[Request for Testing] OPNsense LibreSSL flavour

[Dominian]

I do not know of a sensible replacement.  Nsupdate itself should be able to be picked off as it's own utility without needing the entire BIND package, but whatever is used would need the same functionality as the nsupdate utility...

By the way, after speaking with Fitch in IRC, there's a possible issue affecting the firewall in regards to libressl.

This was revealed when I attempted to play some Xbox last night and it failed.. The only change done to that firewall since the last time I tried was the libressl upgrade.

I will perform a downgrade tonight and test again.  This might reveal other issues with libressl if it works.

I'll keep you posted.

[Dominian]

So after downgrading back to openssl, my NAT rules for Xbox live are now working properly without further tweaking.

Not sure what the issue is at this time.  Just FYI.

[Dominian]

Just put the libressl setup back on the firewall.

I will do some more testing on this tonight.  Just a bit more detail, I'm not running UPnP at this time (I try to avoid it) and when this was working, I had just basic NAT rules for port tcp/udp 3074 and udp 88 going to the static IP of my Xbox.

Once the upgrade completes, I'll reboot, test tonight, and update here.

[Dominian]

And the result is: It works just fine.

So yes, the issue I had before was not tied to libressl or the testing parts at all.

Looks like happenstance and Xbox live's service was just having issues

[franco]

Okay, that means bind is here to stay. We will have bind 9.10.2 in 15.1.7 in the lightweight bind-tools package so all we can do has been done already. Glad to hear that.

The other non-issue was related to OpenVPN, which is also fixed in 15.1.7.

The patches we pushed to FreeBSD have been accepted and are in 15.1.7.

See a pattern here?

Unfortunately, Python 2.7 is still unpatched and I want to wait till FreeBSD has it and they are waiting for 2.7.10 to be released. That means we have to sit this one out, but we'll continue this parallel LibreSSL track for the releases and are probably able to switch as soon as Python is updated.

Sounds good?

[mitsos]

Sounds perfect 

[franco]

Gentlemen,

bad news is we won't ship images for 15.1.7-LibreSSL. Good news, though, the amd64/i386 packages are updated and await your firmware upgrade.

Yes, please run the firmware upgrade first from the Dashboard.

Then (and only then) run our nifty base upgrade tool on the root shell:

Code: [Select]

# opnsense-update && reboot
Edit: If you are new to the show, and want to run 15.1.7, grab a 15.1.6.1 snapshot from here and upgrade using the method described above. https://pkg.opnsense.org/snapshots/

Edit2: i386 images are up. You guys realise the i386 LibreSSL snapshot had OpenSSL?


Enjoy,
Franco

[athurdent]

Two problems, don't know if they are LibreSSL-only, though:

I've setup an IKEv2 VPN tunnel, it's shown as down. But it works fine as far as I can see.
Maybe this is related:

Code: [Select]

Mar  3 14:11:41 OPNsense opnsense: /index.php: XML error: Not well-formed (invalid token) at line 1 in /tmp/strongswan_leases.xml

cat /tmp/strongswan_leases.xml
cat: /tmp/strongswan_leases.xml: No such file or directory

Another strange issue is trying to edit a firewall rule with Chrome (using it on Windows 7 oder 8.1). Clicking on the pencil works only once. After that, clicking on any pencil in any rule makes the rule flicker shortly and then it says I should press the update button because my ruleset has changed.
IE and Firefox seem to work fine.

[franco]

Thanks, will be taken care of shortly.

XML for IKEv2: https://github.com/opnsense/core/issues/89
Chrome Rule Edit bug: https://github.com/opnsense/core/issues/90

[jschellevis]

I closed #90 (Chrome Rule Edit bug) as it cannot be reproduced in 15.1.7.

Tested to work fine on:
Windows Vista: Chrome 41
Windows Vista: IE 9
Windows 7: Chrome 41
Windows 7: IE 11
Windows 7: Firefox 36
Mac OSX: Chrome 41
Mac OSX: Firefox 36
Mac OSX: Safari 7.1.3

[franco]

Packages for 15.1.7.1-LibreSSL for amd64 and i386 are up now. Remember these are experimental builds that we do not test as thoroughly as the official version, but as far as we can see they run smoothly. Plus, there's the new LibreSSL 2.1.4 in there. Have fun.

[franco]

No woes? No complaints? No wishes? It looks like we are ready to make the switch. I have prodded our FreeBSD friends and maybe the Python 2.7 patches will hit the ports tree very soon now.

[weust]

Apart from the DuckDNS thing not for me.

[vibe]

No woes? No complaints? No wishes?

Actually one show stopper for me.

I don't use modern hardware with AES-NI, but I do have quad core Xeon machines each with two Broadcom 5823 Crypto Accelerators inside. They work really well with the ubsec driver and cryptodev.
http://www.broadcom.com/products/Security/Encryption-Coprocessors/BCM5823

Sadly, the LibreSSL people don't like old kit and have cut out all the hardware crypto card support that is still in OpenSSL. This pretty much means that I have a substantial performance advantage staying with OpenSSL. Consequently, although I am interested in testing OPNsense, replacing OpenSSL with LibreSSL pretty much makes it pointless for me to participate.

[franco]

That's true. Maybe we'll continue the two track approach, although some modifications will have to be made so it's possible to switch between package repositories more easily from the GUI. I'll look at this in more detail soon.

15.8.3 and 15.8.3 are probably being shipped today. I did not want to push a faulty LibreSSL version without the necessary stability of the GUI config system. Now is the time.