As suggested by Oliver "giller" Fieker <oli@new-lan.de>
in bug 10592 I added the functionality to use the squid as ram-only cache.
Further it defines the maximum_object_size_in_memory
as 2% of the in the webif defined "Memory cache size".
The maximum_object_size_in_memory should have a useful
size of the defined memory cache and I don't want to
create another variable which muste be fulled in by the user.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Suggested-by: Oliver "giller" Fieker <oli@new-lan.de>
Suggested-by: Kim Wölfel <xaver4all@gmx.de>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
DNSSEC-validating nameservers return an "ad" (Authenticated Data)
flag in the DNS response header. This can be used as a negative
indicator for DNSSEC validation: In case a nameserver does not
return the flag, but failes to look up a domain with an invalid
signature, it does not support DNSSEC validation.
This makes it easier to detect nameservers which do not fully
comply to the RFCs or try to tamper DNS queries.
See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.
The second version of this patch avoids unnecessary usage of
grep. Thanks to Michael Tremer for the hint.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will work fine for FF 27 or newer, Chrome 30 or newer,
IE 11 on Windows 7 or newer, Opera 17 or newer, Safari 9 or
newer, Android 5.0 or newer and Java 8 or newer
Since IPFire is not supposed to host any other applications and
all have been removed in the last few Core Updates, only the web
user interface is served over HTTPS here. We clearly prefer
security over compatibility.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Change the TLS cipher list of Apache to "Mozilla Modern".
ECDSA is preferred over RSA to save CPU time on both server
and client. Clients without support for TLS 1.2 and AES will
experience connection failures.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This seems to be a failed concept and causes issues with transferring
large packets through an IPsec tunnel connection.
This configures the kernel to still respond to PMTU ICMP discovery
messages, but will not try this on its own.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and Roadwarrior section.
HMAC selection for N2N will be disabled if AES-GCM is used since GCM provides an own message authentication (GMAC).
'auth *' line in N2N.conf will be deleted appropriately if AES-GCM is used since '--tls-auth' is not available for N2N.
HMAC selection menu for Roadwarriors is still available since '--tls-auth' is available for RWs
which uses the configuered HMAC even AES-GCM has been applied.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Sending the server signature is unnecessary and might leak
some internal information (although ServerTokens is already
set to "Prod").
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In the past the apache configuration was part of the backup
and may have been restored after Core Update 118 was installed
with PHP being dropped amongst other things.
This patch will make sure that only keys are being backuped.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
signatures that was caused by insufficient input validation.
One of the configurable parameters in algorithm identifier
structures for RSASSA-PSS signatures is the mask generation
function (MGF). Only MGF1 is currently specified for this purpose.
However, this in turn takes itself a parameter that specifies
the underlying hash function. strongSwan's parser did not
correctly handle the case of this parameter being absent,
causing an undefined data read.
This vulnerability has been registered as CVE-2018-6459.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When a tunnel that is in always-on configuration closes
unexpectedly, we can instruct strongSwan to restart it
immediately which is precisely what we do now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
script-security: The support for the 'system' flag has been removed due to security implications
with shell expansions when executing scripts via system() call.
For more informations: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage .
ncp-disable: Negotiable crypto parameters has been disabled for the first.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
ccache needs this and usually comes with an own bundled
version but fails to build in version 3.4.1.
Since this is a small library only and we really want
ccache to use compression, we will build this indepently
and let ccache use it from the system.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
