[PATCH] vpnmain.cgi: Fix writing ESP settings for PFS ciphers

Peter Müller peter.mueller at ipfire.org
Wed Jun 19 21:38:00 BST 2019


Hello Michael,

could you merge the change into "next", too?

So it won't be overwritten with the next Core Update...

Thanks, and best regards,
Peter Müller

> Oops. Yes.
> 
> Weirdly, someone confirmed that this patch works for them…
> 
>> On 17 Jun 2019, at 15:08, Peter Müller <peter.mueller at ipfire.org> wrote:
>>
>> The changes introduced due to #12091 caused IPsec ESP
>> to be invalid if PFS ciphers were selected. Code has
>> to read "!$pfs" instead of just "$pfs", as it should trigger
>> for ciphers _without_ Perfect Forward Secrecy.
>>
>> Fixes #12099
>>
>> Signed-off-by: Peter Müller <peter.mueller at ipfire.org>
>> Cc: Michael Tremer <michael.tremer at ipfire.org>
>> ---
>> html/cgi-bin/vpnmain.cgi | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
>> index fbc274919..750b69b1d 100644
>> --- a/html/cgi-bin/vpnmain.cgi
>> +++ b/html/cgi-bin/vpnmain.cgi
>> @@ -3338,7 +3338,7 @@ sub make_algos($$$$$) {
>> 						push(@algo, $int);
>> 					}
>>
>> -					if ($pfs || $grp eq "none") {
>> +					if (!$pfs || $grp eq "none") {
>> 						# noop
>> 					} elsif ($grp =~ m/^e(.*)$/) {
>> 						push(@algo, "ecp$1");
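Review bot: the empty "# noop" branch under `if (!$pfs || $grp eq "none")` gives no hint of why nothing is appended, and the inverted test it previously held looked just as plausible in this position. Either replace "# noop" with a comment stating that no group is pushed onto @algo when PFS is off or the group is "none", or express the positive case directly by guarding the group handling with `$pfs && $grp ne "none"`, so the condition reads the same way as the commit message ("should trigger for ciphers _without_ Perfect Forward Secrecy"). Since the commit message says the previous change produced invalid ESP settings, it would also help to note in the message which combinations were checked (PFS on and off, with and without an `e`-prefixed group that becomes "ecp$1").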
>> -- 
>> 2.16.4
> 

-- 
The road to Hades is easy to travel.
	-- Bion of Borysthenes

