OPNsense Forum
Archive => 16.1 Legacy Series => Topic started by: chemlud on June 08, 2016, 11:53:57 am
-
Hi!
On 16.1.16 i386 nano I changed from openSSL to libreSSL "flavour" in the general settings, did a reboot, but afterward in the Dashboard I still see the openSSL version, not libreSSL. How to verify which SSL I'm currently using?
Update:
OOpppps, sorry, I pressed the UPDATE button and saw that libreSSL was not already installed, so doing my homework now ;-)
-
Yes, sorry, the new firmware GUI improvements will make this clearer with 16.7 onwards. The FreeBSD ports ecosystem requires two separate repositories to make OpenSSL and LibreSSL work.
-
...with libreSSL (even after another reboot) my openVPN tunnel to a pfsense 2.3.1_1 server (pre-shared key) did not come back. Switched back to openSSL for the while, tunnel back to normal.
Coincidence or might it be related to libreSSL and openSSL not playing nice together?
-
It sounds like the latter, which would be a bug. What ciphers/algos are used?
I do hope this is not a regression from LibreSSL 2.2 -> 2.3, but I'm thinking you didn't run 2.2.x previously, right? Since 16.1.16, we have the newer LibreSSL.
-
Peer-to-peer, UDP, tun
AES-256-CBC
SHA512
More info needed? :-)
No, never tried LibreSSL before...
-
I don't know yet. Took a peek at the release notes for 2.3, but nothing serious.
Changing cipher/hash to see if that makes a difference would help narrow it down, but only if you have some time to play with it.
Is this a pfSense with AESNI support on the other side?
-
nope, an Openvox IPC110 with i386 full from one of these notorious dealers ;-)
-
The only thing that I can come up with here is that the LibreSSL i386 build is misbehaving. They do have lots of tests, but from current experiences with OpenBSD i386 it can lag behind in care.
It's probably out of the question to run a LibreSSL test with amd64, but it would be needed to confirm before reporting it upstream.