[PATCH] vpnmain.cgi: Fix writing ESP settings for PFS ciphers

Michael Tremer michael.tremer at ipfire.org
Mon Jun 17 16:31:52 BST 2019


Oops. Yes.

Weirdly, someone confirmed that this patch works for them…

> On 17 Jun 2019, at 15:08, Peter Müller <peter.mueller at ipfire.org> wrote:
> 
> The changes introduced due to #12091 caused IPsec ESP
> to be invalid if PFS ciphers were selected. Code has
> to read "!$pfs" instead of just "$pfs", as it should trigger
> for ciphers _without_ Perfect Forward Secrecy.
> 
> Fixes #12099
> 
> Signed-off-by: Peter Müller <peter.mueller at ipfire.org>
> Cc: Michael Tremer <michael.tremer at ipfire.org>
> ---
> html/cgi-bin/vpnmain.cgi | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index fbc274919..750b69b1d 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -3338,7 +3338,7 @@ sub make_algos($$$$$) {
> 						push(@algo, $int);
> 					}
> 
> -					if ($pfs || $grp eq "none") {
> +					if (!$pfs || $grp eq "none") {
> 						# noop
> 					} elsif ($grp =~ m/^e(.*)$/) {
> 						push(@algo, "ecp$1");
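Review bot: The empty `# noop` branch guarded by `if (!$pfs || $grp eq "none")` is easy to get backwards, as the `$pfs` version it replaces shows. Consider turning it into a positive guard around the group handling, for example `if ($pfs && $grp ne "none") { ... }` wrapping the `$grp =~ m/^e(.*)$/` case and whatever follows it, so that the condition reads as "append a group only when PFS is on and a group is set". If the structure stays as it is, expand the `# noop` comment to say that no group is appended when PFS is off or the group is "none". It is also worth confirming that `$pfs` holds a plain true/false value at this point, since the visible lines do not show how it is set.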
> -- 
> 2.16.4


