Author Topic: Dynamic DNS Hardening on 17.1.2+  (Read 2152 times)

fabian

Dynamic DNS Hardening on 17.1.2+
« on: March 03, 2017, 07:48:19 pm »
Dear OPNsense users,

on a pull request we got, we found out that dynamic DNS has TLS certificate checks disabled on most services.
I have tested some of them to see whether the certificate of the service is trusted*.
First of all, the good news: most of the tested services are trusted. But there is a downside: some services experience issues when you use LibreSSL. The bug is already fixed in LibreSSL, but the fix has not yet gone upstream as a production release.

I have enabled the certificate checks again on some services, and this will go into the beta series of 17.7 and will finally be released then. In the meantime, we would be glad to hear some feedback on whether the patch is working. You may install it on your device via
Code:
opnsense-patch f0f65fc
Find the full commit here to see which services are affected:
https://github.com/opnsense/core/commit/f0f65fc9ad1d7750bf1cb50d470accab93a9afd5

Stay safe

Fabian


* tried to use cURL on the command line which should use the same trust store as the scripts of OPNsense.
If you want to test the connection by yourself, run
Code:
curl -v "https://example.com"
-v is for verbose, so the shell will show the result of the HTTPS handshake.

Edit: removed dot from command
« Last Edit: March 03, 2017, 09:53:03 pm by fabian »
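
The manual curl test from the post, extended to a list of URLs, as an added example that is not part of the original post or of OPNsense's code. It leaves certificate verification on and maps curl's exit codes to a verdict, so a trust-store failure can be told apart from other TLS or network errors. The function names and verdict labels are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: check HTTPS endpoints with certificate verification enabled.
# Usage: sh check_tls.sh https://service-one.example https://service-two.example

# Map a curl exit code to a short verdict (labels are this example's own).
classify_curl_exit() {
    case "$1" in
        0)      echo "trusted" ;;                # handshake and verification OK
        60)     echo "untrusted-certificate" ;;  # not verifiable with known CAs
        51)     echo "certificate-rejected" ;;   # peer certificate was not OK
        35)     echo "tls-connect-error" ;;      # TLS handshake itself failed
        77)     echo "trust-store-unreadable" ;; # problem reading the CA bundle
        6|7|28) echo "network-error" ;;          # DNS, connect or timeout
        *)      echo "other-error" ;;
    esac
}

# Probe one URL. No -k/--insecure, so the system trust store decides.
check_endpoint() {
    rc=0
    curl --silent --output /dev/null --max-time 10 "$1" || rc=$?
    classify_curl_exit "$rc"
}

# Read URLs from stdin (one per line, '#' comments allowed) and print
# "verdict<TAB>url" for each.
check_all() {
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        case "$url" in \#*) continue ;; esac
        printf '%s\t%s\n' "$(check_endpoint "$url")" "$url"
    done
}

# Only probe when URLs are given on the command line.
if [ "$#" -gt 0 ]; then
    printf '%s\n' "$@" | check_all
fi
```

Any verdict other than "trusted" for a service is worth rerunning by hand with `curl -v` to read the handshake output.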