[Request for Testing] OPNsense LibreSSL flavour

Started by franco, February 22, 2015, 11:24:10 AM

February 22, 2015, 11:24:10 AM Last Edit: April 10, 2015, 09:24:05 PM by franco
Hello again,

with the bulk load of 15.1.6.1 out of the way, it's time to bikeshed about our favourite topic: security. We now have images and packages built against LibreSSL on amd64 (i386 possible if there are requests, speak up). They are fully compatible with the standard images and you will be able to switch back and forth with a wee bit of command line trickery as new stable versions get released. So far we've had no visible issues, although we would love to know if you run into any.

The images can be found here:

https://pkg.opnsense.org/snapshots/

To upgrade your existing amd64 installation (hopefully 15.1.6.1) you need to drop to the command line and install your favourite editor(s):

# pkg install vim-lite joe nano

Edit /usr/local/etc/pkg/repos/OPNsense.conf and replace "latest" with "libressl". Save and exit.

In the GUI, run the firmware upgrade. It should upgrade you to opnsense 15.1.6.1_1 (no, that's not a joke). If you upgraded from below 15.1.6, please update the base system afterwards using:

# opnsense-update && reboot

Switching back to OpenSSL is done by re-editing the OPNsense.conf file, but you might be stuck since the OpenSSL version is "older". The following might work after editing the file:

# pkg upgrade -fy
# pkg autoremove
# reboot


Please write in with your feedback, both bad and good.


Until then,
Franco
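The switch between the two flavours described above comes down to rewriting one path component in the pkg repository file and then running the firmware upgrade. Here is an added example (not Franco's code, not part of the OPNsense project) that does the edit safely: it validates the requested flavour, keeps a backup, and refuses to touch a file it cannot recognise. It assumes the flavour is the last path component of the repository url (the sample file written by write_sample_repo is constructed for the example and may not match the real OPNsense.conf line for line):

```shell
#!/bin/sh
# Added example, not from the thread: toggle the OPNsense pkg repository
# flavour between "latest" (OpenSSL build) and "libressl" (LibreSSL build).
# Assumption: the flavour is the last path component of the repo url, e.g.
#   url: "pkg+https://pkg.opnsense.org/FreeBSD:10:amd64/latest",

# Write a constructed sample repo file so the example runs offline.
# Real path on an OPNsense box: /usr/local/etc/pkg/repos/OPNsense.conf
write_sample_repo() {
    cat > "$1" <<'EOF'
OPNsense: {
  url: "pkg+https://pkg.opnsense.org/FreeBSD:10:amd64/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  enabled: yes
}
EOF
}

# Print the flavour currently configured in the given repo file
# (empty output if no url line is found).
current_flavour() {
    sed -n 's|.*url: *"[^"]*/\([^/"]*\)".*|\1|p' "$1" | head -n 1
}

# set_flavour FILE FLAVOUR: rewrite the url so it points at FLAVOUR.
# Exit status: 0 on success, 1 for an unknown flavour, 2 if the file has
# no recognisable url line. A copy of the original is left in FILE.bak.
set_flavour() {
    file=$1
    flavour=$2
    case "$flavour" in
        latest|libressl) ;;
        *) echo "unknown flavour: $flavour (use latest or libressl)" >&2; return 1 ;;
    esac
    old=$(current_flavour "$file")
    [ -n "$old" ] || { echo "no url line found in $file" >&2; return 2; }
    cp "$file" "$file.bak"
    sed -i.tmp "s|\(url: *\"[^\"]*/\)$old\"|\1$flavour\"|" "$file" && rm -f "$file.tmp"
    # Confirm the rewrite actually took effect before reporting success.
    [ "$(current_flavour "$file")" = "$flavour" ]
}

# Stand-alone demonstration on the constructed sample file.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    write_sample_repo "$demo"
    echo "before: $(current_flavour "$demo")"
    set_flavour "$demo" libressl
    echo "after:  $(current_flavour "$demo")"
    rm -f "$demo" "$demo.bak"
fi
```

After the file points at the new flavour, the rest of the procedure is unchanged: run the firmware upgrade from the GUI, and when moving back to OpenSSL expect to need the forced pkg upgrade and reboot shown above, since pkg sees the OpenSSL build as a downgrade. The .bak copy lets you restore the previous repository line if the upgrade does not complete.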

This is only important if you use SSL to use the WebConfigurator, or in general?
For my home use I don't use SSL connections to my firewall or NAS. I don't have a private certificate and would therefore allow a self signed certificate. Which doesn't make sense to me.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

It is a general security thing. OpenSSL is used for crypto and hashing in a wide range of software. Here is what happens when you try to delete libressl from the release:

# pkg delete -n libressl
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 28 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
libressl-2.1.3
libevent2-2.0.22_1
curl-7.40.0
voucher-0.1_4
strongswan-5.2.2
relayd-5.5.20140810_1
python27-2.7.9_1
php56-openssl-5.6.6
openvpn-2.3.6_1
openssh-portable-6.7.p1_1,1
ntp-4.2.8p1
mpd5-5.7_1
mpd4-4.4.1_2
miniupnpd-1.9_1,1
lighttpd-1.4.35_5
ipmitool-1.8.14_1
bind99-9.9.6P2
openldap-client-2.4.40_1
nettle-2.7.1
libssh2-1.4.3_5,2
git-2.3.0
check_reload_status-0.0.3_1
ifstated-5.1,3
php56-curl-5.6.6
opnsense-15.1.6.1_1
php56-ldap-5.6.6
dnsmasq-2.72,1
pecl-ssh2-0.12


With a total of 131 packages that's over 20% of dependencies.

Alright, I don't mind testing but will need a i386 version then.
The net6501 is 32 bit with some 64 bit extensions, so it can't boot 64 bit.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

I just switched and seems OK at first glance,

To be fair I am not using it as my main gateway (that is still an OpenBSD box) but in front of my virtual test env.
So far so good.

Thanks guys, that's highly appreciated.

i386 variant will hit the mirror tonight or tomorrow morning.

Cool. Just need to be able to get it booting.
Will open a topic on that.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

February 22, 2015, 06:13:32 PM #7 Last Edit: February 22, 2015, 06:16:46 PM by shaqan
Downloaded and installed (AMD Athlon 5350 on Asus AM1M-A, 4Gb ECC unb DDR3).

System logs (Gateway section) complain:

Feb 22 17:04:15    OPNsense apinger: SIGHUP received, reloading configuration.
Feb 22 17:03:43    OPNsense apinger: SIGHUP received, reloading configuration.
Feb 22 16:56:58    OPNsense apinger: SIGHUP received, reloading configuration.
Feb 22 16:56:31    OPNsense apinger: Starting Alarm Pinger, apinger(18779)
Feb 22 16:55:01    OPNsense apinger: No usable targets found, exiting
Feb 22 16:55:01    OPNsense apinger: Starting Alarm Pinger, apinger(14594


Other than that in the logs, everything I am using (basic fw, DHCP4, upnp) seems to work.

I predict there is going to be an issue with PowerD, but it's an issue of FreeBSD itself (AM1 platforms crash after turning on cpu power management).

I will also need an i386 version.  Right now I'm limited to i386 until I can sort out why FreeBSD doesn't like my test PowerEdge server :(

I managed to screw up the i386 ports build twice in a row. Images tonight.

shaqan: The apinger issue seems unrelated. Must be something with the networking setup instead?

Updated my KVM to the LibreSSL version, worked without problems.
I'm getting a lot of those but I think they are there since 15.1.6.1:

Feb 23 14:13:16 getty[7118]: getty: unknown gettytab entry 'al.Pc'
Feb 23 14:13:16 getty[7118]: getty: unknown gettytab entry 'al.Pc'
Feb 23 14:13:16 getty[86940]: tcsetattr /dev/ttyv0: Operation not supported
Feb 23 14:13:16 getty[86940]: tcsetattr /dev/ttyv0: Operation not supported


One question though. I remember seeing bind99 being upgraded. AFAIK, we're only using Unbound or Dnsmasq. Why do we have bind on board?

February 23, 2015, 10:00:32 PM #11 Last Edit: February 23, 2015, 10:02:17 PM by franco
Gentlemen, i386 images are up. Terribly sorry for the delay.

arthurdent: yes, this is a regression in 15.1.6.1 following the FreeBSD 10.1 upgrade. From the announcement:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
QUICK UPDATE: A regression sneaked into the release that renders the console unusable when "System: Advanced: Admin Access: Console menu protection" is being disabled. As far as we can see, this does not affect anything but the console login, so you should be able to log back in and recheck the option to get it back (even though you will have to type the username/password).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Yes, you are right, bind 9.9 is barely needed. It was there, so in order not to break anything we push it through and pull in security updates. Today I upgraded to bind 9.10, or rather its stripped-down version bind-tools; so far it seems nsupdate is the only utility used. We will replace it with a sensible equivalent as soon as possible.

Will try the i386 version tomorrow in combination with the Soekris net6501 boot problem.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Just updated with the i386 images and all appears to be working without issue for the time being.

Not sure what else to check :)

By the way, nsupdate is most likely used for the RFC 2136 DYNDNS update service portion.

Yeah, that is true, it is invoked in the dyndns code section. Do you know of a sensible replacement in that regard?