This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
  via e044bc2422216610680bf3656d732dcc840de9d1 (commit)
  via bc6227963efe10575cdb7aadfc807bd3bd968e9d (commit)
  via 35494eac83dda575ec4e9998f8295809bf9a280d (commit)
  via c899c04b11709fee4f38e9d13449b0e53527d907 (commit)
  via e87bc0b45638767d301ad706f5164ee2b64f5103 (commit)
  via 8a0be2033f8d932b1687df1b6515bfb72230acf2 (commit)
  via ad7300839381a67872a1ce15f2e7d72540aa6c9c (commit)
  via 39d6705063c1e00d946bfd1c9949666b3393527e (commit)
  via c8274d4cfa2a23ba1a4e856edd313c1215b9065b (commit)
  via eae0cb549aaafbf34f61c3b1778c99ca0dd4ad77 (commit)
  via 362c5537afd468e479275dc4ced9363c50d25be2 (commit)
  via 3135e76ea193eb75c4b9b4315634ec418a23238f (commit)
  from a26967c4b7c659a2fb134d4ddb9d120d3fcd3f16 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit e044bc2422216610680bf3656d732dcc840de9d1
Author: Peter Müller peter.mueller@ipfire.org
Date: Fri Nov 11 12:15:37 2022 +0000
Core Update 172: Ship and apply OpenVPN Diffie-Hellman changes
Inspired by https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=2ccc799f....
Cc: Erik Kapfer erik.kapfer@ipfire.org
Signed-off-by: Peter Müller peter.mueller@ipfire.org

commit bc6227963efe10575cdb7aadfc807bd3bd968e9d
Author: Peter Müller peter.mueller@ipfire.org
Date: Fri Nov 11 12:15:03 2022 +0000
OpenSSL: Add ffdhe4096 Diffie-Hellman parameter
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 35494eac83dda575ec4e9998f8295809bf9a280d
Author: Peter Müller peter.mueller@ipfire.org
Date: Fri Nov 11 12:14:37 2022 +0000
OpenVPN: Replace existing Diffie-Hellman parameter with ffdhe4096
Initial patch: https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=2ccc799f...
Minor adjustments to make it apply to the current state of "next", and removal of chown operation in OpenSSL's LFS file, which would have led to the Diffie-Hellman group file being writable by nobody, for which there is no necessity.

Fixes: #12632
From: Erik Kapfer erik.kapfer@ipfire.org
Signed-off-by: Peter Müller peter.mueller@ipfire.org

commit c899c04b11709fee4f38e9d13449b0e53527d907
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Mon Nov 7 18:54:14 2022 +0100
clamav 0.105.1: New package to resolve several CVEs
For details see: https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html
Fixes:
"CVE-2022-37434 - A critical severity vulnerability in the zlib library.
CVE-2022-40303 - A high severity vulnerability in the libxml2 library. Note: As of writing, the details of this CVE are not published. However, you can find additional details on other sites.
CVE-2022-40304 - A high severity vulnerability in the libxml2 library. Note: As of writing, the details of this CVE are not published. However, you can find additional details on other sites."
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
commit e87bc0b45638767d301ad706f5164ee2b64f5103
Author: Peter Müller peter.mueller@ipfire.org
Date: Tue Nov 8 14:42:46 2022 +0000
Postfix: Update to 3.7.3
This is an urgent bugfix release, see https://www.postfix.org/announcements/postfix-3.7.3.html for its announcement.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 8a0be2033f8d932b1687df1b6515bfb72230acf2
Author: Peter Müller peter.mueller@ipfire.org
Date: Thu Nov 10 19:31:33 2022 +0000
Tor: Disable SOCKS port if unused
Fixes: #11780
Signed-off-by: Peter Müller peter.mueller@ipfire.org

commit ad7300839381a67872a1ce15f2e7d72540aa6c9c
Author: Arne Fitzenreiter arne_f@ipfire.org
Date: Thu Oct 27 10:26:39 2022 +0200
memtest: update to memtest86+ v6.00
This is now a 64bit version that can also boot via efi.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 39d6705063c1e00d946bfd1c9949666b3393527e
Author: Peter Müller peter.mueller@ipfire.org
Date: Fri Nov 18 13:38:29 2022 +0000
Core Update 172: Fix menu.d file permissions
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit c8274d4cfa2a23ba1a4e856edd313c1215b9065b
Author: Peter Müller peter.mueller@ipfire.org
Date: Fri Nov 18 13:37:51 2022 +0000
configroot: menu.d files do not have to be writable by "nobody"
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit eae0cb549aaafbf34f61c3b1778c99ca0dd4ad77
Author: Peter Müller peter.mueller@ipfire.org
Date: Fri Nov 18 13:35:17 2022 +0000
Core Update 172: Fix permissions of some library files
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 362c5537afd468e479275dc4ced9363c50d25be2
Author: Peter Müller peter.mueller@ipfire.org
Date: Fri Nov 18 13:33:45 2022 +0000
Ensure /var/ipfire/updatexlrator/updxlrator-lib.pl is not writable by "nobody"
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 3135e76ea193eb75c4b9b4315634ec418a23238f
Author: Peter Müller peter.mueller@ipfire.org
Date: Fri Nov 18 13:29:10 2022 +0000
configroot: Ensure connscheduler/lib.pl is not writable by "nobody"
Signed-off-by: Peter Müller peter.mueller@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/cdrom/grub.cfg                     |   6 +
 config/cfgroot/connscheduler-lib.pl       |  24 +++-
 config/rootfiles/common/memtest           |   2 +-
 config/rootfiles/common/openssl           |   1 +
 config/rootfiles/core/172/filelists/files |   3 +
 config/rootfiles/core/172/update.sh       |  21 +++-
 config/ssl/ffdhe4096.pem                  |  13 +++
 config/updxlrator/updxlrator-lib.pl       |  31 +++--
 html/cgi-bin/ovpnmain.cgi                 | 185 ++----------------------------
 html/cgi-bin/tor.cgi                      |   6 +-
 langs/de/cgi-bin/de.pl                    |  16 ---
 langs/en/cgi-bin/en.pl                    |  17 ---
 langs/fr/cgi-bin/fr.pl                    |  17 ---
 langs/it/cgi-bin/it.pl                    |  16 ---
 langs/tr/cgi-bin/tr.pl                    |  16 ---
 lfs/cdrom                                 |   2 +-
 lfs/clamav                                |   7 +-
 lfs/configroot                            |   2 +-
 lfs/memtest                               |  14 +--
 lfs/openssl                               |   3 +
 lfs/postfix                               |   6 +-
 lfs/squid                                 |   1 +
 22 files changed, 112 insertions(+), 297 deletions(-)
 create mode 100644 config/ssl/ffdhe4096.pem
Difference in files: diff --git a/config/cdrom/grub.cfg b/config/cdrom/grub.cfg index 421c0e662..50a7c2488 100644 --- a/config/cdrom/grub.cfg +++ b/config/cdrom/grub.cfg @@ -32,3 +32,9 @@ submenu 'Other Installation Options -->' { initrd /boot/isolinux/instroot } } + +submenu 'Tools -->' { + menuentry 'memtest86+' { + linux /boot/isolinux/memtest + } +} diff --git a/config/cfgroot/connscheduler-lib.pl b/config/cfgroot/connscheduler-lib.pl index f9e4e5466..0ff8e8b84 100644 --- a/config/cfgroot/connscheduler-lib.pl +++ b/config/cfgroot/connscheduler-lib.pl @@ -1,9 +1,23 @@ #!/usr/bin/perl -# -# Library file for Connection Scheduler AddOn -# -# This code is distributed under the terms of the GPL -# +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +###############################################################################
package CONNSCHED;
diff --git a/config/rootfiles/common/memtest b/config/rootfiles/common/memtest index 1804dfa94..7978436fd 100644 --- a/config/rootfiles/common/memtest +++ b/config/rootfiles/common/memtest @@ -1,2 +1,2 @@ #usr/lib/memtest86+ -#usr/lib/memtest86+/memtest.bin +#usr/lib/memtest86+/memtest.efi diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index bb7e6f65c..ae9716eea 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -2,6 +2,7 @@ #etc/ssl/certs #etc/ssl/ct_log_list.cnf #etc/ssl/ct_log_list.cnf.dist +etc/ssl/ffdhe4096.pem #etc/ssl/misc #etc/ssl/misc/CA.pl #etc/ssl/misc/tsget diff --git a/config/rootfiles/core/172/filelists/files b/config/rootfiles/core/172/filelists/files index d73430dae..d3f270c79 100644 --- a/config/rootfiles/core/172/filelists/files +++ b/config/rootfiles/core/172/filelists/files @@ -1,3 +1,4 @@ +etc/ssl/ffdhe4096.pem usr/lib/firewall/rules.pl usr/local/bin/addonctrl usr/local/bin/openvpnctrl @@ -6,3 +7,5 @@ srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/services.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi var/ipfire/backup/bin/backup.pl +var/ipfire/connscheduler/lib.pl +var/ipfire/updatexlrator/updxlrator-lib.pl diff --git a/config/rootfiles/core/172/update.sh b/config/rootfiles/core/172/update.sh index f3c77fbfb..d1137b81c 100644 --- a/config/rootfiles/core/172/update.sh +++ b/config/rootfiles/core/172/update.sh @@ -33,6 +33,8 @@ done
# Stop services /etc/rc.d/init.d/ipsec stop +/usr/local/bin/openvpnctrl -k +/usr/local/bin/openvpnctrl -kn2n /etc/rc.d/init.d/sshd stop /etc/rc.d/init.d/unbound stop
@@ -70,7 +72,8 @@ rm -rvf \ /usr/lib/python3.10/site-packages/setuptools/_vendor/pyparsing.py \ /usr/lib/python3.10/site-packages/setuptools/config.py \ /usr/lib/python3.10/site-packages/setuptools_rust/utils.py \ - /usr/libexec/ipsec/scepclient + /usr/libexec/ipsec/scepclient \ + /var/ipfire/ca/dh1024.pem
# Remove powertop add-on, if installed if [ -e "/opt/pakfire/db/installed/meta-powertop" ]; then @@ -98,11 +101,27 @@ ldconfig # Apply local configuration to sshd_config /usr/local/bin/sshctrl
+# Correct permissions of some library files +chown -Rv root:root /var/ipfire/connscheduler/lib.pl /var/ipfire/updatexlrator/updxlrator-lib.pl /var/ipfire/menu.d/* + +# Replace existing OpenVPN Diffie-Hellman parameter by ffdhe4096, as specified in RFC 7919 +if [ -f /var/ipfire/ovpn/server.conf ]; then + sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/server.conf +fi + +if [ -f "/var/ipfire/ovpn/n2nconf/*/*.conf" ]; then + sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/n2nconf/*/*.conf +fi + # Start services /etc/init.d/unbound start if grep -q "ENABLE_SSH=on" /var/ipfire/remote/settings; then /etc/init.d/sshd start fi +if grep -q "ENABLED=on" /var/ipfire/ovpn/settings; then + /usr/local/bin/openvpnctrl -s + /usr/local/bin/openvpnctrl -sn2n +fi if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then /etc/init.d/ipsec start fi diff --git a/config/ssl/ffdhe4096.pem b/config/ssl/ffdhe4096.pem new file mode 100644 index 000000000..3cf0fcbc0 --- /dev/null +++ b/config/ssl/ffdhe4096.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e +8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx +iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K +zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= +-----END DH PARAMETERS----- diff --git a/config/updxlrator/updxlrator-lib.pl b/config/updxlrator/updxlrator-lib.pl index f66d998d6..9fbf462cc 100644 
--- a/config/updxlrator/updxlrator-lib.pl +++ b/config/updxlrator/updxlrator-lib.pl @@ -1,16 +1,23 @@ #!/usr/bin/perl -# -# This code is distributed under the terms of the GPL -# -# (c) 2006-2008 marco.s - http://update-accelerator.advproxy.net -# -# Portions (c) 2008 by dotzball - http://www.blockouttraffic.de -# -# dotzball 2008-05-27: -# move functions from all local files to one library file -# -# $Id: updxlrator-lib.pl,v 1.1 2008/11/29 00:00:00 marco.s Exp $ -# +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +###############################################################################
package UPDXLT;
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index f85d610d8..dc429d90c 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -78,6 +78,7 @@ my $name; my $col=""; my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local"; my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local"; +my $dhparameter = "/etc/ssl/ffdhe4096.pem";
&General::readhash("${General::swroot}/ethernet/settings", %netsettings); $cgiparams{'ENABLED'} = 'off'; @@ -89,8 +90,6 @@ $cgiparams{'COMPRESSION'} = 'off'; $cgiparams{'ONLY_PROPOSED'} = 'off'; $cgiparams{'ACTION'} = ''; $cgiparams{'CA_NAME'} = ''; -$cgiparams{'DH_NAME'} = 'dh1024.pem'; -$cgiparams{'DHLENGHT'} = ''; $cgiparams{'DHCP_DOMAIN'} = ''; $cgiparams{'DHCP_DNS'} = ''; $cgiparams{'DHCP_WINS'} = ''; @@ -221,28 +220,6 @@ sub deletebackupcert
sub pkiconfigcheck { - # Warning if DH parameter is 1024 bit - if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); - my $dhbit; - - # Loop through the output and search for the DH bit lenght. - foreach my $line (@dhparameter) { - if ($line =~ (/(\d+)/)) { - # Assign match to dhbit value. - $dhbit = $1; - - last; - } - } - - # Check if the used key lenght is at least 2048 bit. - if ($dhbit < 2048) { - $cryptoerror = "$Lang::tr{'ovpn error dh'}"; - goto CRYPTO_ERROR; - } - } - # Warning if md5 is in usage if (-f "${General::swroot}/ovpn/certs/servercert.pem") { my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); @@ -290,7 +267,7 @@ sub writeserverconf { print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; - print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; + print CONF "dh $dhparameter\n"; my @tempovpnsubnet = split("/",$sovpnsettings{'DOVPN_SUBNET'}); print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push "route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}"\n"; @@ -1358,102 +1335,6 @@ END exit (0);
### -### Generate DH key step 2 -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') { - # Delete if old key exists - if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; - } - # Create Diffie Hellmann Parameter - # The system call is safe, because all arguments are passed as an array. - system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); - } - -### -### Generate DH key step 1 -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ovpn'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:"); - print <<END; - <table width='100%'> - <tr> - <td width='20%'> </td> <td width='15%'></td> <td width='65%'></td> - </tr> - <tr> - <td class='base'>$Lang::tr{'ovpn dh'}:</td> - <td align='center'> - <form method='post'><input type='hidden' name='AREUSURE' value='yes' /> - <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> - <select name='DHLENGHT'> - <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option> - <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option> - <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option> - </select> - </td> - </tr> - <tr><td colspan='4'><br></td></tr> - </table> - <table width='100%'> - <tr> - <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'dh key warn'} - </tr> - <tr> - <td class='base'>$Lang::tr{'dh key warn1'}</td> - </tr> - <tr><td colspan='2'><br></td></tr> - <tr> - <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td> - </form> - 
</tr> - </table> - -END - ; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit (0); - -### -### Upload DH key -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) { - unless (ref ($cgiparams{'FH'})) { - $errormessage = $Lang::tr{'there was no file upload'}; - goto UPLOADCA_ERROR; - } - # Move uploaded dh key to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto UPLOADCA_ERROR; - } - my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename"); - if ( ! grep(/DH Parameters: ((2048|3072|4096) bit)/, @temp)) { - $errormessage = $Lang::tr{'not a valid dh key'}; - unlink ($filename); - goto UPLOADCA_ERROR; - } else { - # Delete if old key exists - if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; - } - - unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}")) { - $errormessage = "$Lang::tr{'dh key move failed'}: $!"; - unlink ($filename); - goto UPLOADCA_ERROR; - } - } -### ### Upload CA Certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) { 
@@ -2028,21 +1909,6 @@ END &cleanssldatabase(); goto ROOTCERT_ERROR; } - # Create Diffie Hellmann Parameter - # The system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); - unlink ("${General::swroot}/ovpn/certs/servercert.pem"); - unlink ("${General::swroot}/ovpn/ca/cacert.pem"); - unlink ("${General::swroot}/ovpn/crls/cacrl.pem"); - unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); - &cleanssldatabase(); - goto ROOTCERT_ERROR; -# } else { -# &cleanssldatabase(); - } goto ROOTCERT_SUCCESS; } ROOTCERT_ERROR: @@ -2092,14 +1958,6 @@ END } print <<END; </select></td> - <tr><td class='base'>$Lang::tr{'ovpn dh'}:</td> - <td class='base'><select name='DHLENGHT'> - <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option> - <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option> - <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option> - </select> - </td> - </tr>
<tr><td> </td> <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td> @@ -2107,16 +1965,6 @@ END <tr><td class='base' colspan='4' align='left'> <img src='/blob.gif' valign='top' alt='*' /> $Lang::tr{'required field'}</td></tr> <tr><td colspan='2'><br></td></tr> - <table width='100%'> - <tr> - <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'ovpn generating the root and host certificates'} - <td class='base'>$Lang::tr{'dh key warn'}</td> - </tr> - <tr> - <td class='base'>$Lang::tr{'dh key warn1'}</td> - </tr> - <tr><td colspan='2'><br></td></tr> - <tr> </table>
<table width='100%'> @@ -2681,14 +2529,14 @@ END ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) {
- if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") { + if (! -e "$dhparameter") { $errormessage = $Lang::tr{'not present'}; } else { &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:"); - my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem"); + my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter"); my $output = &Header::cleanhtml(join("", @output) ,"y"); print "<pre>$output</pre>\n"; &Header::closebox(); @@ -5447,7 +5295,7 @@ END print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />"; if (( -e "${General::swroot}/ovpn/ca/cacert.pem" && - -e "${General::swroot}/ovpn/ca/dh1024.pem" && + -e "$dhparameter" && -e "${General::swroot}/ovpn/certs/servercert.pem" && -e "${General::swroot}/ovpn/certs/serverkey.pem") && (( $cgiparams{'ENABLED'} eq 'on') || @@ -5838,8 +5686,8 @@ END }
# Adding DH parameter to chart - if (-f "${General::swroot}/ovpn/ca/dh1024.pem") { - my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem"); + if (-f "$dhparameter") { + my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter"); my $dhsubject;
foreach my $line (@dhsubject) { @@ -5996,25 +5844,6 @@ END <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td> </tr> </table> - - <br> - - <table border='0' width='100%'> - <tr> - <td colspan='4'><b>$Lang::tr{'ovpn dh parameters'}</b></td> - </tr> - - <tr> - <td width='40%'>$Lang::tr{'ovpn dh upload'}:</td> - <td width='30%'><input type='file' name='FH' size='25'> - <td width='30%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload dh key'}'></td> - </tr> - - <tr> - <td width='40%'>$Lang::tr{'ovpn dh new key'}:</td> - <td colspan='2' width='60%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td> - </tr> - </table> </form>
<br><hr> diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index 539a74343..96be35102 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -796,7 +796,9 @@ sub BuildConfiguration() { if ($strict_nodes > 0) { print FILE "StrictNodes 1\n"; } - } + } else { + print FILE "SocksPort 0\n"; + }
if ($settings{'TOR_RELAY_ENABLED'} eq 'on') { # Reject access to private networks. diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 110e4ccba..abfba5d5e 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -760,11 +760,6 @@ 'details' => 'Mehr', 'device' => 'Gerät', 'devices on blue' => 'Geräte auf BLAU', -'dh' => 'Diffie-Hellman-Parameter', -'dh key move failed' => 'Verschieben der Diffie-Hellman-Parameter fehlgeschlagen.', -'dh key warn' => 'Das Erzeugen eines Diffie-Hellman-Parameters mit 2048 Bit dauert üblicherweise einige Minuten. Parameter von 3072 oder 4096 Bit Länge beanspruchen gegebenenfalls mehrere Stunden. Bitte haben Sie etwas Geduld.', -'dh key warn1' => 'Bei schwachen Systemen oder Systeme mit wenig Entropie wird empfohlen, lange Diffie-Hellman-Parameter über die Upload-Funktion hochzuladen.', -'dh parameter' => 'Diffie-Hellman-Parameter', 'dhcp advopt add' => 'DHCP Option hinzufügen', 'dhcp advopt added' => 'DHCP Option hinzugefügt', 'dhcp advopt blank value' => 'Wert für DHCP Option darf nicht leer sein', @@ -898,7 +893,6 @@ 'download' => 'herunterladen', 'download ca certificate' => 'CA-Zertifikat herunterladen', 'download certificate' => 'Datei herunterladen', -'download dh parameter' => 'Diffie-Hellman-Parameter herunterladen', 'download host certificate' => 'Host-Zertifikat herunterladen', 'download new ruleset' => 'Neuen Regelsatz herunterladen', 'download pkcs12 file' => 'PKCS12-Datei herunterladen', 
@@ -1313,11 +1307,9 @@ 'fwhost wo subnet' => '(Ohne Subnetz)', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', -'gen dh' => 'Neuen Diffie-Hellman-Parameter erzeugen', 'gen static key' => 'Statischen Schlüssel erzeugen', 'generate' => 'Root/Host-Zertifikate generieren', 'generate a certificate' => 'Erzeuge ein Zertifikat:', -'generate dh key' => 'Diffie-Hellman Key generieren', 'generate iso' => 'ISO erstellen', 'generate ptr' => 'PTR erzeugen', 'generate root/host certificates' => 'Erzeuge Root/Host-Zertifikate', @@ -1860,7 +1852,6 @@ 'nonetworkname' => 'Kein Netzwerkname wurde eingegeben', 'noservicename' => 'Kein Dienstname wurde eingegeben', 'not a valid ca certificate' => 'Kein gültiges CA Zertifikat.', -'not a valid dh key' => 'Kein gültiger Diffie-Hellman-Parameter. Es sind nur Parameter mit einer Länge von 2048, 3072 oder 4096 Bit im PKCS#3-Format erlaubt.', 'not affected' => 'Nicht betroffen', 'not enough disk space' => 'Nicht genügend Plattenplatz vorhanden', 'not present' => '<B>Nicht</B> vorhanden', 
@@ -1961,15 +1952,10 @@ 'ovpn connection name' => 'Verbindungs-Name', 'ovpn crypt options' => 'Kryptografieoptionen', 'ovpn device' => 'OpenVPN-Gerät', -'ovpn dh' => 'Diffie-Hellman-Parameter-Länge', -'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen', -'ovpn dh parameters' => 'Diffie-Hellman-Parameter Optionen', -'ovpn dh upload' => 'Neuen Diffie-Hellman-Parameter hochladen', 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', -'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>', 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', 'ovpn ha' => 'Hash-Algorithmus', @@ -2270,7 +2256,6 @@ 'show ca certificate' => 'CA Zertifikat anzeigen', 'show certificate' => 'Datei anzeigen', 'show crl' => 'Certificate Revocation List anzeigen', -'show dh' => 'Diffie-Hellman-Parameter anzeigen', 'show host certificate' => 'Host-Zertifikat anzeigen', 'show last x lines' => 'die letzten x Zeilen anzeigen', 'show otp qrcode' => 'Zeige OTP QRCode', 
@@ -2645,7 +2630,6 @@ 'upload a certificate' => 'Ein Zertifikat hochladen:', 'upload a certificate request' => 'Eine Zertifikatsanfrage hochladen:', 'upload ca certificate' => 'CA-Zertifikat hochladen', -'upload dh key' => 'Diffie-Hellman-Parameter hochladen', 'upload file' => 'Datei zum Hochladen', 'upload new ruleset' => 'Neuen Regelsatz hochladen', 'upload p12 file' => 'PKCS12-Datei hochladen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 004c64b6a..bf18b22a2 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -794,12 +794,6 @@ 'details' => 'Details', 'device' => 'Device', 'devices on blue' => 'Devices on BLUE', -'dh' => 'Diffie-Hellman parameters', -'dh key move failed' => 'Diffie-Hellman parameters move failed.', -'dh key warn' => 'Creating DH-parameters with a length of 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.', -'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.', -'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".', -'dh parameter' => 'Diffie-Hellman parameters', 'dhcp advopt add' => 'Add a DHCP option', 'dhcp advopt added' => 'DHCP option added', 'dhcp advopt blank value' => 'DHCP Option value cannot be empty.', @@ -939,7 +933,6 @@ 'download apple profile' => 'Download Apple Configuration Profile', 'download ca certificate' => 'Download CA certificate', 'download certificate' => 'Download file', -'download dh parameter' => 'Download Diffie-Hellman parameters', 'download host certificate' => 'Download host certificate', 'download new ruleset' => 'Download new ruleset', 'download pkcs12 file' => 'Download PKCS12 file', 
@@ -1358,11 +1351,9 @@ 'g.lite' => 'TO BE REMOVED', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway IP', -'gen dh' => 'Generate new Diffie-Hellman parameters', 'gen static key' => 'Generate a static key', 'generate' => 'Generate root/host zertifikate', 'generate a certificate' => 'Generate a certificate:', -'generate dh key' => 'Generate Diffie-Hellman parameters', 'generate iso' => 'Generate ISO', 'generate ptr' => 'Generate PTR', 'generate root/host certificates' => 'Generate root/host certificates', @@ -1911,7 +1902,6 @@ 'nonetworkname' => 'No Network Name entered', 'noservicename' => 'No Service Name entered', 'not a valid ca certificate' => 'Not a valid CA certificate.', -'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.', 'not affected' => 'Not Affected', 'not enough disk space' => 'Not enough disk space', 'not present' => '<b>Not</b> present', 
@@ -2015,15 +2005,10 @@ 'ovpn connection name' => 'Connection Name', 'ovpn crypt options' => 'Cryptographic options', 'ovpn device' => 'OpenVPN device:', -'ovpn dh' => 'Diffie-Hellman parameters length', -'ovpn dh new key' => 'Generate new Diffie-Hellman parameters', -'ovpn dh parameters' => 'Diffie-Hellman parameters options', -'ovpn dh upload' => 'Upload new Diffie-Hellman parameters', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', -'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>', 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.', 'ovpn ha' => 'Hash algorithm', @@ -2327,7 +2312,6 @@ 'show ca certificate' => 'Show CA certificate', 'show certificate' => 'Show file', 'show crl' => 'Show certificate revocation list', -'show dh' => 'Show Diffie-Hellman parameters', 'show host certificate' => 'Show host certificate', 'show last x lines' => 'Show last x lines', 'show lines' => 'Show lines', @@ -2710,7 +2694,6 @@ 'upload a certificate' => 'Upload a certificate:', 'upload a certificate request' => 'Upload a certificate request:', 'upload ca certificate' => 'Upload CA certificate', -'upload dh key' => 'Upload Diffie-Hellman parameters', 'upload fcdsl.o' => 'TO BE REMOVED', 'upload file' => 'Upload file', 'upload new ruleset' => 'Upload new ruleset', 
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index e46c4fa46..bfd3f9b5e 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -799,12 +799,6 @@ 'details' => 'Détails', 'device' => 'Périphérique', 'devices on blue' => 'Périphériques sur BLEU', -'dh' => 'Paramètres Diffie-Hellman', -'dh key move failed' => 'Le déplacement des paramètres Diffie-Hellman a échoué.', -'dh key warn' => 'La création de paramètres DH avec des longueurs de 1024 ou 2048 bits prend plusieurs minutes. Des longueurs de 3072 ou 4096 bits peuvent nécessiter plusieurs heures. Soyez patient.', -'dh key warn1' => 'Pour des systèmes faibles ou avec peu d'entropie, il est recommandé de télécharger les paramètres Diffie-Hellman longs en utilisant la fonction de téléchargement.', -'dh name is invalid' => 'Le nom est invalide, veuillez utiliser "dh1024.pem".', -'dh parameter' => 'Paramètres Diffie-Hellman', 'dhcp advopt add' => 'Ajouter une option DHCP', 'dhcp advopt added' => 'Option DHCP ajoutée', 'dhcp advopt blank value' => 'La valeur de l'option DHCP ne peut pas être vide.', @@ -944,7 +938,6 @@ 'download apple profile' => 'Télécharger le profil de configuration Apple', 'download ca certificate' => 'Télécharger le certificat CA', 'download certificate' => 'Télécharger le certificat', -'download dh parameter' => 'Télécharger paramètres Diffie-Hellman', 'download host certificate' => 'Télécharger le certificat de l'hôte', 'download new ruleset' => 'Télécharger de nouvelles règles', 'download pkcs12 file' => 'Télécharger le fichier PKCS12', 
@@ -1360,11 +1353,9 @@ 'fwhost wo subnet' => '(sans sous-réseau)', 'gateway' => 'Passerelle ', 'gateway ip' => 'IP passerelle', -'gen dh' => 'Générer nouveaux paramètres Diffie-Hellman ', 'gen static key' => 'Générer une clef statique', 'generate' => 'Générer un certificat racine / hôte', 'generate a certificate' => 'Générer un certificat :', -'generate dh key' => 'Générer paramètres Diffie-Hellman', 'generate iso' => 'Générer ISO', 'generate ptr' => 'Générer PTR ', 'generate root/host certificates' => 'Générer des certificats root / hôte', @@ -1917,7 +1908,6 @@ 'nonetworkname' => 'Aucun nom de réseau saisi', 'noservicename' => 'Aucun nom de service saisi', 'not a valid ca certificate' => 'Le certificat CA n'est pas valide.', -'not a valid dh key' => 'Ce n'est pas un fichier de paramètres Diffie-Hellman valide. Veuillez choisir une longueur de 1024, 2048, 3072 ou 4096 bits et le format PKCS#3.', 'not affected' => 'Non affecté', 'not enough disk space' => 'Pas assez d'espace sur le disque', 'not present' => '<b>Absent</b>', 
@@ -2021,15 +2011,10 @@ 'ovpn connection name' => 'Nom de la connexion ', 'ovpn crypt options' => 'Options cryptographiques', 'ovpn device' => 'Périphérique OpenVPN :', -'ovpn dh' => 'Longueur de paramètres Diffie-Hellman ', -'ovpn dh new key' => 'Générer de nouveaux paramètres Diffie-Hellman ', -'ovpn dh parameters' => 'Options de paramètres Diffie-Hellman', -'ovpn dh upload' => 'Mettre à jour nouveaux paramètres Diffie-Hellman ', 'ovpn dl' => 'Télécharger Config OVPN', 'ovpn engines' => 'Moteur Crypto', 'ovpn errmsg green already pushed' => 'La route pour le réseau VERT est toujours activée', 'ovpn errmsg invalid ip or mask' => 'Adresse ou masque de sous-réseau invalide', -'ovpn error dh' => 'Le paramètre Diffie-Hellman doit être au minimum à 2048 bits ! <br>Veuillez générer ou télécharger un nouveau paramètre Diffie-Hellman, cela peut être fait ci-dessous dans la section "Options de paramètres Diffie-Hellman".</br>', 'ovpn error md5' => 'Votre certificat hôte utilise MD5 pour la signature qui n'est plus acceptée. <br>Veuillez mettre à jour la dernière version d'IPFire et générez un nouveau certificat racine et hôte..</br><br>Tous les clients OpenVPN doivent ensuite être renouvelés!</br>', 'ovpn generating the root and host certificates' => 'La génération du certificat racine et hôte peut prendre du temps.', 'ovpn ha' => 'Algorithme de hashage', @@ -2335,7 +2320,6 @@ 'show ca certificate' => 'Afficher le certificat CA', 'show certificate' => 'Afficher le certificat', 'show crl' => 'Montrer la liste de révocation des certificats', -'show dh' => 'Afficher les paramètres Diffie-Hellman', 'show host certificate' => 'Afficher le certificat hôte', 'show last x lines' => 'Montrer les dernières x lignes', 'show lines' => 'Montrer les lignes', 
@@ -2718,7 +2702,6 @@ 'upload a certificate' => 'Envoyer un certificat :', 'upload a certificate request' => 'Envoyer une demande de certificat :', 'upload ca certificate' => 'Envoyer un certificat CA', -'upload dh key' => 'Télécharger paramètres Diffie-Hellman', 'upload file' => 'Envoyer un fichier', 'upload new ruleset' => 'Télécharger un nouveau réglement', 'upload p12 file' => 'Envoyer fichier PKCS12', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index cf58bea90..87a86946f 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -681,12 +681,6 @@ 'details' => 'Dettagli', 'device' => 'Device', 'devices on blue' => 'Devices on Blu', -'dh' => 'Diffie-Hellman parameters', -'dh key move failed' => 'Diffie-Hellman parameters move failed.', -'dh key warn' => 'Creating DH-parameters with lengths of 1024 or 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.', -'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.', -'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".', -'dh parameter' => 'Diffie-Hellman parameters', 'dhcp advopt add' => 'Aggiungere un opzione DHCP', 'dhcp advopt added' => 'Opzione DHCP aggiunto', 'dhcp advopt blank value' => 'DHCP opzione non può essere vuoto.', @@ -796,7 +790,6 @@ 'download' => 'download', 'download ca certificate' => 'Download CA certificate', 'download certificate' => 'Download certificate', -'download dh parameter' => 'Download Diffie-Hellman parameters', 'download host certificate' => 'Download host certificate', 'download new ruleset' => 'Scarica il nuovo set di regole', 'download pkcs12 file' => 'Download PKCS12 file', 
@@ -1158,11 +1151,9 @@ 'g.lite' => 'TO BE REMOVED', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway IP', -'gen dh' => 'Generate new Diffie-Hellman parameters', 'gen static key' => 'Generate a static key', 'generate' => 'Generate root/host zertifikate', 'generate a certificate' => 'Generate a certificate:', -'generate dh key' => 'Generate Diffie-Hellman parameters', 'generate iso' => 'Genera file ISO', 'generate root/host certificates' => 'Generate root/host certificates', 'generate tripwire keys and init' => 'generate tripwire keys and init', @@ -1594,7 +1585,6 @@ 'nonetworkname' => 'No Network Name entered', 'noservicename' => 'No Service Name entered', 'not a valid ca certificate' => 'Not a valid CA certificate.', -'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 1024, 2048, 3072 or 4096 bits and the PKCS#3 format.', 'not enough disk space' => 'Spazio su disco insufficiente', 'not present' => '<b>Non</b> presente', 'not running' => 'not running', @@ -1684,10 +1674,6 @@ 'ovpn config' => 'OVPN-Config', 'ovpn crypt options' => 'Cryptographic options', 'ovpn device' => 'OpenVPN device:', -'ovpn dh' => 'Diffie-Hellman parameters length', -'ovpn dh new key' => 'Generate new Diffie-Hellman parameters', -'ovpn dh parameters' => 'Diffie-Hellman parameters options', -'ovpn dh upload' => 'Upload new Diffie-Hellman parameters', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for Verde network is always set', @@ -1958,7 +1944,6 @@ 'show ca certificate' => 'Show CA certificate', 'show certificate' => 'Show file', 'show crl' => 'Show certificate revocation list', -'show dh' => 'Show Diffie-Hellman parameters', 'show host certificate' => 'Show host certificate', 'show last x lines' => 'Show last x lines', 'show lines' => 'Show lines', 
@@ -2298,7 +2283,6 @@ 'upload a certificate' => 'Upload a certificate:', 'upload a certificate request' => 'Upload a certificate request:', 'upload ca certificate' => 'Upload CA certificate', -'upload dh key' => 'Upload Diffie-Hellman parameters', 'upload fcdsl.o' => 'TO BE REMOVED', 'upload file' => 'Upload file', 'upload new ruleset' => 'Upload new ruleset', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index bc2eead9a..ad5567ce1 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -746,12 +746,6 @@ 'details' => 'Detaylar', 'device' => 'Aygıt', 'devices on blue' => 'Mavi üzerindeki aygıtlar', -'dh' => 'Diffie-Hellman parametreleri', -'dh key move failed' => 'Diffie-Hellman parametreleri taşınamadı.', -'dh key warn' => '1024 veya 2048 bit uzunluğundaki Diffie-Hellman parametrelerini oluşturma birkaç dakika sürebilir. 3072 veya 4096 bit uzunluğundaki parametreleri oluşturmak ise birkaç saate ihtiyaç olabilir. Lütfen sabırlı olun.', -'dh key warn1' => 'Zayıf veya entropileri küçük olan sistemler için bu yükleme fonksiyonun kullanımı ile uzun Diffie-Hellman parametrelerini yükleme tavsiye edilir.', -'dh name is invalid' => 'Geçersiz ad, lütfen "dh1024.pem" şeklinde kullanın.', -'dh parameter' => 'Diffie-Hellman parametreleri', 'dhcp advopt add' => 'DHCP seçeneği ekle', 'dhcp advopt added' => 'DHCP seçeneği eklendi', 'dhcp advopt blank value' => 'DHCP seçeneği değeri boş olamaz.', @@ -868,7 +862,6 @@ 'download' => 'İndir', 'download ca certificate' => 'CA sertifikası indir', 'download certificate' => 'Sertifika indir', -'download dh parameter' => 'Diffie-Hellman parametrelerini indir', 'download host certificate' => 'Ana bilgisayar belgesi indir', 'download new ruleset' => 'Yeni Kural Kümesi İndir', 'download pkcs12 file' => 'PKCS12 dosyasını indir', 
@@ -1269,11 +1262,9 @@ 'g.lite' => 'KALDIRILACAK', 'gateway' => 'Ağ geçidi', 'gateway ip' => 'Ağ Geçidi IP Adresi', -'gen dh' => 'Yeni Diffie-Hellman parametrelerini oluşturun', 'gen static key' => 'Statik bir anahtar oluştur', 'generate' => 'Yönetici/Sunucu Sertifikası Oluştur', 'generate a certificate' => 'Sertifika oluştur:', -'generate dh key' => 'Diffie-Hellman parametrelerini oluşturun', 'generate iso' => 'ISO oluştur', 'generate root/host certificates' => 'Yönetici/Sunucu Sertifikası Oluştur', 'generate tripwire keys and init' => 'tripwire anahtarları ve init oluştur', @@ -1731,7 +1722,6 @@ 'nonetworkname' => 'Ağ adı girilmedi', 'noservicename' => 'Hizmet adı girilmedi', 'not a valid ca certificate' => 'Geçerli bir CA sertifikası değil.', -'not a valid dh key' => 'Geçerli bir Diffie-Hellman parametre dosyası yok. 1024, 2048, 3072 veya 4096 bit uzunluğunda ve PKCS#3 biçimini kullanın.', 'not enough disk space' => 'Yeterli disk alanı yok', 'not present' => 'Mevcut <b>değil</b>', 'not running' => 'çalışmıyor', @@ -1828,10 +1818,6 @@ 'ovpn config' => 'OVPN-Yapılandırması', 'ovpn crypt options' => 'Şifreleme seçenekleri', 'ovpn device' => 'OpenVPN aygıtı:', -'ovpn dh' => 'Diffie-Hellman parametre uzunluğu', -'ovpn dh new key' => 'Yeni Diffie-Hellman parametrelerini oluşturun', -'ovpn dh parameters' => 'Diffie-Hellman parametre seçenekleri', -'ovpn dh upload' => 'Yeni Diffie-Hellman parametreleri yükle', 'ovpn dl' => 'OVPN-Yapılandırması İndir', 'ovpn engines' => 'Şifreleme motoru', 'ovpn errmsg green already pushed' => 'Yeşil ağ için her zaman bir yol ayarla', @@ -2111,7 +2097,6 @@ 'show ca certificate' => 'CA sertifikalarını göster', 'show certificate' => 'Sertifika göster', 'show crl' => 'Sertifika İptal Listesini Göster', -'show dh' => 'Diffie-Hellman parametrelerini göster', 'show host certificate' => 'Ana bilgisayar sertifikalarını göster', 'show last x lines' => 'Son x satırlarını göster', 'show lines' => 'Satırları göster', 
@@ -2462,7 +2447,6 @@ 'upload a certificate' => 'Sertifika yükle:', 'upload a certificate request' => 'Sertifika isteği yükle:', 'upload ca certificate' => 'CA Sertifikası Yükle', -'upload dh key' => 'Diffie-Hellman parametreleri yükle', 'upload fcdsl.o' => 'KALDIRILACAK', 'upload file' => 'Dosya yükle', 'upload new ruleset' => 'Yeni kurallar yükle', diff --git a/lfs/cdrom b/lfs/cdrom index a47faa49e..f4e6e050c 100644 --- a/lfs/cdrom +++ b/lfs/cdrom @@ -199,7 +199,7 @@ endif
ifeq "$(HAS_MEMTEST)" "1" # Install memtest - cp /usr/lib/memtest86+/memtest.bin $(DIR_TMP)/cdrom/boot/isolinux/memtest + cp /usr/lib/memtest86+/memtest.efi $(DIR_TMP)/cdrom/boot/isolinux/memtest endif
ifeq "$(HAS_IPXE)" "1" diff --git a/lfs/clamav b/lfs/clamav index 987c0453a..1cd15ea27 100644 --- a/lfs/clamav +++ b/lfs/clamav @@ -27,14 +27,15 @@ include Config SUMMARY = Antivirus Toolkit
VER = 0.105.1 +SUBVER = -2
THISAPP = clamav-$(VER) -DL_FILE = $(THISAPP).tar.gz +DL_FILE = $(THISAPP)$(SUBVER).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = clamav -PAK_VER = 62 +PAK_VER = 63
DEPS =
@@ -50,7 +51,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = be46d9afd76fb536d7de7363a45d38fef6a5983011e3cd0dcc25c2a209c8d37a2bbe1f7f4a5694152cabf622ef83e072b892ae12ba404da1955bb5b654e5216d +$(DL_FILE)_BLAKE2 = 09e67f4ae4f9689e634aa18cd672b16d8a4cb8b3923527c7c92ffa264b415dc49b5ee82ceaa518cf701a910b49a344753c7d0de894a772b0b871e492c95d60f4
install : $(TARGET)
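Review bot: the BLAKE2 value for the clamav DL_FILE changes while VER stays at 0.105.1, so the new SUBVER = -2 points at a repacked archive (clamav-0.105.1-2.tar.gz) rather than a new upstream release. Please state in the commit message what differs in the -2 archive and where it was obtained, so the new digest can be checked independently. Also confirm the archive still unpacks to clamav-$(VER), since THISAPP and DIR_APP do not include SUBVER.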
diff --git a/lfs/configroot b/lfs/configroot index f278ccf77..ef92f5f08 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -169,7 +169,7 @@ $(TARGET) : # Configroot permissions chown -Rv nobody:nobody $(CONFIG_ROOT) chown root:root $(CONFIG_ROOT) - for i in backup/exclude.user backup/include.user *.pl addon-lang/ langs/ ; do \ + for i in backup/exclude.user backup/include.user connscheduler/lib.pl *.pl addon-lang/ langs/ menu.d/; do \ chown -Rv root:root $(CONFIG_ROOT)/$$i; \ done chown -Rv root:root $(CONFIG_ROOT)/*/bin diff --git a/lfs/memtest b/lfs/memtest index 7e5ac895f..ae87558de 100644 --- a/lfs/memtest +++ b/lfs/memtest @@ -24,9 +24,9 @@
include Config
-VER = 5.01 +VER = 6.00
-THISAPP = memtest86+-$(VER) +THISAPP = memtest86plus-$(VER) DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) @@ -41,7 +41,8 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = ef63eaabaf6d3d27b85c73618c692dd61cce52f3670a57958d181623888bdc3aa538855da9a82ec2ab70b180938e3df99f0b06f606b2d6f64e8aabbe781b3050 +$(DL_FILE)_BLAKE2 = bba26dab7165239fe95dc7f174e5f876f47421008ca6201bc57549598f512df56a6a0ca71f8c2c26c01188d243b58ab6ddd525cf01f0dece0cdb61a6acf38685 +
install : $(TARGET)
@@ -71,11 +72,8 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP)/build64 && make memtest.efi -mkdir -p /usr/lib/memtest86+ - - # 64bit only systems cannot link mentest without 32bit gcc libs - # so we use the precompiled binary from memtest author - cd $(DIR_APP) && cp -f precomp.bin /usr/lib/memtest86+/memtest.bin - + cd $(DIR_APP)/build64 && cp -f memtest.efi /usr/lib/memtest86+/memtest.efi @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/openssl b/lfs/openssl index 28a92a6b3..0431203f0 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -123,5 +123,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make install install -m 0644 $(DIR_SRC)/config/ssl/openssl.cnf /etc/ssl
+ # Install RFC 7919 defined standard group ffdhe4096 + install -m 0644 $(DIR_SRC)/config/ssl/ffdhe4096.pem /etc/ssl + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/postfix b/lfs/postfix index 9c028ad7c..0a078b8d2 100644 --- a/lfs/postfix +++ b/lfs/postfix @@ -26,7 +26,7 @@ include Config
SUMMARY = A fast, secure, and flexible mailer
-VER = 3.7.2 +VER = 3.7.3
THISAPP = postfix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = postfix -PAK_VER = 37 +PAK_VER = 38
DEPS =
@@ -70,7 +70,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 3f7aaba222b64274f756ea37b8ac06c29469d9183879deb4942a709d75783f4a8ca81204971b6658aba4b5bea46ed9c21b14e1f8fc6b613f257acd3aad16c170 +$(DL_FILE)_BLAKE2 = 005abf49b27e59bd3e3251e345df4da0c830314c4d4478aee11057163166afa1a0159017c46bead6572d29d9738a18e1a42a0b72fe260facd3ad77f8ed309271
install : $(TARGET)
diff --git a/lfs/squid b/lfs/squid index 08eb9965d..7a7b775ff 100644 --- a/lfs/squid +++ b/lfs/squid @@ -170,6 +170,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
chown -R nobody:nobody /var/ipfire/updatexlrator chown -R root:root /var/ipfire/updatexlrator/bin + chown root:root /var/ipfire/updatexlrator/updxlrator-lib.pl chown nobody.squid /var/updatecache chown nobody.squid /var/updatecache/download chown nobody.squid /var/updatecache/metadata
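Review bot: in lfs/squid the added `chown root:root /var/ipfire/updatexlrator/updxlrator-lib.pl` changes only the owner of the file. The directory itself keeps nobody:nobody from the preceding `chown -R nobody:nobody /var/ipfire/updatexlrator`, so that account can still rename or unlink the library and put its own file in its place. If the intent is to stop nobody from altering this library, install it into a root-owned directory or make its parent directory root-owned as well.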
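Review bot: in the extended `for i in ...` list of lfs/configroot, `connscheduler/lib.pl` is handed to root but its parent directory `connscheduler/` is not in the list, so the directory keeps nobody:nobody from `chown -Rv nobody:nobody $(CONFIG_ROOT)` and the file can still be replaced by that account. `menu.d/` does not have this problem because the whole directory is chowned recursively. Consider listing the directory, or moving lib.pl to a location that is already root-owned. Minor style point: the original line had a space before `; do`, the new one (`menu.d/; do`) drops it.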
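Review bot: the lfs/openssl hunk installs config/ssl/ffdhe4096.pem as a checked-in file, and nothing visible here verifies that its contents are the RFC 7919 group the comment names. Please add a build-time check (for example `openssl dhparam -in /etc/ssl/ffdhe4096.pem -check -noout`, together with a comparison against the published prime) or record the file's provenance in the commit message. Mode 0644 is fine, since Diffie-Hellman group parameters are public.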
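Review bot: in lfs/cdrom the source becomes `memtest.efi`, but the destination is still `$(DIR_TMP)/cdrom/boot/isolinux/memtest`, which is the ISOLINUX (legacy BIOS) boot directory. Please confirm that the image produced by `make memtest.efi` in lfs/memtest also boots from ISOLINUX and say so in the commit message. If it does not, the BIOS boot entry needs a separate image. The removed comment in lfs/memtest explained why a precompiled binary was used; a short replacement comment on why only the build64 EFI target is built would help the next reader.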
hooks/post-receive -- IPFire 2.x development tree