@ sub make_algos($$$$$) { push(@algo, $int); }
if ($pfs || $grp eq "none") {
if (!$pfs || $grp eq "none") { # noop } elsif ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1");
-- 2.16.4