IPFire 2.19 - Core Update 120 released

The IPFire Project ipfire-announce at lists.ipfire.org
Mon Apr 30 15:27:11 BST 2018


This is the official release announcement for IPFire 2.19 – Core Update 120. We
are excited that it is package with a large number of features that will
increase security of the entire system, increase performance of some
cryptographic operations as well as fixing a number of smaller bugs.

Thanks for the people who contributed to this Core Update by submitting their
patches [1] and please help us to support everyone’s work with your donation

RAM-only Proxy

In some installations it might be desirable to only let the proxy cache objects
in memory and not on disk. Especially when Internet connectivity is fast and
storage is slow this is most useful.

The web UI now allows to set the disk cache size to zero which will disable the
disk cache entirely. Thanks to Daniel for working on this.

OpenVPN 2.4

IPFire has migrated to OpenVPN 2.4 which introduces new ciphers of the AES-GCM
class which will increase throughput on systems that have hardware acceleration
for it. The update also brings various other smaller improvements.

Erik has been working on integration this which has required some work under the
hood but is compatible with any previous configurations for both roadwarrior
connections and net-to-net connections.

Improved Cryptography

Cryptography is one of the foundations to a secure system. We have updated the
distribution to use the latest version of the OpenSSL cryptography library
(version 1.1.0). This comes with a number of new ciphers and major refacturing
of the code base has been conducted.

With this change, we have decided to entirely deprecate SSLv3 and the web user
interface will require TLSv1.2 which is also the default for many other
services. We have configured a hardened list of ciphers which only uses recent
algorithms and entirely removes broken or weak algorithms like RC4, MD5 and so

Please check before this update if you are relying on any of those, and upgrade
your dependent systems.

Various packages in IPFire had to be patched to be able to use the new library.
This major work was necessary to provide IPFire with the latest cryptography,
migrate away from deprecated algorithms and take advantage of new technology.
For example the ChaCha20-Poly1305 ciphersuite is available which performs faster
on mobile devices.

The old version of the OpenSSL library (1.0.2) is still left in the system for
compatibility reasons and will continue to be maintained by us for a short
while. Eventually, this will be removed entirely, so please migrate any custom-
built add-ons away from using OpenSSL 1.0.2.


* Pakfire has now learned which mirror servers support HTTPS and will
  automatically contact them over HTTPS. This improves privacy.
* We have also started phase one of our planned Pakfire key rollover.
* Path MTU Discovery has been disabled in the system. This has continuously
  created issues with the stability of IPsec tunnels that have chosen paths over
  networks that were incorrectly configured.
* The QoS template could miscalculate the bandwidth which has now been fixed
  that the sum of the guaranteed bandwidth over all classes does not exceed 100%
* Updated packages: bind 9.11.3, curl 7.59.0, dmidecode 3.1, gnupg 1.4.22,
  hdparm 9.55, logrotate 3.14.0, Net-SSLeay 1.82, ntp 4.2.8p11, openssh 7.6p1,
  python-m2crypto 0.27.0, unbound 1.7.0, vnstat 1.18


These add-ons have been updated: clamav 0.99.4, htop 2.1.0, krb5 1.15.2, ncat
7.60, nano 2.9.4, rsync 3.1.3, tor, wio 1.3.2

* asterisk’s documentation is now included in the package which has been missing
  earlier and rendered asterisk unable to start

[1] https://wiki.ipfire.org/devel/submit-patches
[2] https://www.ipfire.org/donate

More information about the IPFire-Announce mailing list