Bug #14009
closed
PHP error from upgraded IPsec tunnel containing only deprecated ciphers
100%
Description
PHP error after upgrading to 23.01 and trying to configure IPsec tunnels.
PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /etc/inc/ipsec.inc:2546
Stack trace:
#0 /etc/inc/ipsec.inc(3267): ipsec_setup_tunnels(Array)
#1 /usr/local/www/vpn_ipsec.php(49): ipsec_configure()
#2 {main}
thrown in /etc/inc/ipsec.inc on line 2546
PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/vpn_ipsec_phase1.php:186
Stack trace:
#0 {main}
thrown in /usr/local/www/vpn_ipsec_phase1.php on line 186
Updated by Jim Pingle almost 2 years ago
Do we have access to the config that triggered this? Somehow it would have to have either a completely empty tunnel entry or one that lacks any encryption options in P1 at all, which the GUI won't let you create.
Updated by Jim Pingle almost 2 years ago
- Target version set to 2.7.0
- Plus Target Version changed from 23.01 to 23.05
Updated by Jim Pingle over 1 year ago
- Subject changed from PHP error with IPsec to PHP error from upgraded IPsec tunnel containing only deprecated ciphers
- Assignee set to Jim Pingle
Looks like this is from the upgrade code that removes deprecated encryption options, somehow it ends up with an empty <encryption></encryption> section and then attempting to edit that tunnel triggers this PHP error.
There is a forum thread with additional information: https://forum.netgate.com/topic/178303/ipsec-issue-after-23-01-upgrade
Updated by Jim Pingle over 1 year ago
According to a user on the forum thread, their pre-upgrade configuration contained the following section:
<encryption>
<item>
<encryption-algorithm>
<name>3des</name>
<keylen></keylen>
</encryption-algorithm>
<hash-algorithm>sha512</hash-algorithm>
<prf-algorithm>sha256</prf-algorithm>
<dhgroup>20</dhgroup>
</item>
<item>
<encryption-algorithm>
<name>3des</name>
<keylen></keylen>
</encryption-algorithm>
<hash-algorithm>sha256</hash-algorithm>
<prf-algorithm>sha256</prf-algorithm>
<dhgroup>20</dhgroup>
</item>
</encryption>
Updated by Jim Pingle over 1 year ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 24c0f00ff82d78c1e5301e43df21c2ef8ebecf7f.
Updated by Danilo Zrenjanin over 1 year ago
I applied the patch on:
23.01-RELEASE (amd64) built on Fri Feb 10 20:06:33 UTC 2023 FreeBSD 14.0-CURRENT
However, after restoring the config with the empty <encryption></encryption> section, a PHP crush occurred in the GUI.
Crash report begins. Anonymous machine information:
amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #0 plus-RELENG_23_01-n256037-6e914874a5e: Fri Feb 10 20:30:29 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/obj/amd64/VDZvZksF/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBS
Crash report details:
PHP Errors:
[04-Mar-2023 15:36:12 Etc/UTC] PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /etc/inc/ipsec.inc:2546
Stack trace:
#0 /etc/inc/ipsec.inc(3267): ipsec_setup_tunnels(Array)
#1 /etc/rc.bootup(401): ipsec_configure()
#2 {main}
thrown in /etc/inc/ipsec.inc on line 2546
No FreeBSD crash data found.
Yet, I could edit the IPsec in the GUI with no new crashes.
Updated by Jim Pingle over 1 year ago
- Status changed from Feedback to In Progress
- % Done changed from 100 to 90
Updated by Jim Pingle over 1 year ago
- Status changed from In Progress to Feedback
- % Done changed from 90 to 100
Applied in changeset d24242c77ae420b9df0723ca6f1dab209e69c357.
Updated by Danilo Zrenjanin over 1 year ago
- Status changed from Feedback to Resolved
That fixed it. I am marking this ticket resolved.