OPNsense Forum
Archive => 15.1 Legacy Series => Topic started by: franco on February 22, 2015, 11:24:10 am
-
Hello again,
with the bulk load of 15.1.6.1 out of the way, it’s time to bikeshed about our favourite topic: security. We have now have images and packages built against LibreSSL on amd64 (i386 possible if there are requests—speak up). They are fully compatible with the standard images and you will be able switch back and forth with a wee bit of command line trickery as new stable versions get released. So far we’ve had no visible issues although we would love to know if you run into any issues.
The images can be found here:
https://pkg.opnsense.org/snapshots/
To upgrade your existing amd64 installation (hopefully 15.1.6.1) you need to drop to the command line and install your favourite editor(s):
# pkg install vim-lite joe nano
Edit /usr/local/etc/pkg/repos/OPNsense.conf and replace “latest” with “libressl”. Save and exit.
In the GUI, run the firmware upgrade. It should upgrade you to opnsense 15.1.6.1_1 (no, that’s not a joke). If you upgraded from below 15.1.6, please update the base system afterwards using:
# opnsense-update && reboot
Switching back to OpenSSL is done by reediting the OPNsense.conf file, but you might be stuck since the OpenSSL version is “older”. The following might work after editing the file:
# pkg upgrade -fy
# pkg autoremove
# reboot
Please write in with your feedback, both bad and good.
Until then,
Franco
-
This is only important if you use SSL to use the WebConfigurator, or in general?
For my home use I don't use SSL connections to my firewall or NAS. I don't have a private certificate and would therefore allow a self signed certificate. Which doesn't make sense to me.
-
It is a general security thing. OpenSSL is used for crypto and hashing in a wide range of software. Here is what happens when you try to delete libressl from the release:
# pkg delete -n libressl
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 28 packages (of 0 packages in the universe):
Installed packages to be REMOVED:
libressl-2.1.3
libevent2-2.0.22_1
curl-7.40.0
voucher-0.1_4
strongswan-5.2.2
relayd-5.5.20140810_1
python27-2.7.9_1
php56-openssl-5.6.6
openvpn-2.3.6_1
openssh-portable-6.7.p1_1,1
ntp-4.2.8p1
mpd5-5.7_1
mpd4-4.4.1_2
miniupnpd-1.9_1,1
lighttpd-1.4.35_5
ipmitool-1.8.14_1
bind99-9.9.6P2
openldap-client-2.4.40_1
nettle-2.7.1
libssh2-1.4.3_5,2
git-2.3.0
check_reload_status-0.0.3_1
ifstated-5.1,3
php56-curl-5.6.6
opnsense-15.1.6.1_1
php56-ldap-5.6.6
dnsmasq-2.72,1
pecl-ssh2-0.12
With a total of 131 packages that's over 20% of dependencies.
-
Alright, I don't mind testing but will need a i386 version then.
The net6501 is 32 bit with some 64 bit extenstions, so can't boot 64 bit.
-
I just switched and seems OK at first glance,
To be fair I am not using it as my main gateway (that is still an OpenBSD box) but infront of my virtual test env.
So far so good.
-
Thanks guys, that's highly appreciated.
i386 variant will hit the mirror tonight or tomorrow morning.
-
Cool. Just need to be able to get it booting.
Will open a topic on that.
-
Downloaded and installed (AMD Athlon 5350 on Asus AM1M-A, 4Gb ECC unb DDR3).
System logs (Gateway section) complains:
Feb 22 17:04:15 OPNsense apinger: SIGHUP received, reloading configuration.
Feb 22 17:03:43 OPNsense apinger: SIGHUP received, reloading configuration.
Feb 22 16:56:58 OPNsense apinger: SIGHUP received, reloading configuration.
Feb 22 16:56:31 OPNsense apinger: Starting Alarm Pinger, apinger(18779)
Feb 22 16:55:01 OPNsense apinger: No usable targets found, exiting
Feb 22 16:55:01 OPNsense apinger: Starting Alarm Pinger, apinger(14594
other than that in logs, everything I am using (basic fw, DHCP4, upnp) seems to work.
I predict there is going to be an issue with PowerD but it's issue of a FreeBSD itself (AM1 platforms crash after turning on cpu power management)
-
I will also need an i386 version. Right now I'm limited to i386 until I can sort out why FreeBSD doesn't like my test PowerEdge server :(
-
I managed to screw up the i386 ports build twice in a row. Images tonight.
shaqan: The apinger issue seems unrelated. Must be something with the networking setup instead?
-
Updated my KVM to the LibreSSL version, worked without problems.
I'm getting a lot of those but I think they are there since 15.1.6.1:
Feb 23 14:13:16 getty[7118]: getty: unknown gettytab entry 'al.Pc'
Feb 23 14:13:16 getty[7118]: getty: unknown gettytab entry 'al.Pc'
Feb 23 14:13:16 getty[86940]: tcsetattr /dev/ttyv0: Operation not supported
Feb 23 14:13:16 getty[86940]: tcsetattr /dev/ttyv0: Operation not supported
One question though. I remember seeing bind99 being upgraded. AFAIK, we're only using Unbound or Dnsmasq. Why do we have bind on board?
-
Gentlemen, i386 images are up. Terribly sorry for the delay.
arthurdent: yes, this is a regression in 15.1.6.1 following the FreeBSD 10.1 upgrade. From the announcement:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
QUICK UPDATE: A regression sneaked into the release that renders the console unusable when "System: Advanced: Admin Access: Console menu protection" is being disabled. As far as we can see, this does not effect anything but the console login so you should be able to log back in and recheck the option to get it back (even though you will have to type the username/password).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Yes you are right, bind 9.9 is barely needed. It was there so in order to not break anything we push it through and pull in security updates. Today I upgraded to bind 9.10 or its stripped down version of bind-tools, so far it seems nsupdate is the only used utility. We will replace it with a sensible equivalent as soon as possible.
-
Will try the i386 version tomorrow in combination with the Soekris met6501 boot problem.
-
Just updated with the i386 images and all appears to be working without issue for the time being.
Not sure what else to check :)
By the way, nsupdate is most likely used for the RFC 2136 DYNDNS update service portion.
-
Yeah, that is true, its invoke is in the dyndns code section. Do you know of a sensible replacement in that regard?
-
I do not know of a sensible replacement. Nsupdate itself should be able to be picked off as it's own utility without needing the entire BIND package, but whatever is used would need the same functionality as the nsupdate utility...
By the way, after speaking with Fitch in IRC, there's a possible issue affecting the firewall in regards to libressl.
This was revealed when I attempted to play some Xbox last night and it failed.. The only change done to that firewall since the last time I tried was the libressl upgrade.
I will perform a downgrade tonight and test again. This might reveal other issues with libressl if it works.
I'll keep you posted.
-
So after downgrading back to openssl, my NAT rules for Xbox live are now working properly without further tweaking.
Not sure what the issue is at this time. Just FYI.
-
Just put the libressl setup back on the firewall.
I will do some more testing on this tonight. Just a bit more detail, I'm not running UPnP at this time (I try to avoid it) and when this was working, I had just basic NAT rules for port tcp/udp 3074 and udp 88 going to the static IP of my Xbox.
Once the upgrade completes, I'll reboot, test tonight, and update here.
-
And the result is: It works just fine.
So yes, the issue I had before was not tied to libressl or the testing parts at all.
Looks like happenstance and Xbox live's service was just having issues
-
Okay, that means bind is here to stay. We will have bind 9.10.2 in 15.1.7 in the lightweight bind-tools package so all we can do has been done already. Glad to hear that.
The other non-issue was related to OpenVPN, which is also fixed in 15.1.7.
The patches we pushed to FreeBSD have been accepted and are in 15.1.7.
See a pattern here? ;)
Unfortunately, Python 2.7 is still unpatched and I want to wait till FreeBSD has it and they are waiting for 2.7.10 to be released. That means we have to sit this one out, but we'll continue this parallel LibreSSL track for the releases and are probably able to switch as soon as Python is updated.
Sounds good? ;)
-
Sounds perfect ;D
-
Gentlemen,
bad news is we won't ship images for 15.1.7-LibreSSL. Good news, though, the amd64/i386 packages are updated and await your firmware upgrade.
Yes, please run the firmware upgrade first from the Dashboard.
Then (and only then) run our nifty base upgrade tool on the root shell:
# opnsense-update && reboot
Edit: If you are new to the show, and want to run 15.1.7, grab a 15.1.6.1 snapshot from here and upgrade using the method described above. https://pkg.opnsense.org/snapshots/
Edit2: i386 images are up. You guys realise the i386 LibreSSL snapshot had OpenSSL? :P
Enjoy,
Franco
-
Two problems, don't know if they are LibreSSL-only, though:
I've setup an IKEv2 VPN tunnel, it's shown as down. But it works fine as far as I can see.
Maybe this is related:
Mar 3 14:11:41 OPNsense opnsense: /index.php: XML error: Not well-formed (invalid token) at line 1 in /tmp/strongswan_leases.xml
cat /tmp/strongswan_leases.xml
cat: /tmp/strongswan_leases.xml: No such file or directory
Another strange issue is trying to edit a firewall rule with Chrome (using it on Windows 7 oder 8.1). Clicking on the pencil works only once. After that, clicking on any pencil in any rule makes the rule flicker shortly and then it says I should press the update button because my ruleset has changed.
IE and Firefox seem to work fine.
-
Thanks, will be taken care of shortly. :)
XML for IKEv2: https://github.com/opnsense/core/issues/89
Chrome Rule Edit bug: https://github.com/opnsense/core/issues/90
-
I closed #90 (Chrome Rule Edit bug) as it cannot be reproduced in 15.1.7.
Tested to work fine on:
Windows Vista: Chrome 41
Windows Vista: IE 9
Windows 7: Chrome 41
Windows 7: IE 11
Windows 7: Firefox 36
Mac OSX: Chrome 41
Mac OSX: Firefox 36
Mac OSX: Safari 7.1.3
-
Packages for 15.1.7.1-LibreSSL for amd64 and i386 are up now. Remember these are experimental builds that we do not test as thoroughly as the official version, but as far as we can see they run smoothly. Plus, there's the new LibreSSL 2.1.4 in there. Have fun. :)
-
No woes? No complaints? No wishes? It looks like we are ready to make the switch. I have prodded our FreeBSD friends and maybe the Python 2.7 patches will hit the ports tree very soon now. :)
-
Apart from the DuckDNS thing not for me.
-
No woes? No complaints? No wishes?
Actually one show stopper for me.
I don't use modern hardware with AES-NI, but I do have quad core Xeon machines each with two Broadcom 5823 Crypto Accelerators inside. They work really well with the ubsec driver and cryptodev.
http://www.broadcom.com/products/Security/Encryption-Coprocessors/BCM5823 (http://www.broadcom.com/products/Security/Encryption-Coprocessors/BCM5823)
Sadly, the LibreSSL people don't like old kit and have cut out all the hardware crypto card support that is still in OpenSSL. This pretty much means that I have a substantial performance advantage staying with OpenSSL. Consequently, although I am interested in testing OPNsense, replacing OpenSSL with LibreSSL pretty much makes it pointless for me to participate.
-
That's true. Maybe we'll continue the two track approach, although some modifications will have to be made so it's possible to switch between package repositories more easily from the GUI. I'll look at this in more detail soon.
15.8.3 and 15.8.3 are probably being shipped today. I did not want to push a faulty LibreSSL version without the necessary stability of the GUI config system. Now is the time. :)
-
All packages for 15.1.8.3-LibreSSL are up. 8)
-
Thanks!
-
15.1.9_LibreSSL updates and images are up: https://pkg.opnsense.org/snapshots/
Disclaimer: still experimental; yadda, yadda; please also read the 15.1.9 announcement... https://forum.opnsense.org/index.php?topic=306.0
Have fun. Report back. :)
-
As I said on IRC, update through console went without a problem.
-
Been testing the past couple of libressl versions and I can't find anything to be broken. What's the actual holdup for shifting over to it? Any programs that depend on openssl and need patches to work?
-
Demetris,
The FreeBSD ports tree still isn't ready by default (Python 2.7 is missing LibreSSL build support). I have some patches to push upstream as well, and Bernard and others are doing a lot more work behind the scenes. See:
http://www.bsdnow.tv/episodes/2015_03_25-ssl_in_the_wild (the interview bits with Bernard Spil)
There is the question of hardware acceleration which isn't in LibreSSL as far as I heard, but I need to check back with LibreSSL devs to be sure or hear their plans.
What we are most likely going to do is release both versions officially in the future as soon as we have automated build infrastructure up and running (building 2 versions in parallel was tricky, building 4 is impossible from this laptop). Donations and help are welcome in that regard. This will most likely materialise for 15.7.
In any case, LibreSSL builds are becoming more frequent with images and timely updates and we want to keep this up. :)
-
My install of 15.1.9-LibreSSL went seamlessly and the console upgrade to latest 15.1.11.1 went through without any hassle. [amd64, SSD, 3NIC em(4), ath(4)]
So far all seems to run proper. :)
-
Maybe one last bump for this thread.
It looks like upgrading from as far back as 15.1.9 works seamlessly, but the snapshots are getting pretty old. Since all of this ran smoothly up until now, there will be official 15.7 images based on LibreSSL. You guys deserve it. <3
For completeness (and because pkgng isn't quite ready yet to move from OpenSSL to LibreSSL as more testing has revealed) here's how to acquire a fresh and current LibreSSL install:
1. Go to the snapshots and install on the target system: https://pkg.opnsense.org/snapshots/15.1.9_LibreSSL/
2. On the console trigger Option 12 to bring your system up to speed.
3. Enjoy.