IPFire 2.19 - Core Update 115 released
The IPFire Project
ipfire-announce at lists.ipfire.org
Thu Nov 2 21:21:14 CET 2017
Finally, we are releasing the long-awaited IPFire 2.19 – Core Update 115 which
brings the shiny new Captive Portal and various security and performance
improvements as well as fixing security vulnerabilities.
This is a large Core Update with a huge number of changes and to support our
efforts to develop new features and maintain the existing system as well as
constantly improving it, we would like to ask you to donate!
The new IPFire Captive Portal comes pre-installed on every IPFire system and
allows easy access control for wireless and even wired networks. It is simple
and very easy to set up with only a few configuration options. That makes it
versatile for many administrators and also very simple for all users.
It comes with two configuration modes: The default mode asks the user to accept
terms and conditions. After doing so, access to the network is granted for a
configurable time. After the time has expired, Internet access is blocked again
Optionally you can generate coupons that allow access for one device for a set
time. Those coupons can also be exported as a PDF document and printed so
that they can be handed out easily at a hotel reception for example.
Although Germany has just abolished the controversial law that made the
subscriber of an Internet connection liable for everything anyone does over that
connection (Störerhaftung), this is still a great feature for 2017 where WiFi
networks in hotels, cafes and everywhere else are a must. It allows you to give
access only to the people who booked a room in your hotel, or bought a cup of coffee
in your cafe. That will keep the WiFi from being overloaded and it will be fast
The full documentation can be found on our wiki.
Thanks go to all the people of our community who have worked on this for a very
The web user interface has been hardened by a series of patches from Peter
* When establishing a new TLS connection, ECDSA is now preferred over RSA which
makes the TLS handshake much faster and uses less resources on the client and
server. It is also considered to be stronger against brute-force attacks.
* An additional ECDSA key is now generated in addition to the existing RSA key
which improves security of any TLS connections to the web user interface.
* Previously, some attacks could make the web browser submit login
credentials via HTTP without encryption. The Apache configuration has been
changed to never ask for a login without first establishing a TLS connection.
* A smaller information leak has also been fixed where anyone could access the
credits.cgi page which revealed the version information of the installed
These changes require a restart of the web server that runs the web user
interface. This happens automatically during the installation of this Core
Update but might render the web user interface unavailable for a short moment.
OpenVPN Configuration Updates
The OpenVPN project has deprecated some configuration options. This has been
updated in IPFire as well, which will now generate new configuration files
whenever a new certificate has been issued. The old configuration files and
certificates will remain but won’t be compatible with OpenVPN 2.5 any more.
There is no need for action right now, but old connections might not work with
clients that run a newer version of OpenVPN in the future. New connections will
work fine with any recent and future version of OpenVPN.
Thanks to Erik for sending in a patch for this.
* The WiFi access point add-on was already patched against the KRACK
attacks on the day those were announced. The wpa_supplicant package which
implements the WiFi client feature of IPFire has been patched in this release
against those attacks.
* IPsec VPNs that use Curve25519 would not come up after installing the
previous Core Update. This has been fixed now.
* Updated packages: logrotate 3.13.0, openvpn 2.3.18, unbound 1.6.7
* Some files that have been unused for a very long time have been cleaned up.
* All downloads of the project’s ISO files are now done over HTTPS.
* tor 3.1.7