Peter Müller
a12d488682
ClamAV: update to 0.99.4
Update ClamAV to 0.99.4 which fixes four security issues
and compatibility issues with GCC 6 and C++ 11.
The release note can be found here: http://blog.clamav.net/2018/03/clamav-0994-has-been-released.html
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-03-05 15:11:55 +00:00
Michael Tremer
568a227bd3
vpnmain.cgi: Fix reading common names from certificates
OpenSSL has changed the output of the subject lines of
certificates.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-03-01 19:59:14 +00:00
Michael Tremer
63b515dc26
apache: Require TLSv1.2 for access to the web user interface
This will work fine for FF 27 or newer, Chrome 30 or newer,
IE 11 on Windows 7 or newer, Opera 17 or newer, Safari 9 or
newer, Android 5.0 or newer and Java 8 or newer.
Since IPFire is not supposed to host any other applications and
all have been removed in the last few Core Updates, only the web
user interface is served over HTTPS here. We clearly prefer
security over compatibility.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-28 11:55:35 +00:00
Peter Müller
464426d363
change Apache TLS cipher list to "Mozilla Modern"
Change the TLS cipher list of Apache to "Mozilla Modern".
ECDSA is preferred over RSA to save CPU time on both server
and client. Clients without support for TLS 1.2 and AES will
experience connection failures.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-28 11:54:08 +00:00
Michael Tremer
263d1e6484
openssl: Apply ciphers patch before running Configure
This works just fine here.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-28 11:49:47 +00:00
Peter Müller via Development
5929493445
set OpenSSL 1.1.0 DEFAULT cipher list to secure value
Only use a secure cipher list for the OpenSSL DEFAULT list:
* ECDSA is preferred over RSA since it is faster and more scalable
* TLS 1.2 suites are preferred over anything older
* weak ciphers such as RC4 and 3DES have been eliminated
* AES-GCM is preferred over AES-CBC (known as the "mac-then-encrypt" problem)
* ciphers without PFS are moved to the end of the cipher list
This patch leaves AES-CCM, AES-CCM8 and CHACHA20-POLY1305 suites
where they are since they are considered secure and there is no
need to change anything.
The DEFAULT cipher list is now (output of "openssl ciphers -v"):
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES128-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(256) Mac=AEAD
AES256-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD
AES128-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
This has been discussed on 2017-12-04 (https://wiki.ipfire.org/devel/telco/2017-12-04)
and for a similar patch written for OpenSSL 1.0.x.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-28 11:45:03 +00:00
Michael Tremer
e707599d2c
core120: Call openvpnctrl with full path
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-28 10:48:29 +00:00
Michael Tremer
ca4c354e08
Bump release of all packages linked against OpenSSL
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-26 16:28:16 +00:00
Michael Tremer
d192815e83
core120: Ship everything that is linked against OpenSSL
This will make sure that everything is using the new version
of the library.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-26 16:22:32 +00:00
Michael Tremer
1c0cfaa594
Disable Path MTU discovery
This seems to be a failed concept and causes issues with transferring
large packets through an IPsec tunnel connection.
This configures the kernel to still respond to PMTU ICMP discovery
messages, but will not try this on its own.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-26 15:37:49 +00:00
Michael Tremer
f0e308ab2f
core120: Fix typo in initscript name
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-26 15:34:10 +00:00
Michael Tremer
61fcd32f15
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-26 13:06:34 +00:00
Michael Tremer
0eccedd1c8
dhcp: Allow adding extra DHCP interfaces
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-26 11:12:20 +00:00
Erik Kapfer via Development
39d11d265e
OpenVPN: Ship missing OpenSSL configuration file for update
Core 115 delivered a patch which prevents the '--ns-cert-type server is deprecated' message
and also introduced '--remote-cert-tls server' (see https://patchwork.ipfire.org/patch/1441/),
but the changed ovpn.cnf has not been delivered.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-26 10:15:30 +00:00
Erik Kapfer via Development
52f61e496d
OpenVPN: New AES-GCM cipher for N2N and RW
AES-GCM 128, 196 and 256 bit have been added to the Net-to-Net and Roadwarrior sections.
HMAC selection for N2N will be disabled if AES-GCM is used since GCM provides its own message authentication (GMAC).
The 'auth *' line in N2N.conf will be deleted appropriately if AES-GCM is used since '--tls-auth' is not available for N2N.
The HMAC selection menu for Roadwarriors is still available since '--tls-auth' is available for RWs,
which use the configured HMAC even if AES-GCM has been applied.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-25 19:31:30 +00:00
Michael Tremer
87484f5c78
openssl-compat: Do not try to apply missing padlock patch
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-22 18:52:03 +00:00
Michael Tremer
b9c56c9e9c
openssl-compat: Add missing library path
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-22 18:50:38 +00:00
Michael Tremer
8b080ef12b
core120: Remove deprecated sshd configuration option
This just created a warning and is now dropped.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-21 13:06:22 +00:00
Michael Tremer
c2646dff80
Revert "wget: Link against GnuTLS instead of OpenSSL"
This reverts commit a46b159a8d.
wget 1.19.4 supports linking against OpenSSL 1.1.0.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-21 12:55:36 +00:00
Michael Tremer
c8e4391ecc
core120: Remove forgotten PHP file
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-21 12:41:05 +00:00
Michael Tremer
53929f5ae8
core120: Ship updated OpenSSL 1.1.0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-21 12:39:55 +00:00
Michael Tremer
9434bffaf2
Merge branch 'openssl-11' into next
2018-02-21 12:21:10 +00:00
Michael Tremer
cb8a6bf5a4
Start Core Update 120
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-21 12:20:57 +00:00
Michael Tremer
83d6101b9d
core119: Reload apache after configuration changes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-21 12:06:02 +00:00
Peter Müller
51bf74a1c8
disable Apache server signature
Sending the server signature is unnecessary and might leak
some internal information (although ServerTokens is already
set to "Prod").
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-21 12:06:02 +00:00
Michael Tremer
3f42cf5cb9
backup: Don't backup apache configuration, keys only
In the past the apache configuration was part of the backup
and may have been restored after Core Update 118 was installed
with PHP being dropped amongst other things.
This patch will make sure that only keys are being backed up.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-21 12:06:02 +00:00
Michael Tremer
bbe8e248fe
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-20 20:10:30 +00:00
Michael Tremer
ea3b9a4f88
strongswan: Update to 5.6.2
Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
signatures that was caused by insufficient input validation.
One of the configurable parameters in algorithm identifier
structures for RSASSA-PSS signatures is the mask generation
function (MGF). Only MGF1 is currently specified for this purpose.
However, this in turn takes a parameter itself that specifies
the underlying hash function. strongSwan's parser did not
correctly handle the case of this parameter being absent,
causing an undefined data read.
This vulnerability has been registered as CVE-2018-6459.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-19 23:46:17 +00:00
Michael Tremer
a261cb06c6
IPsec: Try to restart always-on tunnels immediately
When a tunnel that is in always-on configuration closes
unexpectedly, we can instruct strongSwan to restart it
immediately which is precisely what we do now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-19 23:46:17 +00:00
Michael Tremer
2ec7a53b3e
Rootfile update for armv5tel
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-17 18:55:38 +00:00
Michael Tremer
e36a7e3cf2
haproxy: Link against libatomic on ARM
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-17 13:36:37 +00:00
Michael Tremer
429af17883
i2c-tools: New package
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-16 20:01:55 +00:00
Michael Tremer
0f354672a2
flac: Update to 1.3.2
The previous version fails to build on i586.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-16 19:14:33 +00:00
Michael Tremer
a1a5dd5566
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-15 19:34:50 +00:00
Erik Kapfer
a4fd232541
OpenVPN: Added needed directive for v2.4 update
script-security: The support for the 'system' flag has been removed due to security implications
with shell expansions when executing scripts via the system() call.
For more information: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
ncp-disable: Negotiable crypto parameters have been disabled for the first.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-15 10:41:41 +00:00
Michael Tremer
4ef4d82baa
core119: Ship changed proxy.cgi
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-14 22:23:20 +00:00
Bernhard Held
a2b2ac7854
proxy.cgi: remove excessive newlines in generated proxy.pac
Remove excessive newlines in generated proxy.pac
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-14 22:22:49 +00:00
Michael Tremer
0642dc8923
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-13 21:07:04 +00:00
Michael Tremer
eb93869763
Bump toolchain version
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-13 16:35:08 +00:00
Michael Tremer
1633e0146c
Rootfile update for glibc on i586
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-13 16:34:55 +00:00
Michael Tremer
909ba0ad4a
nagios-plugins: Update rootfiles
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-13 16:30:24 +00:00
Michael Tremer
e75dd42577
postfix: Update rootfile
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-13 16:20:55 +00:00
Michael Tremer
97b5588cf3
zlib: Fix name of logfile in toolchain build
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-13 10:24:04 +00:00
Michael Tremer
05551f7bdb
sslh: Build without tcpwrappers
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-13 10:23:54 +00:00
Michael Tremer
54d5414848
toolchain: Add zlib
ccache needs this and usually comes with its own bundled
version but fails to build in version 3.4.1.
Since this is a small library only and we really want
ccache to use compression, we will build this independently
and let ccache use it from the system.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-12 14:24:12 +00:00
Michael Tremer
d8ac9a162c
Bump toolchain version
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-12 13:07:38 +00:00
Michael Tremer
2dd9f3b379
Cleanup toolchain scripts
No functional changes, just some tidying up.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-12 12:44:37 +00:00
Michael Tremer
d32233aa1b
ccache: Update to 3.4.1
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-12 12:12:08 +00:00
Michael Tremer
71196131be
PAM: Drop shipped configuration
This is outdated, broken and has hardcoded passwords.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-12 12:09:22 +00:00
Michael Tremer
71cf8c8a6f
Drop perl-DBD-mysql
This package is not used by anything and depends on MySQL
which has been dropped, too.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-02-12 12:07:29 +00:00