Despite being currently busy with an IPFire 3 hackathon, we found the time to release the next Core Update for testing: IPFire 2.27 - Core Update 172. It comes with cryptography improvements for IPsec and OpenVPN, as well as security improvements under the hood, a plethora of package updates and various bugs fixed across the place.
Future-proofing VPN cryptography
This Core Update updates the key lengths of host certificates for both IPsec and OpenVPN clients/peers to 4,096 bit RSA, since the previous default of 2,048 bit is no longer recommended for long-term security purposes.
Both IPsec and OpenVPN root CA length has always been 4,096 bit, as has the key pair generated for IPFire's web interface - no action is required on that front. Unfortunately, existing IPsec/OpenVPN client/peer configurations cannot be migrated automatically, and have to be phased-out manually. Thanks to the respective CA certificates not requiring an update, complete disruptions of VPN infrastructure can, however, be avoided.
OpenVPN is automatically reconfigured to use a secure Diffie-Hellman parameter, both of sufficient length of 4,096 bit and standardized (see RFC 7919, section A.3, bug #12632). All OpenVPN clients and peers will automatically benefit from this cryptography improvement; no manual action is required. This also obsoletes the necessity of generating or uploading Diffie-Hellman parameters while configuring OpenVPN, saving a lot of time, as the generation of such parameters could have taken hours on slower hardware.
For early 2023, we anticipate post-quantum cryptography (PQC) to land in IPFire for IPsec, for which there is a strong (and growing) need, thanks to so-called "capture now, decrypt later" attacks endangering the confidentiality of information with long-term secrecy demand, such as biometric and health data.
- IPFire's trust store has been updated to incorporate Mozilla's decision to distrust the root certificates of TrustCor Systems S. DE R.L.
- Displaying the status and actions of add-ons whose service names differed from their package names is fixed (#12935). The same page has also seen some translation improvements.
- Certificate Revocation Lists (CRLs) of OpenVPN are now properly backed up and reloaded before OpenVPN is (re-)started.
- Adolf Belka submitted a massive patchset for updating Python.
- Roberto Peña updated and improved the Spanish translation of IPFire's web interface.
- Some unnecessary files from
linux-firmwareare no longer shipped and automatically removed from existing installations to keep the system as lean as possible.
- Various file permissions have been tightened as a defense in-depth measure.
- The obsolete
gnu-netcatadd-on has been dropped.
- Updated packages:
nano7.0, OpenSSH 9.1p1, OpenSSL 1.1.1s, OpenVPN 2.5.8,
- Updated add-ons:
sdl22.26.0, Tor 0.4.7.12
As always, we thank all people contributing to this release in whatever shape and form. Please help testing this update, especially if you are using exotic hardware, uncommon network setups, or add-ons, and provide feedback - which is absolutely essential to us.