Project

General

Profile

Actions

Bug #14009

closed

PHP error from upgraded IPsec tunnel containing only deprecated ciphers

Added by Marcos M almost 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.05
Release Notes:
Default
Affected Version:
2.7.0
Affected Architecture:

Description

PHP error after upgrading to 23.01 and trying to configure IPsec tunnels.

PHP Fatal error:  Uncaught TypeError: Cannot access offset of type string on string in /etc/inc/ipsec.inc:2546
Stack trace:
#0 /etc/inc/ipsec.inc(3267): ipsec_setup_tunnels(Array)
#1 /usr/local/www/vpn_ipsec.php(49): ipsec_configure()
#2 {main}
  thrown in /etc/inc/ipsec.inc on line 2546

PHP Fatal error:  Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/vpn_ipsec_phase1.php:186
Stack trace:
#0 {main}
  thrown in /usr/local/www/vpn_ipsec_phase1.php on line 186

Actions #1

Updated by Jim Pingle almost 2 years ago

Do we have access to the config that triggered this? Somehow it would have to have either a completely empty tunnel entry or one that lacks any encryption options in P1 at all, which the GUI won't let you create.

Actions #2

Updated by Jim Pingle almost 2 years ago

  • Target version set to 2.7.0
  • Plus Target Version changed from 23.01 to 23.05
Actions #3

Updated by Jim Pingle almost 2 years ago

  • Subject changed from PHP error with IPsec to PHP error from upgraded IPsec tunnel containing only deprecated ciphers
  • Assignee set to Jim Pingle

Looks like this is from the upgrade code that removes deprecated encryption options, somehow it ends up with an empty <encryption></encryption> section and then attempting to edit that tunnel triggers this PHP error.

There is a forum thread with additional information: https://forum.netgate.com/topic/178303/ipsec-issue-after-23-01-upgrade

Actions #4

Updated by Jim Pingle almost 2 years ago

According to a user on the forum thread, their pre-upgrade configuration contained the following section:

            <encryption>
                <item>
                    <encryption-algorithm>
                        <name>3des</name>
                        <keylen></keylen>
                    </encryption-algorithm>
                    <hash-algorithm>sha512</hash-algorithm>
                    <prf-algorithm>sha256</prf-algorithm>
                    <dhgroup>20</dhgroup>
                </item>
                <item>
                    <encryption-algorithm>
                        <name>3des</name>
                        <keylen></keylen>
                    </encryption-algorithm>
                    <hash-algorithm>sha256</hash-algorithm>
                    <prf-algorithm>sha256</prf-algorithm>
                    <dhgroup>20</dhgroup>
                </item>
            </encryption>
Actions #5

Updated by Jim Pingle almost 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #6

Updated by Danilo Zrenjanin almost 2 years ago

I applied the patch on:

23.01-RELEASE (amd64)
built on Fri Feb 10 20:06:33 UTC 2023
FreeBSD 14.0-CURRENT

However, after restoring the config with the empty <encryption></encryption> section, a PHP crush occurred in the GUI.

Crash report begins.  Anonymous machine information:

amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #0 plus-RELENG_23_01-n256037-6e914874a5e: Fri Feb 10 20:30:29 UTC 2023     root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/obj/amd64/VDZvZksF/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBS

Crash report details:

PHP Errors:
[04-Mar-2023 15:36:12 Etc/UTC] PHP Fatal error:  Uncaught TypeError: Cannot access offset of type string on string in /etc/inc/ipsec.inc:2546
Stack trace:
#0 /etc/inc/ipsec.inc(3267): ipsec_setup_tunnels(Array)
#1 /etc/rc.bootup(401): ipsec_configure()
#2 {main}
  thrown in /etc/inc/ipsec.inc on line 2546

No FreeBSD crash data found.

Yet, I could edit the IPsec in the GUI with no new crashes.

Actions #7

Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to In Progress
  • % Done changed from 100 to 90
Actions #8

Updated by Jim Pingle almost 2 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 90 to 100
Actions #9

Updated by Danilo Zrenjanin almost 2 years ago

  • Status changed from Feedback to Resolved

That fixed it. I am marking this ticket resolved.

Actions

Also available in: Atom PDF