[PATCH] vpnmain.cgi: Fix writing ESP settings for PFS ciphers

Peter Müller peter.mueller at ipfire.org
Mon Jun 17 15:08:00 BST 2019


The changes introduced due to #12091 caused IPsec ESP
to be invalid if PFS ciphers were selected. Code has
to read "!$pfs" instead of just "$pfs", as it should trigger
for ciphers _without_ Perfect Forward Secrecy.

Fixes #12099

Signed-off-by: Peter Müller <peter.mueller at ipfire.org>
Cc: Michael Tremer <michael.tremer at ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index fbc274919..750b69b1d 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -3338,7 +3338,7 @@ sub make_algos($$$$$) {
 						push(@algo, $int);
 					}
 
-					if ($pfs || $grp eq "none") {
+					if (!$pfs || $grp eq "none") {
 						# noop
 					} elsif ($grp =~ m/^e(.*)$/) {
 						push(@algo, "ecp$1");
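Review bot: The empty `# noop` branch on the changed line `if (!$pfs || $grp eq "none") {` carries no statement of intent, which makes an inverted test like the one fixed here easy to miss in review. Replace `# noop` with a comment saying what is skipped (no group is appended to @algo when PFS is disabled or the group is "none"). Alternatively, drop the empty branch and guard the group handling with `$pfs && $grp ne "none"`, so the `ecp$1` push in the `elsif` is visibly reachable only for PFS proposals. A regression check that generates the algorithm string once with PFS on and once with it off would cover both #12091 and #12099.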
-- 
2.16.4

