pfSense

Move igmpproxy logs to routing.log. Fixes #10139

Merge pull request #4132 from vktg/hidenoprvcerts

Merge pull request #4142 from vktg/routedelete

fixes

parenthesis fix

Ignore the flash devices during the scan for config files at boot.

Merge pull request #4143 from vktg/ipsecgcmnoah

Merge pull request #4129 from luckman212/dns-v6-options-patch-2

cosmetic

strip hash algo if ealgo == *gcm

fix route delete code

fix route delete code

Update copyright notice years. Issue #9245

Rework IPsec P1 Lifetime GUI options. Fixes #9983

fix

Use full path for pkg-static

Remove superfluous ( )'s

3rd try - change config names

Merge pull request #4109 from vktg/p11ipsec

Merge pull request #4122 from vktg/ecdsarenew

do not show certs without prv by default

2nd try
change config option to avoid positive checkbox = negative option

Token -> PKCS#11

gui renaming pkcs11 -> token + show ID

cert on token check

cosmetic

working

pcscd service

some progress

Fix #9873: Use pkg-static

When pkg repo points to a new major version pkg is updated, use
pkg-static binary to check PHP version and make sure the command works

Move syslog format var to syslog.inc. Issue #9808

In some cases, PHP is unhappy with calls to gettext() in globals.inc

Add opts to services_dhcpv6.php and services_router_advertisements.php

Adds config options to disable pushing DNS server options to dhcp6
clients via dhcpd or radvd. Fixes an issue when using split-horizon
DNS with dnsmasq via `localise-queries` option since that supports...

Add option for RFC5424 syslog format. Implements #9808

Don't dedup DNS from dyn sources if override is disabled. Fixes #9963

Merge pull request #4123 from lucasheld/fix-queue-stats

conflicts resolved, needs testing

Lower default_cert_expiredays warning threshold to 27 days

Even at 28, ACME still sometimes warns unnecessarily just before renewal.

IPsec swanctl conversion. Implements #9603

• Converted IPsec configuration code from ipsec.conf ipsec/stroke style
  to swanctl.conf swanctl/vici style. Issue #9603
• Split up much of the single large IPsec configuration function into
  multiple functions as appropriate....

simplify queue stats parser

support variable value length in queue stats parser

curve_compatible_list - array of all compat curves

Init aliases array before use. Fixes #9936

Only try existent devices when looking for the dump device.

typo

prime256v1 ec curve for renew

Merge pull request #4098 from vktg/delzombiealiases

cosmetic

Merge branch 'master' into p11ipsec

rebase

successful connection

more

first steps

merge with upstream

array_diff fix

array_diff fix

Unset temp vars when refreshing CRLs. Issue #9915

Otherwise it might unintentionally add a CRL to a server which does not
have one selected

When refreshing CRLs, increment suffix, do not clean up. Fixes #9915

While here, fix a bug with refresh path.

Correctly populate CRL issuer in crl_contains_cert. Fixes #9924

Add 'none' option to cert_build_list. Issue #9923

Restructure OpenVPN settings directory layout

• Changed from /var/etc/openvpn[-csc]/<mode><id>.<file> to
  /var/etc/openvpn/<mode><id>/<x>
• This keeps all settings for each client and server in a clean
  structure
• Move to CApath style CA structure for OpenVPN, which implements #9915...

Merge pull request #4112 from vktg/poly1305tls12

Add select_source compatible output to cert_build_list(). Implements #9923

Enforce limiter delay 0<=x<=10000. Fixes #9921

Make OpenVPN username-as-common-name options. Implements #8289

Add exit notify to OpenVPN servers/clients. Implements #9078

Prevent OpenVPN tunnel network reuse. Fixes #3244

Ensures that a submitted tunnel network is not already in use on other
OpenVPN client or server instances, to avoid conflicts.

Update OpenVPN EC list based on testing. Issue #9744

CDATA escape more auth-related fields. Fixes #9327

OpenVPN ECDH/ECDSA filtering. Fixes #9744

Can be revisited in the future if the corresponding OpenVPN bug is
resolved.

Correct VTI IPv6 test and syntax. Fixes #9801

Move CA random serial option to upper section. Issue #9883

This allows it to be set when creating a new CA, so it doesn't have to
be edited in later.

Also show the next serial/random status in the CA info block
Hide trust store line from non-CA entries since it's not relevant to...

Rename IPsec "RSA" options to "Certificate". Implements #9903

Fix #7791: strings binary can be useful for troubleshooting

Attempt to fetch EC curve OID if name is blank. Issue #9745

Certificate date calculation changes. Fixes #9899

Make the certificate date calculation more general and also try multiple ways
to determine the date (both timestamp and unix timestamp).

Catch cases where one or the other date fails to calculate to avoid errors....

GUI improvements for ECDSA certificate handling

• Make central functions to check and test ECDSA compatibility. Issue #9843
• Filter incompatible certificates from being offered for the GUI or Captive Portal. Implements #9897
• Do the same for IPsec, which implements #4991...

order fix

add poly1305-chacha20 to nginx cipher list

Change default ECSDA curve to prime256v1. Issue #9843

Previous default was brainpool, but brainpool curves are not (widely?)
supported by browsers and were deprecated by IETF for TLS v1.3

Revert "RADVD: In "managed" or "stateless_dhcp" mode, don't use default values for DNS servers etc (these should come from DHCPv6)"

This reverts commit dcc887a355aae49c7df0c29752c04e12922aca83.

Use more accurate date calculations for CA/Cert operations.

Otherwise calculations could fail on ARM

Lower default cert expire days to 28.

At 30 days, an ACME cert may not have triggered automatic renewal yet,
so it would warn unnecessarily.

Use central download function

Reduce duplicated/inconsistent code by using the new download function.

Add central file download function for use throughout the GUI.

Validate CA/CRL serial input. Issue #9883 Issue #9869

Update privilege definitions

Enforce a max lifetime for CA/Cert/CRL. Issue #3956

Add support for randomized cert serial numbers. Implements #9883

Update globals.inc

fixes

Update globals.inc

successful connection

more

first steps

CRL management overhaul

• Allow revoking by serial number or cert. Implements #9869
• Allow revoking multiple entries at a time. Implements #3258
• Declutter the main CRL list screen
• Move the create control to the bottom under the list
• Various other efficiency/style improvements

Add option to trust local CA entries. Implements #4068

Similar to closed PR #3558 from overhacked, but with a number of
changes.

Make value of cert notify setting consistent with others. Issue #7332

Remove duplicate DHCP log block.

Certificate strength improvements. Fixes #9825

• Change default GUI cert lifetime to 825 days
• Add notes on CA/Cert pages about using potentially insecure parameter
  chocies
• Add visible warnings on CA/Cert pages if paramers are insecure/not
  recommended.

Add daily certificate expiration notice. Issue #7332