Project

General

Profile

Activity

From 11/05/2019 to 12/04/2019

12/04/2019

11:41 PM Feature #9869: Allow CRL entries to be made by serial number
tested on 2.5.0.a.20191203.0148
Resolved Viktor Gurov
04:32 PM Revision 864cf5e1: Revert "Enable Multipath in FRR 7. Implements #9545"
This reverts commit 5fc75545d779e56468ec8c30e573c87f491a980a. Renato Botelho
04:32 PM Revision b0e6754e: Revert "Restore newline at EOF"
This reverts commit bb51e33ba32e0e9b4b6925564c1183cc77923900. Renato Botelho
03:57 PM Revision 66d76b76: Fix #6846: Properly detect Super Micro C2558/C2758
(cherry picked from commit 4de6f04d5f4eb69e9293dad6f47ce66f7d3baec1) Renato Botelho
03:37 PM Revision 2c63d42e: Add RFC 8031 Group 31 to IPsec. Implements #9531
(cherry picked from commit 4fc267484e604509b072b398642f19cb6797ef21) Jim Pingle
10:06 AM Feature #9531: [IPSEC] Add additional curve-based DH Groups (31+)
Jim Pingle wrote:
> I picked back the Group 31 change only to 2.4.5 to test since it was reported to function. If it... Jens Groh
09:38 AM Feature #9531 (Feedback): [IPSEC] Add additional curve-based DH Groups (31+)
I picked back the Group 31 change only to 2.4.5 to test since it was reported to function. If it works, re-target thi... Jim Pingle
08:03 AM Feature #9825 (Feedback): Requirements for trusted certificates in iOS 13 and macOS 10.15
The default GUI cert lifetime of 825 days needs checked on 2.4.5 snapshots. If it's OK, move target back to 2.5.0 sin... Jim Pingle
06:34 AM Bug #9723 (Not a Bug): DHCPv6 server for several interfaces isn't working on all interfaces
Jim Pingle
02:23 AM Bug #9723: DHCPv6 server for several interfaces isn't working on all interfaces
I cannot reproduce this any more. I don't know how this happened but now it's working. Pim Pish
02:20 AM Feature #9942 (New): Give pfSense the possibility to change the keyboard Layout for console users
In pfSense 2.4.4 you can choose a keyboard Layout during installation but the selection won't affect the system. Keyb... Pim Pish

12/03/2019

04:52 PM Revision e79fdf50: Fix the build of miniupnpd in 12, disable CHECK_PORTINUSE.
(cherry picked from commit b761d75c2edc056576c669d36574793c5d13bdda) Luiz Souza
04:37 PM Revision 8df1dee2: Remove zabbix 3.2 and 3.4 options
(cherry picked from commit 1b5941ebe023ad5f72c93325cc427d2e7af5bd56) Renato Botelho
04:36 PM Revision 3b8482db: Enable LDAP for sudo and build nss_ldap. Fixes #9399
(cherry picked from commit 7db5a396d398b010bfb70048881a6cec0577338f) Jim Pingle
04:34 PM Revision 239192a0: Set bind 9.12 options
(cherry picked from commit 342519c47e300cd355d8dbe023704ebba4235299) Renato Botelho
04:33 PM Revision bb51e33b: Restore newline at EOF
(cherry picked from commit 840a0d4335182056f6eb0942d5661e83b400ac8b) Renato Botelho
04:33 PM Revision 5fc75545: Enable Multipath in FRR 7. Implements #9545
(cherry picked from commit 1836b0c237efdf9bf2ce9fab798f2718f0fd6028) Jim Pingle
04:29 PM Revision ed236d9a: Remove zabbix 2.2 leftovers
Renato Botelho
03:49 PM Revision 328d24fe: Remove zabbix 2.2, 3.2 and 3.4 packages
Renato Botelho
03:35 PM Revision e34757e3: Fix drm port name
Renato Botelho
03:33 PM Revision 95a45da5: Revert "Build net/ng_etf-kmod"
Add it to 2.4.5 kernel
This reverts commit 82887eb03ff3d3c83a3cc6295ad73214284329d0. Renato Botelho
01:49 PM Revision 4e02ccf7: Bump version to 2.4.5
Renato Botelho
01:36 PM Bug #9296: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
Luiz Souza wrote:
> A fix based on Gavin's PR was committed, please let me know if the problem persists.
>
> Than... Robert Gijsen
10:14 AM Bug #9941: Enabling OpenVPN interface should not validate PPPoE passwords
You can apply the patch from the other issue to test using the System Patches package -- if you need help figuring th... Jim Pingle
10:07 AM Bug #9941: Enabling OpenVPN interface should not validate PPPoE passwords
Jim Pingle wrote:
> This is probably solved by #9864, if not, it's your browser auto-fill that is the problem here.
... Nick DeMarco
09:56 AM Bug #9941 (Duplicate): Enabling OpenVPN interface should not validate PPPoE passwords
This is probably solved by #9864, if not, it's your browser auto-fill that is the problem here. Jim Pingle
09:54 AM Bug #9941 (Duplicate): Enabling OpenVPN interface should not validate PPPoE passwords
Enabling the OpenVPN interface fails if the browser autofills a password in the hidden field PPPoE Password. The brow... Nick DeMarco
01:51 AM Feature #9939: Scheduled update or upgrade option
Jim Pingle wrote:
> That is still very dangerous. An upgrade should always be directly monitored by the admin in cas... Robbie van Moerkerk

12/02/2019

07:04 PM Revision 9d6adc62: "don't" -> "doesn't" (typo fix for help text)
something-big
05:16 PM Bug #9296 (Resolved): Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
Luiz Souza
02:41 PM Bug #9296: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
* Luiz Souza wrote:
> A fix based on Gavin's PR was committed, please let me know if the problem persists.
Conf... Christian Ullrich
08:40 AM Bug #9296: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
* Robert Gijsen wrote:
> Maybe a stupic question, but as I don't have any git or build tools available within pfSe... Christian Ullrich
05:25 AM Bug #9296: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
Luiz Souza wrote:
> A fix based on Gavin's PR was committed, please let me know if the problem persists.
>
> Than... Robert Gijsen
04:26 PM pfSense Packages Bug #9849: NUT not starting as root? Isn't loading USB drivers?
Braden McGrath wrote:
> Ryan McCullough wrote:
> > It looks like the NUT/UPS driver isn't loading the USB driver un... Ryan McCullough
04:16 PM pfSense Packages Bug #9849: NUT not starting as root? Isn't loading USB drivers?
Ryan McCullough wrote:
> It looks like the NUT/UPS driver isn't loading the USB driver unless I pass the "-u root" p... Braden McGrath
01:57 PM Revision 5a0f6513: simplify queue stats parser
Lucas Held
01:24 PM pfSense Packages Bug #9940 (Duplicate): Removing "default" view under monitoring blocked
Duplicate of #9352 Jim Pingle
12:56 PM pfSense Packages Bug #9940 (Duplicate): Removing "default" view under monitoring blocked
I managed to add a extra view named "default" in the monitoring page. When trying to remove said misstake it is not p... Joakim Dellrud
09:35 AM Feature #9939: Scheduled update or upgrade option
That is still very dangerous. An upgrade should always be directly monitored by the admin in case it does not go as p... Jim Pingle
08:20 AM Feature #9939: Scheduled update or upgrade option
Jim Pingle wrote:
> Having any kind of fully automated update function is very dangerous. Since the process can be t... Robbie van Moerkerk
07:33 AM Feature #9939 (Rejected): Scheduled update or upgrade option
Having any kind of fully automated update function is very dangerous. Since the process can be triggered from the con... Jim Pingle
05:37 AM Feature #9939 (Rejected): Scheduled update or upgrade option
While updating our pfsense cluster we would like to schedule the update/ upgrade found. Please implement an option to... Robbie van Moerkerk
07:33 AM Bug #9938 (Pull Request Review): Queue stats parser broken if bytes > 9999999999
Jim Pingle

12/01/2019

05:34 PM Revision e5deede5: support variable value length in queue stats parser
Lucas Held
01:03 PM Bug #9938 (Resolved): Queue stats parser broken if bytes > 9999999999
Hello,
currently the queue stats parser in the file "/etc/inc/shaper.inc" assumes that the bytes value does not exce... Lucas Held

11/29/2019

09:39 PM Feature #9639: Cloudflare DDNS "API Token"
+1 to getting them supported in the Dynamic DNS service.
They are already supported in the "acme" plugin, but they... John M
07:05 PM Revision 7ee29634: curve_compatible_list - array of all compat curves
Viktor Gurov
02:41 PM Revision e99c638b: Init aliases array before use. Fixes #9936
Jim Pingle
02:08 PM Revision 5b535261: Allow revoking serial '0' by number. Fixes #9869
Jim Pingle
01:49 PM Revision 1b970bb2: Only try existent devices when looking for the dump device.
Luiz Souza
08:50 AM Bug #9936 (Feedback): zombie alias check errors if no alises exist
Applied in changeset commit:e99c638b78540efa478dbb3360943c67de72c1af. Jim Pingle
08:41 AM Bug #9936 (In Progress): zombie alias check errors if no alises exist
Jim Pingle
08:46 AM Feature #9937: OpenVPN Login User Privilege
If this is added it would have to be off by default and enabled on a per-server basis. Jim Pingle
08:29 AM pfSense Packages Bug #9935 (Pull Request Review): hide ECDSA certs for Zabbix
Jim Pingle
08:27 AM Feature #9842 (Pull Request Review): Add CA/certificate renewal function
Jim Pingle
08:15 AM Feature #9869 (Feedback): Allow CRL entries to be made by serial number
Applied in changeset commit:5b535261acc969af2e22dcbd6798c881d42a576a. Jim Pingle
07:41 AM Feature #9869 (In Progress): Allow CRL entries to be made by serial number
Jim Pingle
08:11 AM Bug #9785 (Resolved): ACB permits manual backup attempt when disabled
Jim Pingle
07:41 AM pfSense Packages Bug #9932 (Rejected): Squid is not showing CAs for SSL Interception
Can't reproduce this on 2.5.0 or 2.4.4 Both show CAs as they should. Post on the forum if you are still having issues. Jim Pingle

11/28/2019

02:33 PM Revision 6c97c186: Typo fix
(cherry picked from commit 463d5d11726084575b166dffe4b85164b2f5a5c3) Steve Beaver
01:46 PM Revision 00d9ce91: typo
Viktor Gurov
01:37 PM Revision 941470ef: prime256v1 ec curve for renew
Viktor Gurov
11:42 AM Feature #9937 (New): OpenVPN Login User Privilege
Hello pfsense development Team,
It would be awesome to have a "VPN - User: Openvpn Dialin" privilege in the Group ... Arthur Besnard
11:24 AM Bug #9936 (Resolved): zombie alias check errors if no alises exist
It appears not to check if aliases exist on the system before trying to load the array throwing this error:... Steve Wheeler
10:18 AM pfSense Packages Bug #9935 (Resolved): hide ECDSA certs for Zabbix
ECDSA certificates are not yet supported in Zabbix
see https://support.zabbix.com/browse/ZBXNEXT-5475
https:/... Viktor Gurov
08:59 AM Bug #8468: Status / Queues show mostly NaN
Same problem here, some values are displayed as NaN in the status_queues page.
2 screenshots attached, the diag_pfto... Jo S
08:00 AM pfSense Packages Bug #9934: suricata update kills WAN interface
Suricata is running in INLINE IPS mode. Every time, when suricata is stopped or started, it does a link up/down. Is t... Srijan Nandi
07:28 AM pfSense Packages Bug #9934 (Closed): suricata update kills WAN interface
Hello Everyone,
I am running pfSense *2.4.4-RELEASE-p3 (amd64*) with suricata *VERSION 4.1.5_2*. I had set suricat... Srijan Nandi
07:43 AM Feature #9842: Add CA/certificate renewal function
https://github.com/pfsense/pfsense/pull/4122
I think that we need to decide which EC is minimum.
prime256v1 or se... Viktor Gurov
03:40 AM Feature #9842: Add CA/certificate renewal function
Jim Pingle wrote:
> This should be complete for now. I didn't add a CLI script, as it didn't seem necessary yet. On ... Viktor Gurov
07:31 AM Bug #9296 (Feedback): Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
A fix based on Gavin's PR was committed, please let me know if the problem persists.
Thanks Luiz Souza
05:29 AM Bug #9933 (Resolved): Captive Portal + Voucher not keeping auto-added "Pass-through MAC Auto Entry"
With Captive Portal, the "Enabled Pass-through MAC Auto Entry" should normally keep definitvly the MAC address into t... Johan DEVELON
04:45 AM Feature #9862 (Resolved): Add support for waiting between ping-packages on diag_ping.php
Renato Botelho
04:15 AM Feature #9862: Add support for waiting between ping-packages on diag_ping.php
Renato Botelho wrote:
> PR has been merged. Thanks!
tested on pfSense 2.5.0.a.20191127.2047
works as expected,... Viktor Gurov
04:17 AM Bug #9785: ACB permits manual backup attempt when disabled
tested on pfSense 2.5.0.a.20191127.2047
'backup' button is inactive when ACB disabled
Resolved Viktor Gurov
03:47 AM Feature #9869: Allow CRL entries to be made by serial number
tested on pfSense 2.5.0.a.20191127.2047
it do not save serial number 0 (zero) Viktor Gurov
02:55 AM pfSense Packages Feature #9901 (Resolved): show ECDSA CAs only with correct curves
tested on pfSense 2.5.0.a.20191127.2047 with squid 0.4.44_9
correct, resolved Viktor Gurov
02:54 AM pfSense Packages Feature #9906 (Resolved): show ECDSA CAs and certs only with correct curves

tested on pfSense 2.5.0.a.20191127.2047 with freeradius3 0.15.7_6
correct, resolved Viktor Gurov
02:53 AM pfSense Packages Bug #9919 (Resolved): stunnel server connection failure if ECDSA cert is not in IPsec list
tested on pfSense 2.5.0.a.20191127.2047 with stunnel 5.50_2
correct, resolved Viktor Gurov
02:51 AM pfSense Packages Feature #9929 (Resolved): show only ECDSA-safe exports packages
tested on pfSense 2.5.0.a.20191127.2047 with openvpn-client-export 1.4.19_1
correct, resolved Viktor Gurov

11/27/2019

04:32 PM Revision f6e1c731: Switch default NTP pool server. Fixes #9931
2.<x> pools contain both IPv4 and IPv6 hosts.
(cherry picked from commit ae132b611439c15003578e38ec338a60eb9ed904) Jim Pingle
04:32 PM Revision 65db2067: Switch default NTP pool server. Fixes #9931
2.<x> pools contain both IPv4 and IPv6 hosts. Jim Pingle
04:31 PM Revision 0f64460f: Merge pull request #4098 from vktg/delzombiealiases
Renato Botelho
04:29 PM Revision 3b2fb394: Merge pull request #4105 from vktg/guirebootarmcheck
Renato Botelho
04:28 PM Revision fcb61f94: Make hostname optional for for DNS-O-Matic.
This resolves ticket #7601.
(cherry picked from commit 1ccc327f0014d74de501a066df556add28c38e78) gizmotronic
04:28 PM Revision bc542876: Merge pull request #4120 from gizmotronic/dnsomatic-hostname-optional
Renato Botelho
12:06 PM pfSense Packages Bug #9932: Squid is not showing CAs for SSL Interception
Correct Version: 0.4.44_9 Nicolas Bezutt
11:58 AM pfSense Packages Bug #9932 (Rejected): Squid is not showing CAs for SSL Interception
After update to 0.4.4_9, the CA field in SSL Man In The Middle Filtering is no more showing any certificates. Older V... Nicolas Bezutt
11:26 AM Feature #9883 (Resolved): Allow CAs to use randomized serials when signing
Jim Pingle
11:12 AM Feature #9883: Allow CAs to use randomized serials when signing

tested on pfSense 2.5.0.a.20191126.1832
it successfully creates random serials when creating certificates or sig... Viktor Gurov
10:40 AM Bug #9931 (Feedback): 0.pfsense.pool.ntp.org doesn't work on IPv6 only installations
Applied in changeset commit:65db20674d716208e340b96471ff98d1bb0c957b. Jim Pingle
10:34 AM Bug #9931: 0.pfsense.pool.ntp.org doesn't work on IPv6 only installations
I didn't see the PR and had already made the change after testing it out locally, it will show up soon. Jim Pingle
10:15 AM Bug #9931: 0.pfsense.pool.ntp.org doesn't work on IPv6 only installations
Changed in https://github.com/pfsense/pfsense/pull/4121 Isaac McDonald
09:59 AM Bug #9931 (Resolved): 0.pfsense.pool.ntp.org doesn't work on IPv6 only installations
I debated whether this should be considered a bug or a feature. I ultimately decided it should be considered a bug se... Isaac McDonald
10:32 AM Bug #9790 (Feedback): firewall aliases table with fqdn stays in system after deleting
PR has been merged. Thanks! Renato Botelho
10:30 AM Feature #9771 (Feedback): diag_reboot.php: add ability to reroot and reboot with fsck to WebGUI
Renato Botelho
10:30 AM Feature #9771: diag_reboot.php: add ability to reroot and reboot with fsck to WebGUI
PR has been merged. Thanks Renato Botelho
10:29 AM Bug #7601 (Feedback): Dynamic DNS - Hostname should not be required for DNS-O-Matic
PR has been merged. Thanks! Renato Botelho
07:42 AM Bug #7601 (Pull Request Review): Dynamic DNS - Hostname should not be required for DNS-O-Matic
Jim Pingle
10:24 AM pfSense Packages Feature #9929 (Feedback): show only ECDSA-safe exports packages
PR has been merged. Thanks! Renato Botelho
07:59 AM pfSense Packages Feature #9929 (Pull Request Review): show only ECDSA-safe exports packages
Jim Pingle
04:32 AM pfSense Packages Feature #9929: show only ECDSA-safe exports packages
two more packages with certificates left - Zabbix-agent and Net-SNMP Viktor Gurov
04:29 AM pfSense Packages Feature #9929 (Resolved): show only ECDSA-safe exports packages
show only ECDSA-safe exports packages on OpenVPN \ Client Export Utility page
i.e. certs with prime256v1, secp384r... Viktor Gurov
10:23 AM pfSense Packages Feature #9901 (Feedback): show ECDSA CAs only with correct curves
PR has been merged. Thanls! Renato Botelho
09:23 AM Revision 192d769c: switch to IPsec cert list
Viktor Gurov
09:16 AM Revision 0619c2b5: cosmetic
Viktor Gurov
09:13 AM Revision 0de3991f: Merge branch 'master' into p11ipsec
vktg
08:59 AM Revision aad37244: rebase
Viktor Gurov
08:57 AM Revision 2d604c8b: successful connection
Viktor Gurov
08:57 AM Revision 5fe27d1c: more
Viktor Gurov
08:34 AM Revision 8b859d91: first steps
Viktor Gurov
08:26 AM Revision 43996917: merge with upstream
Viktor Gurov
07:50 AM Bug #9296 (Pull Request Review): Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
Jim Pingle
04:27 AM Bug #9296: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
I have a fix for this, and have created a pull request.
https://github.com/pfsense/FreeBSD-ports/pull/714 Gavin Stewart
12:29 AM Bug #9296: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
Gavin Stewart wrote:
> I now have a minimal and repeatable set of steps to reproduce this.
Actually, I have revis... Gavin Stewart
07:47 AM Feature #9928 (Duplicate): Allow keyless certificates in the Cert Client admin tool
Duplicate of #9834 Jim Pingle
02:55 AM Feature #9928 (Duplicate): Allow keyless certificates in the Cert Client admin tool

Would be useful to also allow for certificates without a key to be created/managed in the cert admin tool.
E.g. ... Dirk-Willem van Gulik
07:46 AM Feature #9927 (Duplicate): Allow Aliases in fields on VPN/OpenVPN/Servers/Edit - in particular for "IPv4 Local network(s)"
Duplicate of #2668 Jim Pingle
02:52 AM Feature #9927 (Duplicate): Allow Aliases in fields on VPN/OpenVPN/Servers/Edit - in particular for "IPv4 Local network(s)"
Would be useful to allow Aliases in particularly the "IPv4 Local network(s)" of the OpenVPN server setup.
As this... Dirk-Willem van Gulik
07:45 AM Bug #9920 (Resolved): system_crlmanager.php: CRL export file is empty if CA key type is ECDSA
My PR was merged upstream and we're on the latest version as well now, without needing a patch. That was finished the... Jim Pingle
12:08 AM Bug #9920: system_crlmanager.php: CRL export file is empty if CA key type is ECDSA
Jim Pingle wrote:
> I added that patch to our port:
>
> https://github.com/pfsense/FreeBSD-ports/commit/1bdb4e58d... Viktor Gurov
07:41 AM Feature #9896 (Resolved): Add poly1305-chacha20 to the TLSv1.2 cipher list in nginx
Jim Pingle
06:38 AM Feature #9896: Add poly1305-chacha20 to the TLSv1.2 cipher list in nginx
Renato Botelho wrote:
> PR has been merged. Thanks
Tested on pfSense 2.5.0.a.20191126.1832... Viktor Gurov
07:40 AM Bug #9930 (Not a Bug): Dpinger fills log with sendto errors when VPN is down
We do not maintain dpinger, if you want to suggest a change to dpinger, raise it on their bug tracker: https://github... Jim Pingle
07:10 AM Bug #9930 (Not a Bug): Dpinger fills log with sendto errors when VPN is down
I have configured a tinc VPN Interface and I have a Gateway on that connection. If the remote host goes down (meaning... Flole Systems
07:02 AM Feature #9905 (Resolved): ospf / ospv3 packet capture
Renato Botelho
04:37 AM Feature #9905: ospf / ospv3 packet capture
tested on 2.5.0.a.20191126.1832
works, Resolved Viktor Gurov
05:22 AM Revision 647bbe86: array_diff fix
Viktor Gurov
05:20 AM Revision 75b83f36: array_diff fix
Viktor Gurov
05:11 AM Revision 96d0cb2d: php_uname func
Viktor Gurov
02:43 AM Revision 1ccc327f: Make hostname optional for for DNS-O-Matic.
This resolves ticket #7601. gizmotronic

11/26/2019

08:19 PM Revision 176c7256: traffic-graphs, don't stop drawing graphs when a interface is disabled
traffic-graphs, don't stop drawing graphs when a interface is disabled Pi Ba
04:56 PM Revision f61a794a: Unset temp vars when refreshing CRLs. Issue #9915
Otherwise it might unintentionally add a CRL to a server which does not
have one selected Jim Pingle
04:05 PM Revision 475d712b: When refreshing CRLs, increment suffix, do not clean up. Fixes #9915
While here, fix a bug with refresh path. Jim Pingle
04:00 PM pfSense Docs Correction #9926 (Closed): Feedback on Virtualization — Virtualizing pfSense with VMware vSphere / ESXi
Thanks! Jim Pingle
03:39 PM pfSense Docs Correction #9926 (Closed): Feedback on Virtualization — Virtualizing pfSense with VMware vSphere / ESXi
*Page:* https://docs.netgate.com/pfsense/en/latest/virtualization/virtualizing-pfsense-with-vmware-vsphere-esxi.html
... Bjorn Formo
03:15 PM Revision 84041dcf: Correctly populate CRL issuer in crl_contains_cert. Fixes #9924
Jim Pingle
03:07 PM pfSense Docs Correction #9925 (Closed): Feedback on VPN — OpenVPN — Troubleshooting Windows OpenVPN Client Connectivity
*Page:* https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/troubleshooting-windows-openvpn-client-connectivity.ht... Steve Wheeler
02:22 PM Feature #9828: L2TP (long) username containing @ (realm separator)
Any proposed changes should be submitted via pull request so they can be reviewed, discussed, and merged.
https://... Jim Pingle
01:47 PM Feature #9828: L2TP (long) username containing @ (realm separator)
bump, anyone? Arjan van der Oest
02:21 PM Todo #9603 (In Progress): Strongswan stroke is deprecated, move to swanctl/vici
I'm looking this over. A few more useful links:
swanctl.conf format:
https://wiki.strongswan.org/projects/strongs... Jim Pingle
02:14 PM Revision 3c1249b3: Add 'none' option to cert_build_list. Issue #9923
Jim Pingle
10:15 AM Todo #9915 (Feedback): Convert OpenVPN to CAPath
Applied in changeset commit:475d712b910e197256c06634051e1ad75be4bdfe. Jim Pingle
10:03 AM Todo #9915: Convert OpenVPN to CAPath
That method does work to update CRLs, so I'll adjust the code to work that way.
Still doesn't work for intermediat... Jim Pingle
09:47 AM Todo #9915 (In Progress): Convert OpenVPN to CAPath
Something else to consider is to increment the CRL suffix number (e.g. r0 -> r1 -> r2), which may trick OpenSSL into ... Jim Pingle
09:44 AM Todo #9915: Convert OpenVPN to CAPath
While the new structure functions well at startup, it does appear as though the CRL status is cached at startup. When... Jim Pingle
09:25 AM Bug #9924 (Feedback): crl_contains_cert() does not correctly report revoked status for intermediate CAs
Applied in changeset commit:84041dcfd744d2dbbcee90338705c12b4c844e96. Jim Pingle
09:14 AM Bug #9924 (Resolved): crl_contains_cert() does not correctly report revoked status for intermediate CAs
If a certificate is issued by an intermediate CA and revoked in a CRL for that intermediate CA, @crl_contains_cert()@... Jim Pingle

11/25/2019

09:50 PM Revision 348c2af1: Restructure OpenVPN settings directory layout
* Changed from /var/etc/openvpn[-csc]/<mode><id>.<file> to
/var/etc/openvpn/<mode><id>/<x>
* This keeps all settings ... Jim Pingle
05:24 PM Revision 67f362de: Merge pull request #4114 from vktg/ospfpcap
Renato Botelho
05:18 PM Revision 22820e3a: Merge pull request #4107 from Godwottery/Godwottery-ping-wait
Renato Botelho
05:17 PM Revision fb8ee03c: Merge pull request #4108 from Augustin-FL/Augustin-FL-patch-builder-common
Renato Botelho
05:10 PM Revision d4b090cb: Merge pull request #4112 from vktg/poly1305tls12
Renato Botelho
04:42 PM Revision 59fac81f: Add select_source compatible output to cert_build_list(). Implements #9923
Jim Pingle
04:00 PM Todo #9915 (Feedback): Convert OpenVPN to CAPath
Applied in changeset commit:348c2af1671d8f11c5d9ca67a32cbb28940ef19a. Jim Pingle
03:07 PM Revision ab5ef410: Enforce limiter delay 0<=x<=10000. Fixes #9921
(cherry picked from commit 8afa74bb099d75962a5efb8a603981c0249f91a0) Jim Pingle
03:06 PM Revision 8afa74bb: Enforce limiter delay 0<=x<=10000. Fixes #9921
Jim Pingle
02:02 PM Revision 1a969ea2: Remove zabbix 2.2 leftovers
Renato Botelho
11:24 AM Feature #9905 (Feedback): ospf / ospv3 packet capture
PR has been merged. Thanks! Renato Botelho
11:19 AM Feature #9862 (Feedback): Add support for waiting between ping-packages on diag_ping.php
PR has been merged. Thanks! Renato Botelho
11:12 AM Feature #9896 (Feedback): Add poly1305-chacha20 to the TLSv1.2 cipher list in nginx
PR has been merged. Thanks Renato Botelho
10:50 AM Feature #9923 (Feedback): Add select_source compatible output to cert_build_list()
Applied in changeset commit:59fac81f316b0616e0c50ec47ffa9cfa97a10ebb. Jim Pingle
10:42 AM Feature #9923 (Resolved): Add select_source compatible output to cert_build_list()
Rather than duplicate the effort in many packages, add support to @cert_build_list()@ to generate an array compatible... Jim Pingle
10:40 AM pfSense Packages Bug #9919 (Feedback): stunnel server connection failure if ECDSA cert is not in IPsec list
PR has been merged. Thanks! Renato Botelho
10:38 AM pfSense Packages Feature #9906 (Feedback): show ECDSA CAs and certs only with correct curves
PR has been merged. Thanks! Renato Botelho
10:27 AM Bug #9920 (Feedback): system_crlmanager.php: CRL export file is empty if CA key type is ECDSA
I added that patch to our port:
https://github.com/pfsense/FreeBSD-ports/commit/1bdb4e58dd3802abbd25acc5ff8da23336... Jim Pingle
10:01 AM Bug #9920: system_crlmanager.php: CRL export file is empty if CA key type is ECDSA
I submitted a PR to their project to add support for ECDSA CAs, it didn't take much:
https://github.com/ukrbublik/... Jim Pingle
09:15 AM Bug #9921 (Feedback): Limiters allow invalid delay values
Applied in changeset commit:8afa74bb099d75962a5efb8a603981c0249f91a0. Jim Pingle
08:46 AM pfSense Packages Bug #9922 (Feedback): haproxy_version does not use full path to haproxy, leads to errors when run during cron
Fixed:
https://github.com/pfsense/FreeBSD-ports/commit/47f4f91aa8159e47f24990eb2496784cb9ef07c6
https://github.co... Jim Pingle
08:41 AM pfSense Packages Bug #9922 (Resolved): haproxy_version does not use full path to haproxy, leads to errors when run during cron
When /etc/rc.filter_configure_sync is run from cron, it yields errors from haproxy. For example in this simulated run... Jim Pingle

11/24/2019

09:10 AM Feature #9918: check user certificates for correct ECDSA curves
In the GUI, yes, but admins could be using them for other purposes. It's best to filter them at the point we know the... Jim Pingle
03:55 AM Feature #9918: check user certificates for correct ECDSA curves
Jim Pingle wrote:
> We don't know what they are using them for necessarily.
As I understand user certs can be use... Viktor Gurov
08:51 AM Bug #9921 (Resolved): Limiters allow invalid delay values
When creating Limiters the GUI allows delay values above 10000ms. The config also allow this and it is written into t... Steve Wheeler
04:42 AM Bug #1943: PPPoE won't reconnect after link loss when using vr(4) NICs on certain ISPs only
I am experiencing the same issue with version 2.4.4-p3 on x86 hardware (re network interfaces). Yuran Yastreb

11/23/2019

11:00 PM pfSense Packages Bug #9919 (Pull Request Review): stunnel server connection failure if ECDSA cert is not in IPsec list
Jim Pingle
03:03 AM pfSense Packages Bug #9919: stunnel server connection failure if ECDSA cert is not in IPsec list
https://github.com/pfsense/FreeBSD-ports/pull/712 Viktor Gurov
02:42 AM pfSense Packages Bug #9919 (Resolved): stunnel server connection failure if ECDSA cert is not in IPsec list
stunnel client can use cert with any ECDSA curve,
but if stunnel server use incorrect (not prime256v1, secp384r1, se... Viktor Gurov
10:58 PM Feature #8289 (Resolved): OpenVPN - configurable username as common name
Thanks for testing! Jim Pingle
02:39 AM Feature #8289: OpenVPN - configurable username as common name
Thanks Jim.
Works. Greg M
10:58 PM Feature #9918 (Closed): check user certificates for correct ECDSA curves
I don't think we should limit this here. When creating/assigning the certs, it's really up to the admin. We don't kno... Jim Pingle
01:27 AM Feature #9918 (Closed): check user certificates for correct ECDSA curves
Show only correct (IPsec = OpenVPN) ECDSA when adding existing certificates to users,
'Choose an Existing Certifica... Viktor Gurov
10:56 PM Bug #9917 (Pull Request Review): Widget Refresh Logic Flawed
Jim Pingle
12:33 AM Bug #9917 (Closed): Widget Refresh Logic Flawed
Hello team,
I have forked pfSense and resolved this in a feature branch, but need to have a redmine issue for refe... Christopher Embry
11:12 AM Bug #9920: system_crlmanager.php: CRL export file is empty if CA key type is ECDSA
it looks like ukrbublik/openssl_x509_crl do not support ECDSA -
https://github.com/ukrbublik/openssl_x509_crl/blob... Viktor Gurov
10:49 AM Bug #9920: system_crlmanager.php: CRL export file is empty if CA key type is ECDSA
in case of ECDSA CA <text></text> field of <crl></crl> is always empty in config.xml Viktor Gurov
10:30 AM Bug #9920 (Resolved): system_crlmanager.php: CRL export file is empty if CA key type is ECDSA
CRL export file is empty if CA key type is ECDSA
certs inside this CRL can be RSA or ECDSA
if CRL CA key type is ... Viktor Gurov
12:15 AM Feature #9878: IPsec PKCS#11 authentication
for today only CheckPoint support PKCS#11 tokens
most of other vendors (Palo Alto, Riverbed, Huawei, Fortinet, F5)... Viktor Gurov

11/22/2019

08:40 PM Revision b3395df2: Add OpenVPN Keepalive/Ping/Inactive input validation. Fixes #3473
(cherry picked from commit 4a5875a1771d286aee1c1e90d7f45991f9892a68) Jim Pingle
08:37 PM Revision 4a5875a1: Add OpenVPN Keepalive/Ping/Inactive input validation. Fixes #3473
Jim Pingle
07:19 PM Revision e5c4f2a7: Make OpenVPN username-as-common-name options. Implements #8289
Jim Pingle
06:59 PM Revision 7591a72a: Add exit notify to OpenVPN servers/clients. Implements #9078
Jim Pingle
05:31 PM Bug #9321: Traffic Graphs on Dashboard not loading with certain types of interfaces
This seems to be a race condition somehow, it doesn't always happen and I think it was loading for me before after di... Flole Systems
04:41 PM Revision 19a0636d: Prevent OpenVPN tunnel network reuse. Fixes #3244
Ensures that a submitted tunnel network is not already in use on other
OpenVPN client or server instances, to avoid c... Jim Pingle
02:45 PM Feature #3473 (Feedback): Allow configuration of OpenVPN keepalive
Applied in changeset commit:4a5875a1771d286aee1c1e90d7f45991f9892a68. Jim Pingle
01:22 PM Feature #3473 (In Progress): Allow configuration of OpenVPN keepalive
This is missing input validation. I'll add it. Jim Pingle
02:39 PM Feature #7803 (Closed): Include more OpenVPN Options in GUI
@--inactive@ was covered by the implementation for #3473, anything else can be handled on specific case-by-case revie... Jim Pingle
01:44 PM Revision ca3cddbe: Update OpenVPN EC list based on testing. Issue #9744
Jim Pingle
01:38 PM Revision 809e196a: CDATA escape more auth-related fields. Fixes #9327
(cherry picked from commit 327ad811aa5f965ba805ea78f879c759ca0fdafa) Jim Pingle
01:35 PM Revision df1de4df: Correct VTI IPv6 test and syntax. Fixes #9801
(cherry picked from commit 1d9fbb716543110ac245e2749f8c06fc77480a77) Jim Pingle
01:25 PM Feature #8289 (Feedback): OpenVPN - configurable username as common name
Applied in changeset commit:e5c4f2a7d977fb1fd6c7b4446e187486b72285be. Jim Pingle
01:10 PM Feature #9078 (Feedback): Investigate adding knobs for explicit-exit-notify in OpenVPN
Applied in changeset commit:7591a72a5108a2ac28d28745cec43ea282869aae. Jim Pingle
10:50 AM Feature #3244 (Feedback): Check that OpenVPN tunnel network does not overlap any other subnet
Applied in changeset commit:19a0636d7c0e0178209406480cc383853f0d3f72. Jim Pingle
08:11 AM pfSense Packages Feature #9742: Print Patch ID in log while patching
The sshguard log message wouldn't be related.
I see logs for manual patching and reverting, but no log messages wh... Jim Pingle
01:23 AM pfSense Packages Feature #9742: Print Patch ID in log while patching
tested on pfSense 2.5.0.a.20191121.2127 with System_Patches 1.2_4
test patch: https://github.com/pfsense/pfsense/com... Viktor Gurov
07:46 AM Bug #9744: fatal error if ECDH Curve not default
I pushed an update in commit:ca3cddbec4 to change the OpenVPN curve list to match IPsec Jim Pingle
01:17 AM Bug #9744: fatal error if ECDH Curve not default
last test result with pfSense 2.5.0.a.20191121.2127 (OpenVPN 2.4.8) and Debian 10.2 client (OpenVPN 2.4.7)
server ... Viktor Gurov
07:35 AM Bug #9801 (Resolved): VTI IPv6 addresses don't get assigned
Thanks for testing! Jim Pingle
07:34 AM Bug #9801: VTI IPv6 addresses don't get assigned
I've tested with the latest 2.5 development snapshot and it seems to be working correctly now. Ben Hughes
01:26 AM pfSense Packages Bug #9850 (Resolved): show huperscan option only for x86 arch
Tested on 2.5.0.a.20191121.1639 (SG-1000, arm) and suricata 4.1.5_2
Ok, Resolved Viktor Gurov

11/21/2019

09:31 PM Revision efe83ab9: Enable OpenVPN x509-alt-username build option. Fixes #9884
Jim Pingle
09:22 PM Revision 327ad811: CDATA escape more auth-related fields. Fixes #9327
Jim Pingle
09:02 PM Revision fd04c00c: Hide OpenVPN 'interface' when multihome is selected. Fixes #7840
(cherry picked from commit 5a9dc1dc278c6c537bfd5289125607117ceb99df) Jim Pingle
09:01 PM Revision 5a9dc1dc: Hide OpenVPN 'interface' when multihome is selected. Fixes #7840
Jim Pingle
08:19 PM Revision 53ede603: OpenVPN page sorting tweaks
(cherry picked from commit 41025f6094ed34406cdf23097656ea7cae4483ae) Jim Pingle
08:19 PM Revision 3e42a128: OpenVPN status page sent/recv bytes sorting changes. Fixes #7359
(cherry picked from commit f467ea24cb3c3a98b370c2427ff1aa53d25f14a1) Jim Pingle
07:41 PM Revision bc3e78ab: OpenVPN ECDH/ECDSA filtering. Fixes #9744
Can be revisited in the future if the corresponding OpenVPN bug is
resolved. Jim Pingle
07:09 PM Revision f467ea24: OpenVPN status page sent/recv bytes sorting changes. Fixes #7359
Jim Pingle
06:36 PM Revision 41025f60: OpenVPN page sorting tweaks
Jim Pingle
05:09 PM Revision 20cd68d2: Add copy action to OpenVPN pages. Implements #5851
Added to Server, Client, and Client-Specific Override pages
(cherry picked from commit d86c28bc833cdeb8eb90525d930ff... Jim Pingle
05:08 PM Revision d86c28bc: Add copy action to OpenVPN pages. Implements #5851
Added to Server, Client, and Client-Specific Override pages Jim Pingle
04:43 PM Bug #9212 (Not a Bug): OpenVPN Client can't connect over IPv6 in "multihome"
OK, that does sound more like an OpenVPN or config issue. Jim Pingle
04:38 PM Bug #9212: OpenVPN Client can't connect over IPv6 in "multihome"
Oh, I totally forgot about this problem.
I finally found the solution and I think the problem comes from OpenVPN a... benoit moreau
03:16 PM Bug #9212 (Incomplete): OpenVPN Client can't connect over IPv6 in "multihome"
The description is a bit vague:
* Is pfSense the server in this scenario, or the client?
* If the client is not p... Jim Pingle
04:34 PM Revision f6636150: arm check fix with get_single_sysctl()
Viktor Gurov
03:40 PM Feature #9884 (Feedback): Add support for OpenVPN --x509-username-field
Applied in changeset commit:efe83ab95d64d8d364d8a210d709fa49a551e718. Jim Pingle
03:32 PM Feature #9884: Add support for OpenVPN --x509-username-field
I'm not seeing any negative effects to enabling that build option, so it should be fine for testing. Jim Pingle
03:30 PM Bug #9327 (Feedback): Using the character "¤" in OpenVPN password field creates invalid config.xml
Applied in changeset commit:327ad811aa5f965ba805ea78f879c759ca0fdafa. Jim Pingle
03:22 PM Bug #9327: Using the character "¤" in OpenVPN password field creates invalid config.xml
Looks like the easiest fix is to CDATA escape that field. Jim Pingle
03:10 PM Bug #7840 (Feedback): OpenVPN 2.4 Server: Hide Interface when Protocol is Multihome
Applied in changeset commit:5a9dc1dc278c6c537bfd5289125607117ceb99df. Jim Pingle
02:55 PM Feature #7353 (Closed): Openvpn Logins page
On 2.5.0 there is a dedicated authentication log, which you could filter for OpenVPN and see most of what you are aft... Jim Pingle
02:48 PM Feature #7078: Allow reordering of client specific overrides in OpenVPN
While not a persistent reordering, I added sorting to the list in commit:41025f6094ed34406cdf23097656ea7cae4483ae
 Jim Pingle
02:47 PM Feature #4728 (Duplicate): Expose ``nopool`` server option in the OpenVPN Server GUI
This was duplicated by #7567 which was solved a couple years ago. Jim Pingle
02:43 PM Feature #3244: Check that OpenVPN tunnel network does not overlap any other subnet
Thinking about this a bit since I noticed the lack of validation when implementing #5851. It makes sense that an Open... Jim Pingle
02:28 PM pfSense Packages Feature #9874 (Pull Request Review): safesearch enforcing
Jim Pingle
03:24 AM pfSense Packages Feature #9874: safesearch enforcing
received email from Yandex support with the list of domains for redirection:... Viktor Gurov
02:27 PM pfSense Packages Feature #9916 (Pull Request Review): Check allow-transfer in custom option when the zone is slave
Jim Pingle
01:32 PM pfSense Packages Feature #9916 (Resolved): Check allow-transfer in custom option when the zone is slave
If i add custom option (allow-transfer) to my slave zone, bind exit with error, because say already defined this opti... Am1g0 B0y
01:50 PM Bug #9744 (Feedback): fatal error if ECDH Curve not default
Applied in changeset commit:bc3e78ab3dd4bffb89cb8d2533199e37f92fcbf2. Jim Pingle
01:20 PM Bug #7359 (Feedback): Status/OpenVPN Page Sorts Incorrectly
Applied in changeset commit:f467ea24cb3c3a98b370c2427ff1aa53d25f14a1. Jim Pingle
11:38 AM Feature #5851: Add copy action to OpenVPN client / server
Thank you! PT Rich
11:15 AM Feature #5851 (Feedback): Add copy action to OpenVPN client / server
Applied in changeset commit:d86c28bc833cdeb8eb90525d930ff81fa3738cc9. Jim Pingle

11/20/2019

04:47 PM Revision 1d9fbb71: Correct VTI IPv6 test and syntax. Fixes #9801
Jim Pingle
04:29 PM Revision 94ce250e: Move CA random serial option to upper section. Issue #9883
This allows it to be set when creating a new CA, so it doesn't have to
be edited in later.
Also show the next serial... Jim Pingle
03:00 PM Todo #9915 (Resolved): Convert OpenVPN to CAPath
While investigating #9889, I found that OpenVPN recently introduced a new style of specifying CA and CRLs in a single... Jim Pingle
02:44 PM Bug #4521: OpenVPN authentication and certificate validation fail due to size of data passed through ``fcgicli``
This is likely less of an issue now that emailAddress is no longer usable in the subject, but might still be hit with... Jim Pingle
02:29 PM Bug #9744: fatal error if ECDH Curve not default
If it works with the secp* curves then maybe we should filter the list like we have done for HTTPS and IPsec. At leas... Jim Pingle
01:16 PM Feature #9309 (Pull Request Review): Allow manual selection of IPsec IKE Pseudo-Random Function (PRF)
Jim Pingle
01:10 PM Feature #3718: radvd - enhancement proposal: ability to advertise routes and some fixes - patches attached
Can you submit this as a pull request on github, rather than attaching patches?
https://docs.netgate.com/pfsense/e... Jim Pingle
10:55 AM Bug #9801 (Feedback): VTI IPv6 addresses don't get assigned
Applied in changeset commit:1d9fbb716543110ac245e2749f8c06fc77480a77. Jim Pingle
10:47 AM Bug #9801 (In Progress): VTI IPv6 addresses don't get assigned
Jim Pingle
08:05 AM Bug #9577: radvd send_ra_forall failed on interface / can't join ipv6-allrouters
Ronald Schellberg wrote:
> On a side note, why has issue dropped from the 2.5 issue list????
It was never assigne... Jim Pingle

11/19/2019

04:43 PM Revision d1f5587d: Rename IPsec "RSA" options to "Certificate". Implements #9903
Jim Pingle
02:21 PM Bug #9873: Switching the System Update to Development renders the system unbootable
If it can help. I was able to correct the issue by running:
ssh to pfsense
cd /usr/local/lib/php/
ln -s 2017071... Alex D
01:45 PM pfSense Packages Bug #9795: FRR add two or more ipv6 BGP Neighbors will system down
i try setup use openbgpd normarl work ipv6 with openvpn. so i think the frr sure has bugs. yon Liu
12:12 PM Bug #9296: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
Jim Pingle wrote:
> John K wrote:
> > What's the status here? Has Netgate been able to reproduce this issue?
>
... John K
10:50 AM Todo #9903 (Feedback): Rename IPsec "RSA" options to more generic "Certificate" options
Applied in changeset commit:d1f5587d48af48817336fdf8644ea7d7679cf037. Jim Pingle
09:15 AM Bug #9646: OpenSSL 1.1.1 does not list engines for AES-NI or BSD crypto
On my beyond 2.5 version (12.1 based), the devcryto patch applied, and after the devcrypto.ko is loaded:... Ronald Schellberg
04:57 AM Bug #9646: OpenSSL 1.1.1 does not list engines for AES-NI or BSD crypto
https://forum.netgate.com/topic/148171/openvpn-no-option-for-aes-ni/6
openssl speed -engine rdrand -evp aes-128-gc... yon Liu
07:59 AM Bug #9914 (Rejected): dhcp6c wont work on reboot, only after service restart
This doesn't appear to be a general issue with dhcp6c, but it may be specific to something in your settings or enviro... Jim Pingle
05:35 AM Bug #9914 (Rejected): dhcp6c wont work on reboot, only after service restart
The dhcp6c service is not working after a reboot, I have to restart the service to get it working. The log file has t... Seyfidin Hamraoui
07:51 AM Bug #3965: dhcp6c started before bridge configured at boot, preventing interface tracking
See also: #6529 Jim Pingle
07:51 AM Bug #6529 (Duplicate): dhcp6c fails to start with track6 on a bridge interface
Duplicate of #3965 Jim Pingle
05:55 AM Feature #7791 (Resolved): include /usr/bin/strings in core pfSense
Renato Botelho
12:10 AM pfSense Packages Feature #9913 (Resolved): Adding note Squid Traffic Managment Settings about feature limit
Squid Traffic Managment Settings mostly works with generic HTTP, so that, it may not work without HTTPS Interception ... Constantine Kormashev

11/18/2019

10:33 PM Feature #7791: include /usr/bin/strings in core pfSense
I can confirm that /usr/bin/strings gets included in new builds. Ronald Schellberg
11:00 AM Feature #7791 (Feedback): include /usr/bin/strings in core pfSense
Applied in changeset commit:6ecea21ad2b6b7912968fb1240ee5d32649bbdf1. Renato Botelho
10:29 AM Feature #7791: include /usr/bin/strings in core pfSense
If there an explicit non-plan for this to be addressed, could it be so noted? Royce Williams
09:46 PM Revision 9540eac2: fix
Viktor Gurov
09:30 PM Feature #9911 (Resolved): Show confirmation box before disconnecting PPPoE
Great, thanks for testing! Jim Pingle
09:19 PM Feature #9911: Show confirmation box before disconnecting PPPoE
I can confirm this patch works. Nice red button and it requests confirmation of the selection to disconnect. Ronald Schellberg
09:18 PM Feature #9911: Show confirmation box before disconnecting PPPoE
Hi Jim.
I've applied the patch and I'm happy to confirm that yes, it works perfectly!
I like the fact it's now RED ... Anonymous
03:28 PM Feature #9911: Show confirmation box before disconnecting PPPoE
You're welcome! Did you have a chance to test the patch? You should be able to apply commit 4193cc185ef55e2260dae4ff2... Jim Pingle
03:05 PM Feature #9911: Show confirmation box before disconnecting PPPoE
Unsure if it's appropriate to say "Thanks" in the bugtracker, but *thanks!!* Especially for such a prompt patch. App... Anonymous
01:45 PM Feature #9911 (Feedback): Show confirmation box before disconnecting PPPoE
Applied in changeset commit:b8b0c2a320166a3b5732354d35edad47d0f05a04. Jim Pingle
07:19 AM Feature #9911: Show confirmation box before disconnecting PPPoE
This should be as easy as changing the button from a warning class to a danger class, which automatically gets a JS c... Jim Pingle
12:11 AM Feature #9911 (Resolved): Show confirmation box before disconnecting PPPoE
The *Status->Interfaces* page (_status_interfaces.php_) is very useful for showing Interface details.
On systems tha... Anonymous
07:38 PM Revision 53f5bc4b: more pretty func
Viktor Gurov
07:38 PM Revision 4193cc18: Change interface disconnect/release button to 'danger'. Fixes #9911
While here, add the interface name to the button text.
Net effect is a confirmation box to ensure the user wants to ... Jim Pingle
07:37 PM Revision b8b0c2a3: Change interface disconnect/release button to 'danger'. Fixes #9911
While here, add the interface name to the button text.
Net effect is a confirmation box to ensure the user wants to ... Jim Pingle
07:29 PM Revision b1ffc46f: extra switch case for !ospf
Viktor Gurov
06:57 PM Revision 46ca1080: fixes
Viktor Gurov
04:52 PM Revision 7eed5588: Fix #7791: strings binary can be useful for troubleshooting
Renato Botelho
04:52 PM Revision 6ecea21a: Fix #7791: strings binary can be useful for troubleshooting
Renato Botelho
10:57 AM pfSense Packages Feature #9912 (New): add custom DPI to ntopng
hi, since you don't read a conf file at startup, could you add the -p parameter to the startup script and point it to... ROB VANHOOREN
07:54 AM Bug #9566: Traffic graph displays traffic incorrectly
See also #9910 which suggests it may be related to limiters, though this one mentions ALTQ. Jim Pingle
07:54 AM Bug #9910 (Duplicate): When using limiters, traffic on wan out is doubled
Duplicate of #9566 Jim Pingle
07:52 AM Feature #9909 (Pull Request Review): Add option to (dis)allow unauthenticated LDAP binds
Jim Pingle
07:46 AM Bug #9907 (Pull Request Review): Do not show incompatible ECDSA certs for DNS Resolver
Jim Pingle
07:40 AM Bug #9908 (Duplicate): hn0: driver does not support altq
Duplicate of #9647 Jim Pingle
07:39 AM Bug #9899 (Resolved): PHP Error: DateTime::diff() expects parameter 1 to be DateTimeInterface, bool given in /etc/inc/certs.inc on line 1958
OK, thanks for testing! Jim Pingle
07:35 AM pfSense Packages Feature #9906 (Pull Request Review): show ECDSA CAs and certs only with correct curves
Jim Pingle
07:33 AM Feature #9905 (Pull Request Review): ospf / ospv3 packet capture
Jim Pingle
07:17 AM Bug #9643: Limiters do not function properly on 2.5 snapshots
Nothing yet, but since we are rebasing on FreeBSD 12.1 soon, it will need to wait until after that happens. Jim Pingle
12:41 AM Bug #9643: Limiters do not function properly on 2.5 snapshots
Hi.
Any update on this one?
Thanks! Greg M
12:47 AM Bug #9646: OpenSSL 1.1.1 does not list engines for AES-NI or BSD crypto
This issue caught my eye, so I enabled the devcrypto patch on my version based on 12.1. On my VM, after loading the ... Ronald Schellberg

11/17/2019

03:12 PM Bug #9872: Error during build when compiling a non pfSense software
Another suggested edit to builder_common.sh would be to remove the console redirection on line 1717:
poudriere ... Ronald Schellberg
10:20 AM Bug #9910 (Duplicate): When using limiters, traffic on wan out is doubled
As title says.
Attached screenshot.
Can`t test on 2.5.0 as limiters on WAN on 2.5.0 kill all traffic. Greg M

11/16/2019

08:35 PM Revision ec2ff822: del unused code
Viktor Gurov
02:54 PM Feature #9909: Add option to (dis)allow unauthenticated LDAP binds
Pull Request : https://github.com/pfsense/pfsense/pull/4116 A FL
02:53 PM Feature #9909 (Resolved): Add option to (dis)allow unauthenticated LDAP binds
Hello,
Microsoft AD make the (stupid...) assumption that when an empty password is provided to the LDAP server, th... A FL
02:32 PM Revision 9d9dae5e: cert_build_list() func for certs
Viktor Gurov
12:56 PM Bug #9908: hn0: driver does not support altq
Line 587?
https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_5/sys/dev/hyperv/netvsc/if_hn.c Greg M
12:52 PM Bug #9908 (Duplicate): hn0: driver does not support altq
Hi!
Referenced from here: https://redmine.pfsense.org/issues/8954
I created loader.conf.local with this line in... Greg M
12:48 PM Bug #9899: PHP Error: DateTime::diff() expects parameter 1 to be DateTimeInterface, bool given in /etc/inc/certs.inc on line 1958
Hi.
Confirmed fixed.
Cert expired and it had end date. Greg M
08:41 AM Bug #9907 (Resolved): Do not show incompatible ECDSA certs for DNS Resolver
Do not show incompatible ECDSA certs for DNS Resolver
It is difficult to find EC curves supported by each DNS implem... Viktor Gurov
07:38 AM Bug #9745: can't add ECDSA certificate key when signing CSR
Jim Pingle wrote:
> I made a couple changes that might help here, but I don't have a cert/key made that way to test.... Viktor Gurov
06:17 AM Revision 2a54b4cd: pcap ospf/ospfv3 support
Viktor Gurov
03:05 AM pfSense Packages Feature #9906 (Resolved): show ECDSA CAs and certs only with correct curves
Do not show incompatible ECDSA CAs or certs for FreeRADIUS
same as https://redmine.pfsense.org/issues/9897
... Viktor Gurov
12:40 AM Feature #9905 (Resolved): ospf / ospv3 packet capture
Adds the ability to select OSPF in the protocol field
It can capture OSPF, OSPFv3 or both, depending of Address Fami... Viktor Gurov

11/15/2019

10:51 PM Bug #9904 (Rejected): Unable to edit DHCP interface PPPoE Password and confirmed password must match
It's your browser and/or password manager.
It should be solved by #9864, at least as much as possible.
If the b... Jim Pingle
08:30 PM Bug #9904 (Rejected): Unable to edit DHCP interface PPPoE Password and confirmed password must match
I am unable to edit an interface that is DHCP with the error showing that my PPPoE Password and confirmed password mu... Mathew Keith
04:46 PM Revision 836f6ea5: Test DNS Hostnames separtely from GWs when storing new values. Fixes #9898
(cherry picked from commit 0d192133299b02efcb1db8f72bdce85a32a96631) Jim Pingle
04:24 PM Revision 0d192133: Test DNS Hostnames separtely from GWs when storing new values. Fixes #9898
Jim Pingle
04:02 PM Revision 9dfd57c0: Attempt to fetch EC curve OID if name is blank. Issue #9745
Jim Pingle
03:51 PM Revision 1120b85c: Certificate date calculation changes. Fixes #9899
Make the certificate date calculation more general and also try multiple ways
to determine the date (both timestamp a... Jim Pingle
03:13 PM Feature #4991: WebGUI does not support ECDSA certificates for IPSec Stage 1
I split the task of renaming the options/fixing the backend code to change from "RSA" to "Certificate" into a new iss... Jim Pingle
03:12 PM Todo #9903 (Resolved): Rename IPsec "RSA" options to more generic "Certificate" options
IPsec can use both RSA and ECDSA certificates, so we need to rename any IPsec Certificate-based authentication method... Jim Pingle
03:05 PM pfSense Packages Todo #9900: Status -> Monitoring -> Add View
Thanks Jim a "pkg upgrade -y pfSense-Status_Monitoring" fixed it.
[2.4.4-RELEASE][admin@pfsense]/root: pkg info -x... Andy Kniveton
07:24 AM pfSense Packages Todo #9900 (Duplicate): Status -> Monitoring -> Add View
Duplicate of #9681
See also: https://forum.netgate.com/topic/147819/cannot-create-new-monitoring-views/2 Jim Pingle
04:46 AM pfSense Packages Todo #9900 (Duplicate): Status -> Monitoring -> Add View
View names now seem to be forced lower case, seems odd as the default interface names are in upper case.
 Andy Kniveton
02:24 PM Bug #9267: dhclient does not handle protocol timeouts or script failures correctly
The change is included in FreeBSD 12.1. Once we move pfSense to FreeBSD 12.1 (which will happen before 2.5.0-RELEASE)... Jim Pingle
02:19 PM Bug #9267: dhclient does not handle protocol timeouts or script failures correctly
Any status on this? It pretty much breaks our router being able to handle power outages. Patrick Staton
12:00 PM pfSense Packages Feature #9902 (Resolved): add sticky filter for Alert Log please
hi, could the filter be made sticky?
it's not (as of 4.1.5_2)
thanks!
R.
*observed behaviour:*
services>... ROB VANHOOREN
10:35 AM Bug #9898 (Feedback): DNS over TLS hostname verification does not save
Applied in changeset commit:0d192133299b02efcb1db8f72bdce85a32a96631. Jim Pingle
07:46 AM Bug #9898: DNS over TLS hostname verification does not save
I can reproduce this, but only when the system in question is not Multi-WAN so the DNS server list does not show the ... Jim Pingle
10:16 AM pfSense Packages Bug #9740 (Resolved): empty Status / Tinc VPN page on latest 2.5

Tested on pfSense 2.5.0.a.20191114.1802
tinc 1.0.35_2
OK, Resolved Viktor Gurov
10:04 AM Bug #9745: can't add ECDSA certificate key when signing CSR
I made a couple changes that might help here, but I don't have a cert/key made that way to test. See commit:9dfd57c04... Jim Pingle
09:29 AM Bug #9745: can't add ECDSA certificate key when signing CSR
if key created without _-param_enc explicit_ option, everything is ok:... Viktor Gurov
08:24 AM Bug #9745: can't add ECDSA certificate key when signing CSR
Renato Botelho wrote:
> PR has been merged. Thanks!
Tested on 2.5.0.a.20191114.1802
CSR with key can be signed -... Viktor Gurov
10:00 AM Bug #9899 (Feedback): PHP Error: DateTime::diff() expects parameter 1 to be DateTimeInterface, bool given in /etc/inc/certs.inc on line 1958
Applied in changeset commit:1120b85cb2a275de3ffe337c4c3ac781c2ccfb9e. Jim Pingle
07:37 AM Bug #9899: PHP Error: DateTime::diff() expects parameter 1 to be DateTimeInterface, bool given in /etc/inc/certs.inc on line 1958
Do you have a CA or certificate in your list which has a missing end date?
If so, do you mind sharing the contents... Jim Pingle
12:45 AM Bug #9899 (Resolved): PHP Error: DateTime::diff() expects parameter 1 to be DateTimeInterface, bool given in /etc/inc/certs.inc on line 1958
Hi.
In latest snapshot there is:
Crash report begins. Anonymous machine information:
amd64
12.0-RELEASE-p1... Greg M
07:33 AM Todo #9897 (Resolved): Warn user when using incompatible ECDSA cert curves for WebGUI
I didn't put secp521r1 on the HTTP list for that reason. If it isn't widely compatible, it's best not to recommend it... Jim Pingle
01:35 AM Todo #9897: Warn user when using incompatible ECDSA cert curves for WebGUI

Make central functions to check and test ECDSA compatibility. Issue #9843
Filter incompatible certificates from be... Viktor Gurov
07:22 AM pfSense Packages Feature #9901 (Pull Request Review): show ECDSA CAs only with correct curves
Jim Pingle
05:22 AM pfSense Packages Feature #9901: show ECDSA CAs only with correct curves
https://github.com/pfsense/FreeBSD-ports/pull/709 Viktor Gurov
05:21 AM pfSense Packages Feature #9901 (Resolved): show ECDSA CAs only with correct curves
Do not show incompatible ECDSA CAs for Squid HTTPS/SSL Interception
same as https://redmine.pfsense.org/issues/9897 Viktor Gurov
07:22 AM pfSense Packages Todo #9158: Updates for Squid 4.x
Updated title. 2.5.0 snapshots are already using Squid 4.x (squid-4.8_1), but it may need adjustments to account for ... Jim Pingle
02:34 AM Feature #9896: Add poly1305-chacha20 to the TLSv1.2 cipher list in nginx
Jim Pingle wrote:
> Actually this appears to be unnecessary. It's already enabled by default for TLS 1.3, but that s... Viktor Gurov

11/14/2019

08:59 PM Revision cffcf9bf: GUI improvements for ECDSA certificate handling
* Make central functions to check and test ECDSA compatibility. Issue #9843
* Filter incompatible certificates from b... Jim Pingle
05:48 PM Bug #9898 (Resolved): DNS over TLS hostname verification does not save
Adding a DNS hostname to System>General settings is not being saved. The page reloads with the fields blank and the r... Mathew Keith
04:08 PM Revision b58fe676: order fix
Viktor Gurov
03:05 PM Feature #4991 (Feedback): WebGUI does not support ECDSA certificates for IPSec Stage 1
Applied in changeset commit:cffcf9bfaa1a054917d3427cbc7885b97db8902c. Jim Pingle
01:10 PM Feature #4991 (In Progress): WebGUI does not support ECDSA certificates for IPSec Stage 1
ECDSA keys do work with IPsec, but the OP is right that the key type in ipsec.secrets is incorrect. It needs a fix th... Jim Pingle
08:09 AM Feature #4991: WebGUI does not support ECDSA certificates for IPSec Stage 1
While support for ECDSA certificates is in 2.5.0, it needs tested with IPsec specifically to ensure it works.
Also... Jim Pingle
03:05 PM Todo #9897 (Feedback): Warn user when using incompatible ECDSA cert curves for WebGUI
Applied in changeset commit:cffcf9bfaa1a054917d3427cbc7885b97db8902c. Jim Pingle
01:10 PM Todo #9897 (In Progress): Warn user when using incompatible ECDSA cert curves for WebGUI
Jim Pingle
10:32 AM Todo #9897: Warn user when using incompatible ECDSA cert curves for WebGUI
https://github.com/pfsense/pfsense/pull/4113 Viktor Gurov
09:31 AM Todo #9897: Warn user when using incompatible ECDSA cert curves for WebGUI
Corrected title.
More discussion: https://forum.netgate.com/topic/148128/ecdsa-curve-certificates-on-2-5-0 Jim Pingle
08:18 AM Todo #9897: Warn user when using incompatible ECDSA cert curves for WebGUI
It works fine with the right curve. Only @prime256v1@ and @secp384r1@ will work from our list with TLS v1.3. See comm... Jim Pingle
08:16 AM Todo #9897 (Resolved): Warn user when using incompatible ECDSA cert curves for WebGUI
if you create ECDSA server cert ( https://redmine.pfsense.org/issues/9843 ) and set it to WebGUI HTTPS,
you got such... Viktor Gurov
01:55 PM Revision f660c27d: add poly1305-chacha20 to nginx cipher list
Viktor Gurov
01:43 PM Revision c3cda38e: Change default ECSDA curve to prime256v1. Issue #9843
Previous default was brainpool, but brainpool curves are not (widely?)
supported by browsers and were deprecated by I... Jim Pingle
10:46 AM Feature #3718: radvd - enhancement proposal: ability to advertise routes and some fixes - patches attached
I've tried to update the patch for version 2.4.4 here. Magnus Holmgren
10:02 AM Feature #3718: radvd - enhancement proposal: ability to advertise routes and some fixes - patches attached
Any interest in implementing this? I find it a bit lacking that the UI doesn't support configuring what routes to adv... Magnus Holmgren
10:18 AM Feature #9896 (Pull Request Review): Add poly1305-chacha20 to the TLSv1.2 cipher list in nginx
Actually this appears to be unnecessary. It's already enabled by default for TLS 1.3, but that scanner (nmap ssl-enum... Jim Pingle
08:02 AM Feature #9896 (Resolved): Add poly1305-chacha20 to the TLSv1.2 cipher list in nginx
as part of NGE
https://tools.ietf.org/html/rfc7905
test result (nmap):... Viktor Gurov
02:38 AM pfSense Packages Bug #9860 (Resolved): Illegal string offset 'config' in /usr/local/pkg/tinc.inc on line 83
tested on tinc 1.0.35_2
pfSense 2.5.0.a.20191113.1759
Resolved Viktor Gurov
12:16 AM pfSense Packages Bug #9895 (New): snort reinstallation failed
got such errors during snort pkg update:... Viktor Gurov

11/13/2019

11:23 PM Feature #4991: WebGUI does not support ECDSA certificates for IPSec Stage 1

can be closed
currently pfSense support ECDSA. see https://redmine.pfsense.org/issues/9843 Viktor Gurov
11:19 PM Revision eeceb2ca: Add option to disallow unauthenticated LDAP binds
A FL
06:28 PM Revision 4b4df568: Revert "RADVD: In "managed" or "stateless_dhcp" mode, don't use default values for DNS servers etc (these should come from DHCPv6)"
This reverts commit dcc887a355aae49c7df0c29752c04e12922aca83. Jim Pingle
01:30 PM Revision 555e75fe: Zabbix 2.2 packages are gone
Renato Botelho
01:00 PM Feature #9302: radvd always advertises DNS servers and Domain Search List regardless of M or O flag
Jim Pingle wrote:
> Yes, it should be a feature request (which I just changed). It should be made optional, off by d... Rick Coats
12:29 PM Feature #9302: radvd always advertises DNS servers and Domain Search List regardless of M or O flag
Yes, it should be a feature request (which I just changed). It should be made optional, off by default, and have a se... Jim Pingle
11:55 AM Feature #9302: radvd always advertises DNS servers and Domain Search List regardless of M or O flag
Shouldn't this be changed to a Feature Request?
The Requestor has not shown any documentation that this is a bug. ... Rick Coats
10:08 AM Feature #9302 (Pull Request Review): radvd always advertises DNS servers and Domain Search List regardless of M or O flag
Jim Pingle
10:08 AM Bug #9893 (Duplicate): RDNSS is broken in 2.5 for Android and leightweight Clients
Rather than duplicate the info, let's keep all this on #9302 since it's the same issue. Jim Pingle
08:27 AM pfSense Packages Feature #9875 (Feedback): add extra engines safe search
PR has been merged. Thanks! Renato Botelho
07:59 AM pfSense Packages Bug #8258 (Feedback): BIND responds with SERVFAIL when adding/changing records if 'allow-update' is configured for a zone
PR has been merged. Thanks! Renato Botelho
07:54 AM pfSense Packages Bug #9850 (Feedback): show huperscan option only for x86 arch
PR has been merged. Thanks! Renato Botelho

11/12/2019

07:46 PM Bug #9893: RDNSS is broken in 2.5 for Android and leightweight Clients
We are just going to have to disagree then because multiple RFC's say the same thing. I have been writing and reading... Rick Coats
05:07 PM Bug #9893: RDNSS is broken in 2.5 for Android and leightweight Clients
The extract that you've posted is in Section 1.2 which immediately follows Section 1.1 (which describes how RDNSS in ... Elbin Teh
01:17 PM Bug #9893: RDNSS is broken in 2.5 for Android and leightweight Clients
You need to read to the end of RFC 8106. Section 1 is the rational why RDNSS was added to the Router Announcements.
... Rick Coats
01:28 AM Bug #9893: RDNSS is broken in 2.5 for Android and leightweight Clients
While this is convenient to you as you have a dynamic prefix, there are some situations where this might not be desir... Elbin Teh
04:57 PM Feature #9302: radvd always advertises DNS servers and Domain Search List regardless of M or O flag
The extract that you've posted is in Section 1.2 which immediately follows Section 1.1 (which describes how RDNSS in ... Elbin Teh
12:58 PM Feature #9302: radvd always advertises DNS servers and Domain Search List regardless of M or O flag
Elbin Teh wrote:
> Agreed it would be the responsibility of the network administrator to configure RDNSS or DNSSL or... Rick Coats
01:32 AM Feature #9302: radvd always advertises DNS servers and Domain Search List regardless of M or O flag
Agreed it would be the responsibility of the network administrator to configure RDNSS or DNSSL or disable them comple... Elbin Teh
03:21 PM Revision c2517ce8: Fix #3743: Allow OpenVPN keepalive configuration
- Remove hardcoded 'keepalive 10 60' configuration
- Added 'inactive seconds' option
- Let user configure 'keepalive ... Renato Botelho
03:02 PM Revision e5c893cd: Show DNS server help when server list is empty
(cherry picked from commit 05025e63edf9f85b679de8f99d38d6600e8ad5e3) Steve Beaver
03:02 PM Revision 772e21e0: Allow packet capture to match IPv4+IPv6 CARP. Fixes #9867
(cherry picked from commit b86891b1d5d62d30bc8f1bf3a7fdfee7030ed82b) Jim Pingle
03:02 PM Revision 58b2334f: Add clientAuth EKU to Server type certificates. Fixes #9868
(cherry picked from commit 46869dd2b5ebf32e8297d65f98444fb38d314336) Jim Pingle
03:02 PM Revision 88677f87: Suppress errors from touch when marking GW down. Fixes #9851
(cherry picked from commit 83794361b7135aaef4e47b35bd27df7da6ce023c) Jim Pingle
03:02 PM Revision f6323615: Use full path since this pkg prefix is /usr
(cherry picked from commit 14d49fba46389e3f90d26c6316044dfb52f98fc9) Renato Botelho
03:02 PM Revision 123c3cbf: Fix #9612: Run fsck -z once during upgrade
(cherry picked from commit 7373049764f144b2ea7c891bd60760ab64b41160) Renato Botelho
03:01 PM Revision db95c2d8: Only redirects the user to the default page if no specific page page was set in the querystring
(cherry picked from commit 57b2f31714a77d86e51e09758e20da372c224826) bechaire
03:01 PM Revision c9451253: making sure my tabs align with upstream
(cherry picked from commit 7e114786e63619aaf803a5db33c55a92e2b34123) James Lavoy
03:01 PM Revision 168d3972: adjust GEOM rebuild notifications to only notify the user when raid rebuild hits 25% increments
When a geom rebuild is occurring, this script by default notices that the device status has changed every time the re... James Lavoy
03:01 PM Revision 30ca068b: Add search/filter to DHCP/DHCPv6 leases, ARP, and NDP. Implements #9791
(cherry picked from commit 9297ad6504618c5ffcee9f8fe02535cb33f570c9) Jim Pingle
03:01 PM Revision 076a82d1: Removed escaping of CSS classes
(cherry picked from commit c8954c9f0957264a0287d3591b44fab5d52d0998) Sebastian Fiebig
03:00 PM Revision 46c976a9: Initialize JSON data to avoid warning.
Avoid warning/error for not initialized JSON variable.
(cherry picked from commit 6f2192d44689066e55cb7af6d19323edfc... Sebastian Fiebig
03:00 PM Revision 66a1eb93: Fix malformed JSON
Fix malformed JSON using json_encode().
(cherry picked from commit a9941bf65f82bd0a5491c693a55bc2163a43676d) Sebastian Fiebig
03:00 PM Revision 44a87108: Fix OpenVPN keepalive default values. Fixes #3473
(cherry picked from commit 99d7e8c10e96e6f22ad47973d07258cd02426fe6) Jim Pingle
02:55 PM Bug #9872: Error during build when compiling a non pfSense software
Noticed this error as well, thanks for finding the issue. I have incorporated your PR into my builds.
Maybe a low... Ronald Schellberg
02:17 PM Revision 05025e63: Show DNS server help when server list is empty
Steve Beaver
10:06 AM Bug #9533: XG-7100 FAT config restore not working post-install
Revisiting this after hitting it on another system. Adding the following to loader.conf (or loader.conf.local) allows... Steve Wheeler
06:57 AM Todo #9868 (Resolved): Add clientAuth EKU to Server type certificates
Jim Pingle
02:57 AM Todo #9868: Add clientAuth EKU to Server type certificates
Jim Pingle wrote:
> Applied in changeset commit:46869dd2b5ebf32e8297d65f98444fb38d314336.
Tested on 2.5.0.a.20191... Viktor Gurov

11/11/2019

06:19 PM Feature #9302: radvd always advertises DNS servers and Domain Search List regardless of M or O flag
Elbin Teh wrote:
> Hi,
>
> I did some more research and investigation on this, and on further thought I think thi... Rick Coats
05:36 PM Feature #9302: radvd always advertises DNS servers and Domain Search List regardless of M or O flag
Hi,
I did some more research and investigation on this, and on further thought I think this needs to be revisited.... Elbin Teh
04:56 PM Feature #9302: radvd always advertises DNS servers and Domain Search List regardless of M or O flag
If you look at the last paragraph of the blog from 2012 that you referenced:
"One thing to note, I have found that... Rick Coats
04:11 PM Feature #9302: radvd always advertises DNS servers and Domain Search List regardless of M or O flag
Elbin Teh wrote:
> I totally agree that when using "M" mode that RDNSS should not be disabled.
>
> In fact, the ... Rick Coats
05:10 PM Bug #9893 (Duplicate): RDNSS is broken in 2.5 for Android and leightweight Clients
Version of PfSense under Test:
2.5.0-DEVELOPMENT (amd64)
built on Sun Nov 10 20:08:03 EST 2019
FreeBSD 12.0-RELEAS... Rick Coats

11/10/2019

10:35 AM Feature #9843 (Resolved): allow to generate cert/csr with ECDSA key
Jim Pingle
04:40 AM Feature #9843: allow to generate cert/csr with ECDSA key
Jim Pingle wrote:
> PR has been merged
Tested on 2.5.0.a.20191109.1723
Resolved Viktor Gurov
10:35 AM Feature #9825 (Resolved): Requirements for trusted certificates in iOS 13 and macOS 10.15
Jim Pingle
04:37 AM Feature #9825: Requirements for trusted certificates in iOS 13 and macOS 10.15
Tested on 2.5.0.a.20191109.1723
Change default GUI cert lifetime to 825 days - OK
Add notes on CA/Cert pages abo... Viktor Gurov
10:35 AM Bug #9867 (Resolved): Packet Capture IPv6 rejects all packets if CARP type is set in Protocol field
Jim Pingle
07:37 AM Feature #9891 (Resolved): QLogic 10 Gigabit Ethernet driver (qlxgb)
It seems that *qlxgb* driver is not compiled on pfSense,
see https://forum.netgate.com/topic/139931/hp-qlogic-nc523s... Viktor Gurov
03:26 AM pfSense Packages Feature #9874: safesearch enforcing
PR updated with Firefox DoH blocking support
(see https://forum.netgate.com/topic/133679/heads-up-be-aware-of-truste... Viktor Gurov

11/09/2019

11:55 PM Bug #9867: Packet Capture IPv6 rejects all packets if CARP type is set in Protocol field
Jim Pingle wrote:
> Applied in changeset commit:b86891b1d5d62d30bc8f1bf3a7fdfee7030ed82b.
Tested on 2.5.0.a.20191... Viktor Gurov
10:29 PM Bug #9296: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
Jim Pingle wrote:
> John K wrote:
> > What's the status here? Has Netgate been able to reproduce this issue?
>
... Gavin Stewart
02:04 PM pfSense Packages Feature #6022: Consider MLVPN for bonded VPN
https://forum.netgate.com/topic/144050/multi-wan-bonding-150
Added my 2 cents to the forum post, and added $100 to... James Tandy
02:59 AM pfSense Packages Feature #9874: safesearch enforcing
https://github.com/pfsense/FreeBSD-ports/pull/701 Viktor Gurov

11/08/2019

01:03 PM Feature #4632: Support for Multipath TCP (MPTCP)
+1 Bouke Henstra
11:04 AM pfSense Packages Feature #9890 (Needs Patch): Improves Network Quality on a High-latency Lossy Link by using Forward Error Correction
Jim Pingle
11:02 AM pfSense Packages Feature #9890 (Needs Patch): Improves Network Quality on a High-latency Lossy Link by using Forward Error Correction
Network packet loss occurs frequently on long-distance international networks. like: use openvpn gre so on.
I think ... yon Liu
11:01 AM Bug #9889 (Resolved): Cannot validate Certificates against Certificate Revocation Lists for Intermediate Certificate Authorities
Adding this for tracking, but I don't think it's a bug in pfSense or FreeBSD, but OpenSSL itself. It could potentiall... Jim Pingle
09:51 AM pfSense Packages Bug #9888 (Feedback): ACME output sent to browser without encoding
Fixed in ACME package version 0.6.3_1
https://github.com/pfsense/FreeBSD-ports/commit/a6f443cde51e7fcf17e51f16014d... Jim Pingle
09:46 AM pfSense Packages Bug #9888 (Resolved): ACME output sent to browser without encoding
ACME issue/renew output is sent directly to the browser without encoding. In some cases, user input may be included i... Jim Pingle
05:11 AM pfSense Packages Feature #9885 (Resolved): OpenVPN client 2.4.8 update
Renato Botelho
03:29 AM pfSense Packages Feature #9885: OpenVPN client 2.4.8 update
Hi!
Works.
Thanks!
Regards,
G Greg M
03:33 AM Feature #6240: vxlan driver
+1 Gianluca Semprini

11/07/2019

04:50 PM Revision b8b33a3e: Use more accurate date calculations for CA/Cert operations.
Otherwise calculations could fail on ARM Jim Pingle
04:49 PM Revision 26c4679b: Lower default cert expire days to 28.
At 30 days, an ACME cert may not have triggered automatic renewal yet,
so it would warn unnecessarily. Jim Pingle
09:58 AM pfSense Packages Bug #9886 (Rejected): Open-VM-Tools 10.1.0_2,1 on ESXi 6.5 causes gateway disconnects
This site is not for support or diagnostic discussion.
For assistance in solving problems, please post on the "Net... Jim Pingle
09:50 AM Bug #6801: Rule separators are moving when multiple firewall rules are deleted together
I couldn't reproduce the exact same bug stated here, but I did manage to reproduce a similar one. I opened #9887 and ... Jim Pingle
02:18 AM Bug #6801: Rule separators are moving when multiple firewall rules are deleted together
It seems that the bug has returned, as I just had this exact issue when deleting multiple firewall rules with version... Max Frames
09:49 AM Bug #9887 (Resolved): Rule separator positions change when deleting multiple rules
When deleting rules around a separator at the end of the ruleset, separator positions can change unintentionally. Sim... Jim Pingle
08:36 AM pfSense Packages Bug #8454: Arpwatch package break email notifications from other sources
Hi, is there a chance this problem will be fixed? Christian Rhomberg

11/06/2019

08:59 PM Revision 96773352: Add edit screen for Certificate entries.
* Allows editing the name/descr. Implements #7861
* Adds a (not stored) password field and buttons for exporting encr... Jim Pingle
06:16 PM Revision f0b38e39: CA/Cert optimizations
* Actions are now by refid rather than array index, which is more
accurate and not as prone to being affected by para... Jim Pingle
03:10 PM Feature #1192 (Feedback): Certificate Manager - Ability to Encrypt Private Keys When Exporting
Applied in changeset commit:967733529244944d751003517a1e42fba1b29c07. Jim Pingle
02:31 PM Feature #1192 (In Progress): Certificate Manager - Ability to Encrypt Private Keys When Exporting
Jim Pingle
03:10 PM Feature #7861 (Feedback): Make "Descriptive name" of certificates editable
Applied in changeset commit:967733529244944d751003517a1e42fba1b29c07. Jim Pingle
02:31 PM Feature #7861 (In Progress): Make "Descriptive name" of certificates editable
Jim Pingle
02:29 PM pfSense Packages Feature #9871 (Resolved): Snort - User Forced Disabled Rules Ordering
Jim Pingle
01:58 PM pfSense Packages Feature #9871: Snort - User Forced Disabled Rules Ordering
This ticket can be closed as "RESOLVED". Column sorting is now available on the RULES tab in the DEVEL and RELEASE br... Bill Meeks
02:10 PM pfSense Packages Bug #9740 (Feedback): empty Status / Tinc VPN page on latest 2.5
PR has been merged. Thanks! Renato Botelho
02:10 PM pfSense Packages Bug #9860 (Feedback): Illegal string offset 'config' in /usr/local/pkg/tinc.inc on line 83
PR has been merged. Thanks! Renato Botelho
08:08 AM pfSense Packages Feature #9885 (Feedback): OpenVPN client 2.4.8 update
OpenVPN Client Export package version 1.4.19 is up with Windows installers for OpenVPN 2.4.8 (Win10 and Win7) Jim Pingle
07:23 AM pfSense Packages Feature #9885: OpenVPN client 2.4.8 update
Hi!
Yes, I was reffering to client in the export page. Sorry for confusion :) Greg M
07:16 AM pfSense Packages Feature #9885: OpenVPN client 2.4.8 update
I do not see anything in the changelog that makes it compelling to rush a move on the base/FreeBSD side of things. We... Jim Pingle
02:30 AM pfSense Packages Feature #9885 (Resolved): OpenVPN client 2.4.8 update
Hi!
Since OpenVPN 2.4.8 has been released it would be nice to include it in all branches of pfsense.
Thanks! Greg M
03:35 AM pfSense Packages Bug #9886 (Rejected): Open-VM-Tools 10.1.0_2,1 on ESXi 6.5 causes gateway disconnects
I run pfSense 2.4.4 on ESXi 6.5 on a 2010 Mac Mini.
After updating Open-VM-Tools to 10.1.0_2,1 I started getting ... Tim Preston

11/05/2019

11:18 PM pfSense Packages Feature #9871: Snort - User Forced Disabled Rules Ordering
I've added sortable columns to the RULES tab. You can now sort on all of the columns except *State* (that is an icon)... Bill Meeks
09:50 PM Revision ecb594d0: Use central download function
Reduce duplicated/inconsistent code by using the new download function. Jim Pingle
09:06 PM Revision 7e83055a: CA/Cert/CRL code optimizations
While here, use the new download function when exporting items Jim Pingle
09:04 PM Revision 1342f80f: Add central file download function for use throughout the GUI.
Jim Pingle
04:31 PM Revision a6bd9e78: Validate CA/CRL serial input. Issue #9883 Issue #9869
Jim Pingle
01:32 PM Revision a9769a8c: Update privilege definitions
Jim Pingle
01:32 PM Revision d5a222cc: Update privilege definitions
Jim Pingle
07:54 AM Feature #9884: Add support for OpenVPN --x509-username-field
That is true, but it doesn't seem to affect "plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr... Florian Apolloner
07:47 AM Feature #9884: Add support for OpenVPN --x509-username-field
We currently force on username-as-common-name so I don't think you could override that behavior with this new option ... Jim Pingle
07:41 AM Feature #9884: Add support for OpenVPN --x509-username-field
Sorry, I realized that it's not a bug immediately after clicking save, but I cannot edit anything :/
> Even if it ... Florian Apolloner
07:21 AM Feature #9884: Add support for OpenVPN --x509-username-field
This isn't a bug, but a missing feature. Even if it is enabled, it would still need GUI code to configure the behavio... Jim Pingle
05:20 AM Feature #9884 (Resolved): Add support for OpenVPN --x509-username-field
The openvpn shipped with pfsense has enable_x509_alt_username=no as compilation option. It would be great if that cou... Florian Apolloner
 

Also available in: Atom