Today, IPFire 2.13 Core Update 72 and the crowd-funded Tor add-on have been released.
The Core Update comes with a lot of feature enhancements for IPsec, smaller fixes for OpenVPN and fixed two denial-of-service attacks in the Squid web proxy.
strongSwan, the software package responsible for IPsec VPN connections, has been updated to version 5.1.0. This is a major release that fixes various kinds of bugs and also fixes a denial-of-service bug (CVE-2013-5013), which is of very little priority for IPFire users.
Elliptic Curve Cryptography
It is now possible to use Elliptic Curve Cryptography (ECC) groups in the Internet Key Exchange (IKE) protocols in addition to the previously available Diffie-Hellman groups. Advantages of using these include better efficiency, because the underlying integer arithmetic is much faster than the binary field arithmetic MODP uses. ECC also requires much smaller keys to achieve the same level of security as the Diffie-Hellman algorithm, so less entropy is consumed.
Smaller default keys
As has often been pointed out, gathering enough entropy is a problem on some computers. This makes a proper key exchange hard, because the keys generated for it must consist of a certain length of random data. The default key lengths have been very high since IPFire 2.13 and are now lowered for the reasons above: instead of 8192 bits, the highest selectable MODP group now uses 4096-bit keys.
More technical reasons are to be found in the comments of #10396.
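As an added illustration of the two points above (offering ECC groups next to MODP, and the trade-off between group size and security strength), here is a small audit script that is not part of IPFire or strongSwan. It assumes strongSwan's ike= proposal syntax ("enc-integ-dhgroup[,...][!]") and uses approximate NIST SP 800-57-style strength estimates for each group; both are assumptions, not taken from the announcement.

```python
import re

# Assumed (not from the announcement): approximate symmetric-equivalent security
# strength in bits per IKE DH group, following NIST SP 800-57-style estimates.
DH_STRENGTH = {
    "modp1024": 80, "modp1536": 96, "modp2048": 112, "modp3072": 128,
    "modp4096": 152, "modp6144": 176, "modp8192": 200,
    "ecp192": 96, "ecp224": 112, "ecp256": 128, "ecp384": 192, "ecp521": 256,
}
_GROUP = re.compile(r"^(modp|ecp)(\d+)$")

def group_bits(name):
    """Modulus size (MODP) or curve field size (ECP) in bits, taken from the name."""
    return int(_GROUP.match(name).group(2))

def dh_groups(proposal):
    """Return the DH group of each proposal in a strongSwan-style ike= string
    ("enc-integ-dhgroup[,...][!]"); the trailing '!' strict marker is ignored."""
    groups = []
    for entry in proposal.rstrip("!").split(","):
        found = [tok for tok in entry.split("-") if tok in DH_STRENGTH]
        if len(found) != 1:
            raise ValueError("expected exactly one known DH group in %r" % entry)
        groups.append(found[0])
    return groups

def ecp_equivalent(modp):
    """Smallest ECP group at least as strong as the given MODP group."""
    ecp = sorted((g for g in DH_STRENGTH if g.startswith("ecp")), key=group_bits)
    return next((g for g in ecp if DH_STRENGTH[g] >= DH_STRENGTH[modp]), None)

def audit(proposal, minimum=112):
    """Report the weakest group offered (the SA may end up using it) and the ECP
    group that gives the same strength with a far smaller key."""
    weakest = min(dh_groups(proposal), key=DH_STRENGTH.get)
    ecp = ecp_equivalent(weakest) if weakest.startswith("modp") else weakest
    return {
        "weakest": weakest,
        "strength_bits": DH_STRENGTH[weakest],
        "meets_minimum": DH_STRENGTH[weakest] >= minimum,
        "ecp_equivalent": ecp,
        "size_ratio": round(group_bits(weakest) / group_bits(ecp), 1),
    }

if __name__ == "__main__":
    # Constructed samples: the former 8192-bit default next to the new 4096-bit one.
    for p in ("aes256-sha256-modp8192", "aes256-sha256-modp4096,aes256-sha256-ecp384!"):
        print(p, "->", audit(p))
```

The size ratio shows why the entropy argument favours ECC: modp4096 and ecp384 land in the same strength class while the curve key is roughly a tenth of the size.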
squid Web Proxy server
The squid web proxy server had two denial-of-service issues that are fixed in this Core Update: the cache manager could be crashed during authentication, and the entire proxy server could be crashed by requests containing over-long domain names (more information about this).
The OpenVPN GUI now validates the subnet used as the transfer network for OpenVPN N2N connections more precisely. Previously, incorrect data made the openvpnctrl binary crash when a new connection was started, so no firewall rules were added.
It is now permitted to leave the “remote” field empty on the N2N server side, which makes it easier to create connections with clients that have dynamic IP addresses.
OpenVPN client connections with more than one space character in their names work again.
- snort has been enabled to decode packets from non-Ethernet devices again.
- Dynamic DNS supports all-inkl.com now.
- This update comes with all the requirements you need for Tor.
Tor – Protecting Online Anonymity
The Tor add-on is finally released together with Core Update 72, which you need to install first if you want to use Tor. Please make sure to reboot your IPFire system after the Tor add-on has been installed.
Documentation about this add-on can be found on our wiki: Tor documentation
We would like to thank all the people who contributed to this wish on the IPFire wishlist. If you like, there are other items you can support so that they get implemented soon, too!
Please note the deprecation warning for Xen 3.x users!